Chinese Hacker Group Abusing Cloud Services to Steal Passenger Data From the Airline Industry

According to a recent threat report from cybersecurity researchers at Fox-IT, a hacking group from China has been attacking nearly all airline companies for the past few years.

The experts also claim in their report that the main purpose of the campaign was to collect passenger data so that the hackers can track specific people.

Details about the group remain unclear, but the threat actors have been carrying out the attacks under the name Chimera. The experts also noted that the group is operating for the Chinese state. The group's activities were summarized in a Black Hat presentation from CyCraft in 2020.

Hackers used RAM of flight booking servers to scrape users’ data

The attacks organized against the semiconductor industry aimed at appropriating intellectual property (IP). The attacks against the airline industry, on the other hand, concentrated on something else.

The experts affirmed that the PNR data obtained is likely to differ from victim to victim, but the researchers examined the use of several custom DLL files that were used to continuously recover PNR data from the RAM of systems where this kind of data is generally processed.

Modus Operandi

Many companies, including NCC and Fox-IT, asserted that the goal of targeting these victims seems to be obtaining Passenger Name Records (PNR). Several custom DLL (dynamic-link library) files were used to continuously recover PNR data from the memory of systems.

The companies said that the hackers' attacks usually begin with collecting user login details that were leaked publicly after data breaches at other companies.

Cloud services used by hackers

In this campaign, the hackers used the following cloud services to carry out their operations:

  • Dropbox
  • Google Drive
  • OneDrive

Cobalt Strike is one of the main tools used by the hackers during the intrusion. It is an adversary simulation framework intended for penetration testers and red teams.

The Cobalt Strike beacon is loaded into memory using a PowerShell one-liner. The hackers used three versions of Cobalt Strike, listed below:

  • Cobalt Strike v3.8, observed Q2 2017
  • Cobalt Strike v3.12, observed Q3 2018
  • Cobalt Strike v3.14, observed Q2 2019

Tracking targets of interest

Even after all the reports and investigations, the companies are not speculating about why the threat actors are targeting the airline industry. However, targeting airline companies, hotel chains, and telcos is very common for state-sponsored hacking groups.

By attacking them, the threat actors obtain data that they could use to track the movements and communications of every person of interest. Chinese state-sponsored hackers were also linked to the Marriott hack, in which the hackers stole troves of hotel reservation details.


BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

