Future Skies: Will I Fly Today?
Jeff + AI. DALL-E prompts: comic book cover of a hacker defeating the USA, matrix-style; commercial airliner flying through the digital realm with code falling like rain; comic book art showing hero attempting to protect Americans. shield.


A comprehensive guide to cybersecurity risks in aviation and how existing weakness in digital infrastructure may ground your travels.

This Issue: Identifying the Aviation Threat Actors

Last Issue: Aviation Threat Surface

In this series of articles, we uncover the gaps in digital defense across the aviation sector. Drawing on in-depth research and analysis of government documents, TSA emergency proclamations, and known threat actors, we unveil the disconcerting risks passengers face throughout their journey—from ticketing to TSA checkpoints, and from in-flight experiences to airline communication with control towers. In this issue, we dive into the Aviation Threat Actors. We'll follow a fictional passenger in subsequent articles, revealing the hidden risks they face along their journey.


Editor's Note: In embarking on this investigative threat landscape exercise for the aviation sector, my aim is not to incite fear but to raise awareness about the industry's significant vulnerabilities. I encourage the reader to point out inaccuracies or overstated risks. Join me in uncovering the startling truth behind aviation cybersecurity. My next series is on the Modern Supply Chain.

Don't miss an installment—subscribe now and stay informed.


Hackers

A hacker attacks an organization through a weakness, or vulnerability. Hackers no longer “hack” into a company, enterprise, utility, or government agency; they log in using a compromised account. While this entry point may provide only low-level access at first, they then use exploits to escalate to Admin control within the environment. Thanks to social media, data brokers, ad malware, and our human tendency to click on interesting links, we are easily owned.

Everyone knows of the threat of ransomware, but few realize it is the last step of a cybersecurity attack. Every ransomware attack is due to poor cybersecurity hygiene, so when you read of the next ransomware attack, write that organization off as one with a poor cybersecurity culture and posture. Also note that most organizations do not report ransomware attacks, precisely because of that embarrassment. Uber's former CISO is being sentenced this week for covering up a breach.

The cloud, with its constant connectivity, has provided greater efficiencies in life and business. We can bank from anywhere, conduct business from the beach, and monitor our sleeping child. We can also start our car, unlock it, and check its fuel level. Hackers can have their way with most automakers’ vehicles, as we revealed in this article. What was surprising is how they were able to access critical systems within the automaker’s environment through your parked car. While your car may be an extremely valuable asset in your daily life, it is not considered a critical component of our nation's economy, national security, and public safety. Aviation is considered critical infrastructure as part of the Transportation Sector.

Bad Actors are an Army of Funded Hackers

War is messy and costly, and in our surveilled society one nation can watch in real time as another stockpiles resources along a border. As we’ve witnessed with Russia’s attack on Ukraine, or America’s involvement in Afghanistan or even Vietnam, the outcome of war is never certain. The cost in casualties is significant. If an adversary’s goal is to prove its might, it doesn’t need guns or nukes; it just breaks out the keyboards and aims for a nation's critical infrastructure. Cyberwarfare is a much more immediate and cost-effective way to cause inconvenience, achieve command and control of critical services, or even steal money from an adversary. It is for this reason that the cyberwarfare threat has recently overtaken fear of nuclear attack on the list of Americans’ concerns.

Our critical infrastructure is at significant risk of being attacked by an adversary.

The Invisible Enemy

As we examine the state of the aviation sector, it is crucial to understand the ever-evolving threat surface that impacts this vital industry. In the past, it was easy to point to a physical adversary: “The Cold War,” “Cuban Missile Crisis,” or simply “Russia” made the enemy clear. The battle lines are now digital and carry similar consequences. Advanced Persistent Threats (APTs) are sophisticated and well-resourced cyber adversaries, often linked to nation-state cyberwarfare. Simply put, our enemies are attacking us via keyboards and not guns, and these groups are often managed by their military.

APTs are tracked by our government and private industry and pose a significant risk to critical infrastructure, to include the aviation sector. These threat actors target critical infrastructure, private corporations, utilities, and government institutions to achieve their objectives, using advanced tactics, techniques, and procedures to infiltrate and maintain access. Their motivations can range from espionage and data theft to sabotage or disruption of operations, furthering the nation-state's strategic goals.

APTs are a means of cyberwarfare and we’ve been at war since Stuxnet. If you are interested in learning more about these Bad Actors, watch Zero-Days (2016) and The Perfect Weapon (2020). Better yet, read Nicole Perlroth's book, This Is How They Tell Me the World Ends: The Cyberweapons Arms Race (2021).

Each nation-state APT group has its own motives, and the maturity of these groups lies on a continuum of capabilities. Some teams report into their military, some are bound by common motives, and some are splintered. Getting into our critical infrastructure, lurking in those environments undetected, manipulating sensitive information, and extracting data is child’s play for these Bad Actors. Assume that the United States has these same capabilities.

DHS, FBI, CISA and various private-industry threat intelligence reports have warned of these organizations and how they use the methods above not only to log in but to remain lurking in your organization, waiting with the ability to attack or steal data.

State of Cybersecurity – Assume Breach

2023 Homeland Security Symposium and Expo

Christopher Wray, Director of the FBI, February 16, 2023

“Cyber adversaries have also obtained an increasing capacity for stealth in recent years, facilitating more comprehensive access to U.S. networks. They’ve demonstrated the ability to maintain persistent access across various networks and environments by using seemingly legitimate credentials, accessing administrator accounts, and laterally traversing networks. They will park on a system quietly and then just wait for the right opportunity. So, to sum up the cyber threat picture: There’s a persistent, multi-vector, blended threat that’s constantly evolving and a continual challenge to assess, so we’re battling back against a constant barrage of attacks.”

China is Targeting our Critical Infrastructure

“In this cyber threat landscape, China is the most dangerous actor to industry.” FBI Director Christopher Wray warns about the cyber threat posed by China. He accuses China of using cyberattacks, espionage, and other tools to steal technology and data from various industries, and of causing widespread damage to U.S. networks and systems. There’s massive agreement on this risk to our critical infrastructure from both Public and Private Sectors.

We are in 'The Gray Zone,' as BlackOps Partners states, and they claim that we are in the most unstable period since WWII: "Attacking everything in your company short of conventional war - under no rules."

BlackOps Partners, The Gray Zone


I subscribe to this 'gray zone' theory. Consider how the U.S. retaliated to the SolarWinds supply chain attack (Russia), Microsoft Exchange Server attack (China), Colonial Pipeline (Eastern Europe), Sony Pictures (North Korea). And consider what happens when your private and sensitive data are stolen? I hear Oprah yelling, "You get free credit monitoring, and you get free credit monitoring!"

Jacob Horne, host of the podcast Sum It Up, had a recent post on LinkedIn that made me wonder how he stole those thoughts from my mind. In his "Crazed Man in Times Square" post (and I was just in Times Square), he challenged his audience to pick the critical infrastructure sector that matched a statistic he quoted.

Jacob Horne, April 28, 2023, LinkedIn

No, it's not banana. Jacob's argument was that you cannot bet on security through obscurity and that SMB companies outsourcing IT to managed service providers (MSPs) create a hacker's paradise, as breaching one MSP jeopardizes countless clients, endangering businesses of all sizes.

While my guess was correct, it was only because I had begun my research on the Food and Ag Sector just days prior.

Known Threat Actors

It was alarming to me to hear of China’s plans to attack our satellites. This was revealed in the documentation leaked by the 21-year-old Massachusetts Airman, Jack Teixeira. This young airman held a Top Secret clearance (as 1.2 million people did in 2019). Note that the planned attack was not a James Bond style of attack, blowing up or disabling the satellite. Hacking is more a matter of gaining access and lurking until the right opportunity presents itself.

You may have heard of the chip-level vulnerabilities from China involving Huawei. While this takes an extremely long time to play out, it’s ingenious. Just yesterday, CISA issued an alert for organizations to incorporate the FCC Covered List into risk management plans. “Telecommunications equipment produced by Huawei Technologies Company, including telecommunications or video surveillance services provided by such entity or using such equipment.”

The U.S. Government is currently tracking the following known APTs operating from within China. They have been associated with the transportation and telecommunications sectors. Each APT entry includes the Attack Kill Chain (AKC) mapping depicting the advanced tactics, techniques, and procedures (TTPs) the attacker relies on.

APT40; Operational since 2013; AKC Mapping.

  • Known activities: APT40/Leviathan primarily targets organizations in the maritime, defense, aerospace, and aviation industries, with a focus on the United States and Western Europe. They aim to steal sensitive information, intellectual property, and trade secrets.
  • Mode of operation and TTPs: APT40/Leviathan uses spear-phishing emails with malicious attachments, watering hole attacks, and compromised websites to infiltrate target networks. They employ custom malware like BADFLICK, PHOTO, and AIRBREAK, and open-source tools like MIMIKATZ and SEASHARPEE.

Tropic Trooper; Operational since 2012; AKC Mapping.

  • Known activities: Tropic Trooper has targeted government institutions, military organizations, and heavy industries in Taiwan, the Philippines, and Hong Kong. Their primary focus is on cyber espionage and the theft of sensitive information.
  • Mode of operation and TTPs: They use spear-phishing emails with malicious attachments, as well as watering hole attacks. Tropic Trooper has employed custom malware like Ymalr and PoisonIvy RAT, and leverages open-source tools like Gh0st RAT and PlugX.

CISA has identified other adversaries attacking the transportation sector. Here are the identified APTs from Russia, Iran, North Korea and South Korea.

APT28; Russia, operational since 2007; AKC mapping.

  • Known activities: Reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. Cyber-espionage operations targeting military, government, political organizations, and the hospitality sector.
  • Mode of operation: Spear-phishing campaigns, exploiting vulnerabilities, and leveraging custom malware
  • Common TTPs: Zero-day vulnerabilities, credential theft, and malware like X-Agent, Seduploader, and Gamefish

APT29; Russia, operational since 2008; AKC Mapping.

  • Known activities: The SolarWinds supply chain attack. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.
  • Mode of operation and TTPs: a massive listing.

APT39; Iran, operational since 2014; AKC Mapping.

  • Known activities: APT39 has primarily targeted telecommunications, travel, hospitality, and IT sectors, mainly focusing on the Middle East. They aim to gather personal information, which can facilitate Iranian intelligence operations.
  • Mode of operation and TTPs: APT39 uses spear-phishing and social engineering to deliver custom malware or gain access to victims' accounts. They have used malware families like SEAWEED, CACHEMONEY, and POWBAT.

DarkHotel; South Korea, operational since 2007; AKC Mapping.

  • Known activities: DarkHotel has targeted business travelers, especially executives, staying in luxury hotels, primarily in Asia but also in the United States and other regions. They focus on stealing sensitive business information and intellectual property.
  • Mode of operation and TTPs: DarkHotel exploits hotel Wi-Fi networks and delivers spear-phishing emails to target individuals. They use zero-day vulnerabilities, downloaders, and custom malware like KARBA, PIONEER, and NOKKI to infect systems.

Moses Staff; Iran, operational since 2021; AKC mapping.

  • Known activities: Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US. Their focus is on cyber espionage and data exfiltration.
  • Mode of operation and TTPs: Little is known about their specific TTPs, but they have used spear-phishing emails and malicious Word documents to gain initial access to target networks.


After summarizing the above, I cannot imagine our world without CISA and its leadership of public and private partnerships. This combined guidance informs and directs any security team to focus precious resources on shoring up defenses by exposing attackers' tactics, techniques, and procedures. And that's the first part of a Threat-Informed Defense (TID).

The second part of a TID is employing a common framework, vernacular and knowledge base. The MITRE ATT&CK Framework is an excellent resource, and CISA provides a MITRE ATT&CK Framework tool that identifies the Attack Kill Chain of an APT, or of a combination of APTs. Here is an example of APT28 compared with APT29. This is a concrete example of how to prioritize your resources for threat hunting and for shoring up specific defensive postures. Researchers can also model their own simulated attack campaigns.

Comparing APT28 to APT29 from MITRE ATT&CK and CISA
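The comparison above is a set overlap: techniques that several tracked groups share are the ones to detect and harden against first. This added example (not code from the article, CISA or MITRE) does that overlap programmatically over a constructed sample of technique IDs per group and emits a minimal ATT&CK Navigator layer scored by how many groups use each technique; the per-group technique sets are illustrative and not the authoritative MITRE mapping.

```python
"""Rank ATT&CK techniques by how many tracked groups rely on them (added example)."""
from collections import Counter
import json

# Constructed sample data: a small, illustrative subset of ATT&CK technique IDs
# per group. NOT the authoritative MITRE ATT&CK mapping for APT28 or APT29.
GROUP_TECHNIQUES = {
    "APT28": {"T1566.001", "T1078", "T1003.001", "T1021.002",
              "T1059.001", "T1071.001", "T1027"},
    "APT29": {"T1195.002", "T1078", "T1003.006", "T1021.006",
              "T1059.001", "T1071.001", "T1027", "T1566.002"},
}

# Real ATT&CK names for the IDs used above, for readable output.
TECHNIQUE_NAMES = {
    "T1566.001": "Spearphishing Attachment", "T1566.002": "Spearphishing Link",
    "T1078": "Valid Accounts",                # the "log in, don't hack in" pattern
    "T1003.001": "LSASS Memory", "T1003.006": "DCSync",
    "T1021.002": "SMB/Windows Admin Shares", "T1021.006": "Windows Remote Management",
    "T1059.001": "PowerShell", "T1071.001": "Web Protocols",
    "T1027": "Obfuscated Files or Information",
    "T1195.002": "Compromise Software Supply Chain",  # the SolarWinds-style entry
}


def technique_overlap(groups):
    """Return [(technique_id, [groups using it])], broadest-shared first, ties by ID."""
    counter = Counter()
    users = {}
    for group, techniques in groups.items():
        for tech in techniques:
            counter[tech] += 1
            users.setdefault(tech, []).append(group)
    ranked = sorted(users, key=lambda t: (-counter[t], t))
    return [(t, sorted(users[t])) for t in ranked]


def shared_techniques(groups):
    """Techniques every supplied group uses: the highest-value detections to build first."""
    sets = list(groups.values())
    return sorted(set.intersection(*sets)) if sets else []


def navigator_layer(groups, name="APT overlap (constructed example)"):
    """Build a minimal ATT&CK Navigator layer dict; score = number of groups using the technique."""
    layer = {"name": name, "versions": {"layer": "4.4"},
             "domain": "enterprise-attack", "techniques": []}
    for tech, who in technique_overlap(groups):
        layer["techniques"].append({"techniqueID": tech, "score": len(who),
                                    "comment": ", ".join(who)})
    return layer


if __name__ == "__main__":
    for tech, who in technique_overlap(GROUP_TECHNIQUES):
        print(f"{tech:10} {TECHNIQUE_NAMES[tech]:35} {len(who)}  {', '.join(who)}")
    print(json.dumps(navigator_layer(GROUP_TECHNIQUES), indent=2))
```

Loading the printed JSON into ATT&CK Navigator colours the shared techniques, which is the same prioritization view the CISA comparison gives.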

A Clear and Present Danger

In our previous investigations, we've uncovered government documents revealing the disturbing vulnerability of the aviation sector to cyberthreats. With a vast attack surface and weak cybersecurity measures, adversaries like China are actively targeting this crucial infrastructure. Strengthening our defenses will demand time, resources, and expert guidance, but the urgency of the situation cannot be overstated.

The aviation industry, a linchpin of the global economy and our interconnected society, finds itself in a precarious position. Its reliance on ancient technology and complex systems has rendered it a prime target for cyberattacks. As the threat of Adversarial AI looms on the horizon, the risks are escalating, and organizations with subpar cybersecurity face even greater dangers.

Cyberattacks on the aviation sector are skyrocketing, leaving it vulnerable to severe consequences, including insider threats and perilous ghosting attacks. As government agencies and organizations rush to bolster security measures, some merely point fingers while the race to protect our skies from ever-evolving cyber risks intensifies.

The third part of a Threat-Informed Defense may be the hardest part to achieve in this noisy and often selfish world: Radical collaboration is essential if we are to prevent a chilling and imminent future. It's time for Americans to shift their attention away from the distractions of politicized news and social media and focus on the true danger: securing our critical infrastructure against the silent enemy that has already infiltrated our networks. World War III won't be fought with nuclear weapons or tanks; it will be waged in the digital realm.

The War of Inconvenience has begun. This new battlefield sees cyberattacks exchanged like hostile volleys, as adversaries vie for control.


Next issue: follow a fictional passenger, revealing the hidden risks they face along their journey and how they defend themselves.

Jacob Horne

CMMC Town Crier | Ask me about NIST security controls | Smashing compliance frameworks for fun and profit | Cyber policy wonk |

1 year

Thanks for the tag and the quote!
