
The Rise of Collective Cyber Espionage: Unprecedented Multi-Nation State Hackers Breach Aviation Organization

Multiple Nation-State Hackers Infiltrate Single Aviation Organization

In a recent alert issued by U.S. security agencies, it has been revealed that multiple nation-state hackers infiltrated a single aviation organization through vulnerabilities in its internet-facing services. The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and Cyber Command’s Cyber National Mission Force have all warned about the ongoing exploitation of vulnerabilities in Zoho and Fortinet services to gain unauthorized access to the networks of this unnamed aviation sector organization.

The Scope of the Breach

The hackers gained access to the organization’s network through two main entry points: Zoho software commonly used for IT help desk management, and a Fortinet virtual private network (VPN) service. The first group of state-backed hackers exploited a vulnerability in Zoho ManageEngine ServiceDesk Plus, a product often found in IT management suites. This gave the hackers root-level access and allowed them to create an administrative user account. They also used the widely known Mimikatz credential-dumping tool to extract more credentials. It should be noted, however, that the hackers were unsuccessful in exploiting the infamous Log4Shell vulnerability on Zoho’s ServiceDesk product.

Meanwhile, the second group of hackers used a contractor’s legitimate but disabled credentials to gain access to the organization’s FortiOS SSL-VPN service. Once inside the network, the hackers deleted logs from various servers, hindering the incident response team’s ability to fully understand the extent of the breach.
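The two signals in the paragraph above, a successful VPN login by an account that should have been disabled and a server whose log stream goes silent, are both cheap to hunt for. The script below is an added example and is not code from the article or from the agencies’ alert; the log line format, the account inventory and the heartbeat interval are assumptions, and all log lines are constructed sample data.

```python
"""Added example (not from the advisory or the article): two detections that
would have surfaced the activity described above.

  1. Successful VPN logins by accounts an inventory says are disabled.
  2. Suspicious gaps in a server's log stream, as left behind by log deletion.

All log lines and account records below are constructed sample data."""
from datetime import datetime, timedelta
import re

# Constructed account inventory: what the identity system says about each user.
ACCOUNTS = {
    "jdoe":        {"disabled": False},
    "contractor7": {"disabled": True},   # contractor account, should be inert
    "svc_backup":  {"disabled": False},
}

# Constructed SSL-VPN authentication log lines (the format is an assumption).
VPN_LOG = """\
2023-08-01T08:02:11Z vpn-gw sslvpn: user=jdoe result=success src=198.51.100.23
2023-08-01T08:05:40Z vpn-gw sslvpn: user=contractor7 result=failure src=203.0.113.9
2023-08-01T08:06:02Z vpn-gw sslvpn: user=contractor7 result=success src=203.0.113.9
2023-08-01T09:15:27Z vpn-gw sslvpn: user=svc_backup result=success src=10.0.0.5
"""

VPN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def disabled_account_logins(log_text, accounts):
    """Return (timestamp, user, src) for every successful login by a disabled account."""
    hits = []
    for line in log_text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        acct = accounts.get(user)
        # Inventory says disabled, yet the gateway accepted the login: that is
        # exactly the contradiction worth an alert.
        if acct and acct["disabled"] and m.group("result") == "success":
            hits.append((m.group("ts"), user, m.group("src")))
    return hits


# Constructed syslog stream from a server whose logs were partly deleted: a
# host that normally emits a heartbeat every 5 minutes goes silent for 3 hours.
SERVER_LOG = """\
2023-08-01T10:00:00Z app01 cron: heartbeat ok
2023-08-01T10:05:00Z app01 cron: heartbeat ok
2023-08-01T10:10:00Z app01 cron: heartbeat ok
2023-08-01T13:15:00Z app01 cron: heartbeat ok
2023-08-01T13:20:00Z app01 cron: heartbeat ok
"""


def log_gaps(log_text, expected_interval=timedelta(minutes=5), tolerance=3):
    """Return (gap_start, gap_end, gap_seconds) for each silence longer than
    `tolerance` expected intervals. A gap is not proof of tampering, but on a
    host that should log continuously it is a pointer for incident response."""
    stamps = []
    for line in log_text.splitlines():
        ts = line.split(" ", 1)[0]
        stamps.append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    stamps.sort()
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        delta = cur - prev
        if delta > expected_interval * tolerance:
            gaps.append((prev.isoformat(), cur.isoformat(), int(delta.total_seconds())))
    return gaps


if __name__ == "__main__":
    for ts, user, src in disabled_account_logins(VPN_LOG, ACCOUNTS):
        print(f"ALERT disabled account {user} logged in at {ts} from {src}")
    for start, end, secs in log_gaps(SERVER_LOG):
        print(f"ALERT {secs}s of silence on app01 between {start} and {end}")
```

The gap check only works if logs are shipped off the host as they are written; the point of forwarding to a collector the attackers cannot reach is that deletion on the server leaves a visible hole rather than an empty file.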

Lack of Security Measures

The alert highlighted several concerning issues within the targeted aviation organization’s security infrastructure. Firstly, the organization lacked proper network segmentation, which would have limited the lateral movement of the attackers within their network. This allowed the hackers to maneuver freely and potentially escalate their access privileges.

Additionally, the organization had not clearly defined where its data was centrally located, making it difficult for the incident response team to determine how much information was compromised or altered during the breach. Moreover, the victim organization had limited network sensor coverage, further hindering CISA’s ability to understand the full extent of the cyberattack.

Implications and Concerns

While it remains unclear which nation-state groups were responsible for targeting the aviation organization, this incident is part of a broader trend of attacks against the sector and critical infrastructure organizations. The Transportation Security Agency (TSA) has been prompted to issue cybersecurity mandates for the sector in response to these incidents.

The alert also emphasized the continuing interest of malicious cyber actors in edge network infrastructure, such as firewalls and VPNs. Exploiting these devices provides attackers with opportunities to expand their network access or use them as malicious infrastructure. The fact that these edge devices often have known and unpatched vulnerabilities highlights the urgency for organizations to prioritize and regularly update their security measures.

The Importance of Patch Management and Network Segmentation

This incident serves as a reminder of the critical need for organizations to prioritize patch management. Known vulnerabilities pose significant risks, as we have seen in this case, where attackers were able to exploit these weaknesses to gain unauthorized access. Regular updates and patches should be implemented promptly to address any known vulnerabilities and minimize the risk of exploitation.

Furthermore, network segmentation is crucial to prevent lateral movement within the network. By segmenting different areas of the network and implementing proper access controls, organizations can limit the potential impact of a breach and impede hackers from freely navigating through their systems.
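The difference between a flat network and a segmented one can be made concrete by evaluating the same traffic against two policies. The script below is an added example, not code from the article or the agencies’ alert; the zones, subnets, allowed flows and flow records are all assumptions constructed for the illustration.

```python
"""Added example (not from the article): a minimal segmentation policy applied
to constructed flow records. FLAT allows everything (the "before" state the
alert describes); SEGMENTED permits only the listed cross-zone paths.
Zone names, subnets and flows are assumptions for this example."""
import ipaddress

# Assumed network zones for the example.
ZONES = {
    "vpn_users":  ipaddress.ip_network("10.50.0.0/16"),  # SSL-VPN client pool
    "helpdesk":   ipaddress.ip_network("10.20.0.0/24"),  # IT service desk servers
    "identity":   ipaddress.ip_network("10.10.0.0/24"),  # domain controllers
    "flight_ops": ipaddress.ip_network("10.30.0.0/24"),  # operational systems
}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it fits no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


# Allowed (src_zone, dst_zone, dst_port) triples. Anything cross-zone that is
# not listed is a violation under the segmented policy.
SEGMENTED_RULES = {
    ("vpn_users", "helpdesk", 443),   # remote users reach the ticketing portal
    ("helpdesk", "identity", 636),    # service desk authenticates over LDAPS
    ("flight_ops", "identity", 636),  # operational hosts authenticate over LDAPS
}


def flat_policy_allows(src_zone, dst_zone, port):
    """The unsegmented network: every flow is permitted."""
    return True


def segmented_policy_allows(src_zone, dst_zone, port):
    """Intra-zone traffic is allowed; cross-zone traffic must match a rule."""
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone, port) in SEGMENTED_RULES


# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.50.3.7", "10.20.0.10", 443, 12_000),      # VPN user -> helpdesk portal
    ("10.50.3.7", "10.10.0.5", 445, 80_000),       # VPN user -> DC over SMB
    ("10.50.3.7", "10.30.0.21", 3389, 4_000_000),  # VPN user -> flight ops RDP
    ("10.20.0.10", "10.10.0.5", 636, 2_000),       # helpdesk -> LDAPS
    ("10.20.0.10", "10.30.0.21", 22, 9_000),       # helpdesk -> flight ops SSH
]


def violations(flows, allows):
    """Return (src_zone, dst_zone, port, src_ip, dst_ip) for each flow the
    policy would have blocked. Run against the flat policy this is empty,
    which is the problem: lateral movement is indistinguishable from normal use."""
    out = []
    for src, dst, port, _nbytes in flows:
        s, d = zone_of(src), zone_of(dst)
        if not allows(s, d, port):
            out.append((s, d, port, src, dst))
    return out


if __name__ == "__main__":
    print("flat policy violations:", violations(FLOWS, flat_policy_allows))
    for v in violations(FLOWS, segmented_policy_allows):
        print("BLOCKED/ALERT", v)
```

Running the same flow records through the segmented policy turns the VPN pool reaching a domain controller over SMB, or an operational host over RDP, into explicit violations; under the flat policy nothing is flagged, which is the condition the alert criticised.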


The infiltration of a single aviation organization by multiple nation-state hackers emphasizes the growing challenges and sophistication of cyber threats faced by critical infrastructure entities. It is imperative for organizations to remain vigilant, implement robust security measures, and prioritize prompt patch management. Without these proactive efforts, the risks of further breaches and potential disruptions to vital infrastructure remain high. It is a collective responsibility of both public and private sectors to continuously invest in cybersecurity to safeguard the integrity and resilience of our critical infrastructure systems.

