The SITA cyberattack that affected many airlines around the world was carried out by a Chinese threat actor tracked as APT41. The victim airlines include Jeju Air in South Korea, Singapore Airlines, Air India, Malaysia Airlines, Air New Zealand, and Finland's Finnair. SITA provides services to over 1,000 airports and 2,500 customers.

Air India, one of the affected airlines, has stated that the data of 4,500,000 individuals globally was impacted by the attack. The compromised data consists of names, dates of birth, passport information, and additional data.

According to the investigation by Group-IB, SITASERVER4 was identified as the first Air India system that communicated with the attackers' infrastructure. SITASERVER4 hosted a Cobalt Strike implant for over 60 days.

The attackers made use of credentials to compromise at least 20 Air India devices and stole data from the network. Group-IB added that the cyberattack on Air India went on for 2 months and 26 days, and that it took the attackers almost 24 hours and 5 minutes to spread Cobalt Strike beacons to the rest of the devices in the affected airline's network.

The security researchers believe that the Chinese state-sponsored threat group APT41, which has been active since 2007, is responsible for the cyberattack. The group is known for attacking Indian organizations from time to time and is also tracked as BARIUM, WICKED SPIDER (PANDA), and Winnti Umbrella.
