A threat actor and alleged ransomware operator going by the alias USDoD has leaked data on over 3,000 suppliers of aviation giant Airbus after supposedly penetrating the organisation’s systems using a hacked customer account belonging to Turkish Airlines.
According to Hudson Rock, which was first to identify the emerging incident, USDoD had already gained a measure of notoriety when they took to the underground Breached forum at the end of 2022 to offer a data set allegedly purloined from the FBI’s InfraGard system.
Following the shutdown of Breached by the Feds, USDoD was among a number of users who migrated to BreachedForums. Then, earlier in September, they made two separate posts, one claiming to have joined a new ransomware crew called Ransomed, the other a thread containing the personal information of staffers at 3,200 of Airbus’s suppliers.
This dataset is understood to include names, addresses and contact details, and relates to a great many sensitive organisations, including the likes of Rockwell Collins and Thales. According to Hudson Rock, USDoD also claimed to be targeting Lockheed Martin and Raytheon.
Hudson Rock was able to confirm USDoD’s claims that they accessed Airbus via Turkish Airlines. The initial victim appears to have tried to download a pirated version of the Microsoft .NET framework but instead fell victim to the RedLine infostealer, which harvested their credentials; those credentials were then used to get into Airbus’s systems.
“Credentials obtained from infostealer infections, which have become the primary initial attack vector in recent years, provide threat actors with easy entry points into companies, facilitating data breaches and ransomware attacks,” wrote Hudson Rock’s researchers.
“Infostealer infections as a cyber crime trend surged by an incredible 6,000% since 2018, positioning them as the primary initial attack vector used by threat actors to infiltrate organisations and execute cyber attacks, including ransomware, data breaches, account overtakes and corporate espionage,” they said.
The team added that Airbus’s computer emergency response team (CERT) had confirmed to them this was indeed the attack vector.
An Airbus spokesperson said: “Airbus has launched an investigation into a cyber event during which an IT account associated with an Airbus customer has been attacked. This account was used to download business documents dedicated to this customer from an Airbus web portal.
“Immediate remedial and follow-up measures were taken by our security teams to prevent our systems from being compromised,” they added.
“As a major high-tech and industrial player, Airbus is also a target for malicious actors. Airbus takes cyber security seriously and continuously monitors activities on its IT systems, has solid protection tools, skilled cyber experts and associated processes to protect the company by taking immediate and appropriate measures as and when needed.”
Exabeam senior director of international security strategy Samantha Humphries said: “Supply chain attacks are a breed of insider threat that all organisations need to be planning for, as they are often a much easier route for cyber criminals to penetrate or circumnavigate defences. While the devil is in the contractual detail, realistically security leaders must play a part in due diligence discussions around supplier risk, but also implement processes and monitoring to ensure they can detect and respond to supply chain attacks.
“This is ultimately part of the cost of doing business, and should be seen as a business enabler, as well as a key focus from a risk and compliance perspective,” she said.
“Unfortunately, these types of attacks continue to be successful routes of income for adversaries, therefore proper preparation, including tabletop exercises, credential monitoring and breach response planning, needs to include third- and fourth-party supplier considerations.”