The most recent sector to fall prey to ransomware and other cyber attacks is aviation. At least two prominent organizations (Embraer and Dassault Falcon Jet) were struck by ransomware, resulting in the loss of capital, labor efficiency, and potentially operational secrets. Additionally, a startling report from NCC and Fox-IT detailed a campaign by a Chinese hacking group that was stealing airline passenger travel information. The standard recommendations for hardening your environment against ransomware apply and can be found later in this article.
Technical Detail & Additional Information
WHAT IS THE THREAT?
In the last month at least, three different aviation companies have been compromised, putting both intellectual property and the personal information of passengers at risk. Two of the organizations in the manufacturing sector, Embraer and Dassault Falcon Jet, have reported suffering from ransomware attacks. Additionally, a report was released by NCC and its subsidiary Fox-IT detailing the theft of airline passenger information for an undisclosed number of organizations. While there is no direct connection between these compromises, it represents a growing threat landscape in the aviation sector. Advanced threat actors are targeting these organizations to steal critical intellectual property, and even more troubling, track the locations of potentially high-value targets as they travel.
WHY IS IT NOTEWORTHY?
These compromises represent yet another industry being ravaged by the increasing threat of cyber-attacks, ransomware in particular. BitDefender’s Mid-Year Threat Landscape report from 2020 reported a staggering 715% increase in ransomware attacks1. The aviation industry is merely the latest to feel the effects. Dassault Falcon Jet and Embraer may not be household names, but they are among the largest players in the aviation sector. Both organizations have delivered over 10,000 airplanes worldwide to date. Additionally, Dassault Falcon Jet designs and builds aircraft for military and space systems, in addition to commercial aircraft. Both companies are multi-billion-dollar organizations, and their compromise can potentially represent the loss of valuable trade secrets. In the case of the theft of airline passenger information, it represents a startling new tactic of threat actors potentially tracking high profile targets across the globe.
WHAT IS THE EXPOSURE OR RISK?
In the case of the ransomware attacks on Dassault Falcon Jet and Embraer, many facets of the organization are affected. Most obviously, data can be lost or stolen, including potentially valuable trade secrets, customer information, contract information, and much more. Less obviously, day-to-day business function can see a severe degradation. If there is a significant portion of employees working from home, like many organizations nowadays, many employees can be completely incapable of performing their daily job duties. In the case of the airline passenger data theft, this represents a slightly more Orwellian threat. Threat actors could potentially coordinate their actions based on the location of a particular high value target. This may not even be restricted to cyber-attacks. If the travel itinerary of a target is known, they or their possessions may be in physical danger as well.
WHAT ARE THE RECOMMENDATIONS?
The basic recommendations to prevent similar attacks against your organizations will be the same as any ransomware prevention:
- Ensure employees are trained to identify potentially malicious emails, which are the most likely vector of ransomware infections.
- Audit user permissions in your environment to ensure that if there is a compromise, the fewest amount of user accounts are endangered with excess permissions.
- Ensure the devices on your network are updated with the latest security patches, and you have endpoint protection with an up-to-date list of threats.
- Implement a password policy forcing complex passwords of over 8 characters, potentially including capital letters, numbers, or symbols.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.