Organizations are beginning to change the way they handle the revelation that their IT systems have been attacked. In a rare public admission on June 21, 2015, LOT, the Polish national airline, acknowledged that 20 flight cancellations and delays were the direct result of an IT attack. Initially, the airline released a statement that the flight problems were caused by an IT systems failure. Shortly thereafter, however, it issued a second press release stating that the cancellations and delays were the direct result of hacks of the ground operations system. The hack prevented the creation of flight plans for planes scheduled to depart Warsaw Chopin Airport. The airline has not shared information on the full nature of the attack.

This echoes recent events at United Airlines. There was an hourlong grounding of all United Airlines flights on the morning of June 2. According to TIME, the reason for the delays in this case was stated as “faulty flight information in the airline’s dispatch system,” which was blamed on “automation issues.” There was some speculation on Twitter that attributed the grounding to hacks issuing false and random flight plans. On the morning of July 8, United Airlines suffered another “network connectivity issue” that grounded thousands of flights for nearly two hours.

Then, on July 29, 2015, Bloomberg Business published additional information on alleged hacking tied to United Airlines. Bloomberg Business reported that the airline “detected an incursion into its computer systems in May or early June.” United declined to comment on whether there was a potential breach, but the article stated that the stolen data allegedly included flight manifests. It also cited an unidentified source who stated that there is no evidence that the July 8 flight delays were caused as a result of hacks, but the sources wouldn’t “rule out a possible, tangential connection” to the June 2 event.

Finding Answers to Hacks

These events may or may not be related — there just isn’t enough information being shared to make that determination. The outward appearance is that the problems these airlines had were not related: They occurred weeks apart in different parts of the world across different systems — but that may not be the case. What is known is that LOT announced that its problem was the result of an outside actor and not just a simple system failure. Regarding the United Airlines incidents, people continue to speculate on what caused the system malfunctions and whether United actually was hacked.

While we don’t know exactly what caused these incidents, we can assert that threat intelligence and information sharing can greatly improve awareness and aid in hardening defenses against emerging threats. To defend efficiently against security threats, organizations require visibility into the origins, variations and methods of attack. They must also be aware of their own vulnerabilities. Through investigation and information sharing, a determination could be made on whether incidents such as these are isolated or related, and whether other airlines could take steps to prevent them.

Attackers Share — Defenders Should Too

Cyberattacks are becoming more dynamic, more complex and more malicious. Additionally, cybercriminals are sharing information about targets and vulnerabilities, and they are soliciting advice from others in their nefarious communities. Reducing risk in this environment requires that security professionals have comprehensive threat intelligence. Some of the most critical information will need to be provided by other security specialists. In short, security analysts need to collaborate to stop the bad guys.

One tool that organizations can utilize to augment their internal threat research is the IBM X-Force Exchange. X-Force Exchange is an open, cloud-based threat intelligence sharing platform. IT security professionals who participate have access to the 700 TB of data that X-Force has amassed from the analysis of more than 15 billion security events, billions of Web pages, millions of spam and phishing attacks and a malware threat intelligence network of 270 million endpoints.

The content includes malware information, IP reputation (e.g., malware hosts, spam sources, botnet command-and-control servers), URL reputation, Web application categorization, and tracking of threats originating from specific software, exploits and vulnerabilities. Because the Exchange is a cloud platform, its data is continuously updated with the latest intelligence. Users can collect reports and then export them into their own incident response, forensics investigation or analytics platform, using either the Exchange’s social-based user interface or its application programming interface (API).

To be successful, IT security must reduce the attack surface area, have visibility into threats and reduce reaction time. These activities can be enhanced with greater threat intelligence, which is expanded in scope by the sharing of information across industries and organizations. By pooling vulnerability and threat data, IT security professionals vastly improve their ability to detect, divert and avoid threats.

In the future, organizations throughout the airline industry may be able to avoid hacker-created travel delays if they increase their collaboration on threats, attack methods and system vulnerabilities. IBM X-Force Exchange is a new platform to share threat intelligence, and as more entities join the Exchange, its vault of intelligence will increase, helping prepare organizations for the next potential incident.
