Organizations are beginning to change the way they handle the revelation that their IT systems have been attacked. In a rare public admission, LOT, the Polish national airline, readily admitted on June 21, 2015, that 20 flight cancellations and delays were the direct result of an IT attack. Initially, the airline released a statement that the flight problems were caused by an IT systems failure. However, shortly thereafter, it issued a second press release that stated that the cancellations and delays were the direct result of hacks of the ground operations system. The hack prevented the creation of flight plans for planes scheduled to depart Warsaw Chopin Airport. The airline has not shared information on the full nature of the attack.

This raises echoes of what has happened recently at United Airlines. There was an hourlong grounding of all United Airlines flights on the morning of June 2. According to TIME, the reason for the delays in this case was stated as “faulty flight information in the airline’s dispatch system,” which was blamed on “automation issues.” There was some speculation on Twitter that attributed the grounding to hacks issuing false and random flight plans. On the morning of July 8, United Airlines suffered another “network connectivity issue” that grounded thousands of flights for nearly two hours.

Then, on July 29, 2015, Bloomberg Business published additional information on alleged hacking tied to United Airlines. Bloomberg Business reported that the airline “detected an incursion into its computer systems in May or early June.” United declined to comment on whether there was a potential breach, but the article stated that the stolen data allegedly included flight manifests. It also cited an unidentified source who stated that there is no evidence that the July 8 flight delays were caused as a result of hacks, but the sources wouldn’t “rule out a possible, tangential connection” to the June 2 event.

Finding Answers to Hacks

These events may or may not be related — there just isn’t enough information being shared to make that determination. The outward appearance is that the problems these airlines had were not related: They occurred weeks apart in different parts of the world across different systems — but that may not be the case. What is known is that LOT announced that its problem was the result of an outside actor and not just a simple system failure. Regarding the United Airlines incidents, people continue to speculate on what caused the system malfunctions and whether United actually was hacked.

While we don’t know exactly what caused these incidents, we can assert that threat intelligence and information sharing can greatly improve awareness and aid in hardening defenses against emerging threats. To efficiently defend against security threats, organizations require visibility into the origins, variations and methods of attack. They must also be aware of their own vulnerabilities. Through investigation and information sharing, a determination could be made on whether incidents such as these are isolated or related, and whether other airlines could take steps to prevent them.

Attackers Share — Defenders Should Too

Cyberattacks are becoming more dynamic, more complex and more malicious. Additionally, cybercriminals are sharing information about targets and vulnerabilities, and they are soliciting advice from others in their nefarious communities. Reducing risk in this environment requires that security professionals have comprehensive threat intelligence. Some of the most critical information will need to be provided by other security specialists. In short, security analysts need to collaborate to stop the bad guys.

One tool that organizations can utilize to augment their internal threat research is the IBM X-Force Exchange. X-Force Exchange is an open, cloud-based threat intelligence sharing platform. IT security professionals who participate have access to the 700 TB of data that X-Force has amassed from the analysis of more than 15 billion security events, billions of Web pages, millions of spam and phishing attacks and a malware threat intelligence network of 270 million endpoints.

The content includes malware information and IP reputation (e.g., malware hosts, spam sources, botnet command-and-control servers), URL reputation, Web application categorization such as information on threats originating from specific software, exploits and vulnerability tracking. Because it is a cloud platform, its data is continuously updated with the latest intelligence. Users can collect reports that they can then export into their own incident response, forensics investigation or analytics platform using the Exchange’s social-based user interface or the application programming interface (API).
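The practical payoff of an exported reputation report is matching it against your own telemetry. The following is an added illustration, not code from this post or from IBM: it indexes a small indicator feed (exact IPs, CIDR ranges and domains) and scans firewall, proxy and mail log lines for hits. The feed layout, the indicator values and the log lines are all constructed for the example and do not reflect the X-Force Exchange export format or API; the function names are hypothetical.

```python
import ipaddress
import json
import re

# Constructed indicator feed in a simple JSON shape chosen for this example.
# It is NOT the X-Force Exchange export format. Values use documentation
# address ranges (RFC 5737) and the reserved .example TLD.
INDICATOR_FEED = json.dumps({
    "indicators": [
        {"type": "ip", "value": "198.51.100.23", "category": "botnet C2"},
        {"type": "cidr", "value": "203.0.113.0/24", "category": "spam source"},
        {"type": "domain", "value": "update-check.example", "category": "malware host"},
    ]
})

# Constructed log lines in a firewall / proxy / SMTP style.
SAMPLE_LOGS = [
    "2015-07-08T09:14:02Z fw allow src=10.0.4.17 dst=198.51.100.23 dport=443",
    "2015-07-08T09:14:05Z proxy GET http://update-check.example/payload.bin client=10.0.4.22",
    "2015-07-08T09:14:09Z fw allow src=10.0.4.30 dst=192.0.2.10 dport=80",
    "2015-07-08T09:15:41Z smtp from=<bob@corp.example> relay=203.0.113.77",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def load_feed(feed_json):
    """Index the feed: exact IPs in a dict, networks in a list, domains in a dict."""
    feed = {"ips": {}, "networks": [], "domains": {}}
    for ind in json.loads(feed_json)["indicators"]:
        kind, value, category = ind["type"], ind["value"], ind["category"]
        if kind == "ip":
            feed["ips"][str(ipaddress.ip_address(value))] = category
        elif kind == "cidr":
            feed["networks"].append((ipaddress.ip_network(value, strict=False), category))
        elif kind == "domain":
            feed["domains"][value.lower().rstrip(".")] = category
    return feed


def extract_observables(line):
    """Pull candidate IPv4 addresses and URL hostnames out of one log line."""
    ips = set()
    for token in IPV4_RE.findall(line):
        try:
            ips.add(ipaddress.ip_address(token))
        except ValueError:  # the loose regex also matches e.g. 999.1.1.1
            pass
    hosts = {h.lower().rstrip(".") for h in HOST_RE.findall(line)}
    return ips, hosts


def lookup_ip(ip, feed):
    """Exact-IP match first, then the CIDR ranges."""
    category = feed["ips"].get(str(ip))
    if category:
        return category
    for net, category in feed["networks"]:
        if ip in net:
            return category
    return None


def lookup_host(host, feed):
    """A hostname matches a listed domain exactly or as one of its subdomains."""
    for domain, category in feed["domains"].items():
        if host == domain or host.endswith("." + domain):
            return category
    return None


def scan_logs(lines, feed):
    """Return one hit per (line, observable) that appears in the feed."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        ips, hosts = extract_observables(line)
        for ip in sorted(ips, key=str):
            category = lookup_ip(ip, feed)
            if category:
                hits.append({"line": lineno, "observable": str(ip), "category": category})
        for host in sorted(hosts):
            category = lookup_host(host, feed)
            if category:
                hits.append({"line": lineno, "observable": host, "category": category})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, load_feed(INDICATOR_FEED)):
        print(f"line {hit['line']}: {hit['observable']} -> {hit['category']}")
```

Running it flags the connection to the C2 address, the download from the listed malware host and the mail relay inside the spam-source range, while the ordinary web request on line 3 produces no hit. In a real deployment the indexing step would be replaced by a scheduled pull of the exported report, and the hits would feed the analytics or incident response platform mentioned above.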

To be successful, IT security must reduce the attack surface area, have visibility into threats and reduce reaction time. These activities can be enhanced with greater threat intelligence, which is expanded in scope by the sharing of information across industries and organizations. By pooling vulnerability and threat data, IT security professionals vastly improve their ability to detect, divert and avoid threats.

In the future, organizations throughout the airline industry may be able to avoid hacker-created travel delays if they increase their collaboration on threats, attack methods and system vulnerabilities. IBM X-Force Exchange is a new platform to share threat intelligence, and as more entities join the Exchange, its vault of intelligence will increase, helping prepare organizations for the next potential incident.
