[BreachExchange] ICAO victim of a major cyberattack in 2016

Destry Winant destry at riskbasedsecurity.com
Mon Mar 4 09:18:44 EST 2019


The International Civil Aviation Organization (ICAO) was a victim of a
large-scale cyberattack back in 2016. Indeed, in November of that
year, a cyber-intelligence analyst at Lockheed Martin contacted the
international organization after finding that cybercriminals took
control of two of its servers.

The ICAO had been targeted by a watering hole attack, in which an
attacker plants an exploit on a website frequented by the intended
target. The analyst at Lockheed Martin emphasized that this attack
could represent a “significant threat to the aviation industry.”

This cyberattack has been linked to the APT group LuckyMouse, also
known as Emissary Panda, APT27 and Bronze Union.

Following on from speaking to Lockheed Martin, the ICAO mandated an
external analyst to evaluate the attack. Preliminary analysis by
Secureworks revealed deeper problems. This analysis, as reported by
Radio-Canada (article in French), indicated that the attack went
beyond the incident initially noted on two servers of the
organization, and that the attack also affected “the accounts of the
mail servers, domain administrator and system administrator”.

In the weeks following the attack, the e-mail account of an ICAO
delegate was also compromised by hackers and used to send messages;
however, the media reports on the attack do not indicate whether the
two incidents are linked.

Some issues with the communication and cooperation within the
international organization seem to have led to delays in the thorough
analysis of the attack by Secureworks, including the deciphering of an
infected mail server, an important step in warning users whose
security and data may have been compromised.

Once this server was decrypted, analysts were able to link this attack
to an internal account in the organization. However, it is impossible
to determine if this account was compromised by the attack.


According to ESET malware researcher Matthieu Faou, LuckyMouse
specializes in watering hole attacks: “this APT group scans the Web for
vulnerable servers. These affected servers may allow it to compromise
new victims later.”

The expert adds that LuckyMouse uses various tools to reach its
victims, who are often targeted in Central Asia and the Middle East.
“In addition to using generic tools relatively accessible on the Web,
the group has developed tools of its own, including a rootkit. Last
year, they stole a digital certificate belonging to a legitimate
company, used to sign its rootkit.”

According to José Fernandez, cybersecurity expert and professor at
Polytechnique Montréal, “ICAO is a natural choice” for the purpose of
cyber-espionage, a type of campaign with which LuckyMouse is often
associated. “The agency thus becoming a one-stop shop for the hacking
of all other players in the aerospace industry.”

Anthony Philbin, ICAO’s chief of communications, reassured the public
following the revelations surrounding this cyberattack. He stated,
following the CBC report, “We are not aware of the serious cyber
security consequences for the external partners that would have
resulted from this incident …”, adding that since the attack, “ICAO
has made significant improvements to its cybersecurity framework and
approaches to mitigate other incidents.”

In any case, this incident underlines the importance of a quick and
coordinated response when an organization faces a cyberattack.
Developing a cybersecurity incident response plan must now be at the
heart of any organization’s overall security planning. This is
especially true for large targets, but it is an exercise that any
business should undergo.
