Fraud Management & Cybercrime , Ransomware
Attempted Ransomware Attack Grounds SpiceJet FlightsIndian Airline Says Attack on IT Infrastructure 'Contained'; Threat Actor Unknown
Indian passenger airline SpiceJet says an attempted ransomware attack was made against its IT infrastructure on Tuesday night.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The airline says that the attack was "contained," and it has resumed regular operations. Passengers, however, continued to complain of delays in takeoff until about noon local time.
#ImportantUpdate: Certain SpiceJet systems faced an attempted ransomware attack last night that impacted and slowed down morning flight departures today. Our IT team has contained and rectified the situation and flights are operating normally now.— SpiceJet (@flyspicejet) May 25, 2022
SpiceJet did not respond to Information Security Media Group's request for details about the possible threat actors behind the attempted attack, how successful it was, the impact it had on IT systems and the timeline for full resumption of operations.
The low-cost airline's passengers from Ahmedabad, Dharamshala, Delhi, Srinagar and Hyderabad continued to complain of takeoff delays and cancellations well past noon. Many were reportedly left stranded for hours in the airplanes after boarding but were told the flights couldn't get cleared for takeoff due to system issues.
The Ministry of Civil Aviation and the Directorate General of Civil Aviation did not respond to ISMG's request for details on the clearance delay.
But SpiceJet, in response to these concerns, issued an update, saying that "while our IT team has to a large extent contained and rectified the situation, this has had a cascading effect on our flights leading to delays." It added: "Some flights to airports where there are restrictions on night operations have been cancelled. SpiceJet is in touch with experts and cybercrime authorities on the issue."
Past SpiceJet Attack
SpiceJet has faced cybersecurity issues in the past.
In February 2020, a U.S. security researcher brute-forced a SpiceJet system and gained access to an unencrypted database backup file that contained private information of more than 1.2 million passengers, according to TechCrunch.
The Indian Computer Emergency Response Team, which was alerted to this vulnerability by the researcher, reportedly confirmed the security lapse and passed the alert on to SpiceJet. But the airline reportedly declined to confirm CERT-In's findings.
The aviation sector is routinely targeted by threat actors and groups. In a recent campaign, an Iranian state-sponsored threat group was found abusing free workspaces on the Slack messaging platform to deploy a backdoor in an Asian airline's system (see: Iranian Threat Actor Uses Slack API to Target Asian Airline).
While attribution for the SpiceJet ransomware attack has yet to be determined, Indian organizations have, in the past, been targeted by groups such as REvil and the erstwhile Conti group.
Other ransomware attacks in India include an April attack targeting a government-owned oil company, Oil India Limited. Multiple cybersecurity researchers attributed the attack to either REvil or imposters using the gang's name.
Links to Conti and Hive
On Tuesday, travel and hospitality software-as-a-solution provider RateGain was attacked by ransomware. Two ransomware operators, Conti and Hive, have claimed responsibility for the attack and listed RateGain as a victim on their respective leak sites.
#RateGain also appeared on #HiveLeaks' blog site today...#ransomware #ransomware https://t.co/2nHTF35FMW pic.twitter.com/jwjrtFzSC8— BetterCyber (@_bettercyber_) May 24, 2022
Security researcher Dominic Alvieri says this is a proof of "Conti working closely with Hive ransomware." The "near joint release of RateGain today solidifies the trend [from the] last few weeks with both groups claiming Attica Holdings SA in April," he tweets.
Yelisey Boguslavskiy, head of research at security firm Advanced Intelligence, says that his researchers have witnessed Conti members working for Hive since November 2021. "Conti gave Hive initial access and pen-testers, while Hive provided a locker, negotiations, and blog pages. This was the first successful alliance that Conti built and the beginning of their new work model," Boguslavskiy says in a LinkedIn post.
The SpiceJet attempted ransomware attack could ultimately end up shedding some light on the Conti ransomware group rebrand and the formation of smaller groups or affiliates (see: Conti Ransomware Group Retires Name After Creating Spinoffs).