Malaysia Airlines Website Hacked
Lizard Squad Claims Credit for Defacement, Data Leak

The Malaysia Airlines website was hacked early on Jan. 26, and customer data appears to have been leaked online.
"Hacked by Lizard Squad - Official Cyber Caliphate" read the message - overlaid on a picture of a Malaysia Airlines A380 airplane, and accompanied by an image of a top-hat-wearing lizard - that greeted people who attempted to access the Malaysia Airlines website, underneath the fake error message "404 - Plane Not Found." The browser window added the following message: "ISIS WILL PREVAIL," in apparent reference to terrorist group Islamic State.
Malaysia Airlines has confirmed the breach, which it has ascribed to attackers gaining control of its website's domain name system settings. "Malaysia Airlines confirms that its Domain Name System (DNS) has been compromised where users are re-directed to a hacker website when www.malaysiaairlines.com URL is keyed in," the airline said in a Jan. 26 statement posted to Facebook at 6 a.m. GMT. "At this stage, Malaysia Airlines' Web servers are intact."
The airline's domain name appears to be registered with Web Commerce Communications Limited - a.k.a. Webnic - which has offices in Singapore, Malaysia and China. The registrar didn't immediately respond to a request for comment on the breach.
Some mobile users attempting to access the Malaysia Airlines website reportedly saw instead an "Error 521: Web Server Down" message, which can refer to a connection problem with CloudFlare; that company provides a service for defending sites against distributed denial-of-service attacks. But CloudFlare's service relies on DNS settings, meaning that if attackers altered the airline's DNS settings, then it could have broken the connection with CloudFlare.
The hacking group known as Lizard Squad has claimed credit for the attack, both via the website defacement itself, as well as via its "LizardMafia" Twitter account.
In its statement, Malaysia Airlines claimed that the attack was limited to changing the DNS settings for its website, and promised that the site would return to normal as the corrected DNS settings slowly propagated worldwide. "The airline has resolved the issue with its service provider and the system is expected to be fully recovered within 22 hours. The matter has also been immediately reported to CyberSecurity Malaysia and the Ministry of Transport," the airline said. "Malaysia Airlines assures customers and clients that its website was not hacked and this temporary glitch does not affect their bookings and that user data remains secured."
Lizard Squad Leaks Data
But Lizard Squad has disputed the airline's claim that the hack attack was limited to just DNS settings. "Are you really that clueless?" the group said via Twitter. "We would like to point out that [Malaysia Airlines] is lying about user data not being compromised." In the hours before the attack, Lizard Squad had also promised via Twitter: "Going to dump some loot found on http://www.malaysiaairlines.com/ servers soon."
Subsequently, the group published an image from the website's secure booking page showing the itinerary for Malaysian International Trade and Industry Minister Mustapa Mohammad, who was booked on a Jan. 26 flight. Another passenger, whose travel itinerary was also leaked via a Lizard Squad tweet, confirmed to Malaysian news website Star that the information about his planned travel was correct.
This isn't the first airline-related exploit attributed to the hacking group. In August 2014, Lizard Squad took credit for a Twitter threat against the airplane on which Sony president John Smedley was traveling, causing it to be diverted. Authorities later said the threat had been a hoax.
Hacking DNS
Hacking a website's DNS settings to redirect it to a site of the attacker's choosing is not a new attack technique. Indeed, the Syrian Electronic Army has used the technique numerous times to forcibly redirect those who attempted to access a website. In 2013, for example, the group altered the DNS settings for the websites of Twitter as well as The New York Times. While Twitter was able to quickly regain control of its DNS settings, the Times website remained unreachable for many viewers for more than 48 hours following the attack.
ENISA, the European agency that focuses on improving cybersecurity practices for the 28 EU member states, earlier this month released a report that urged DNS registrars to better lock down the account credentials and lists of authorized users to prevent attackers from seizing control of those accounts and altering DNS settings.
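The detection a site operator wants for the scenario above is a comparison of the zone's delegation and web-host records against a known-good baseline: a change in NS records points at a registrar-account compromise, a change in A records explains the redirection (and the broken CloudFlare proxy), and the attacker's TTL bounds how long caches keep serving the rogue answers after the fix. The following is an added example, not code from the article or the airline; every domain name and address is a constructed placeholder.

```python
"""Diff an observed DNS snapshot against a trusted baseline to flag the hijack
pattern described above: changed zone delegation (NS) and redirected web host (A).
All names and addresses below are constructed placeholders (RFC 5737 test ranges),
not the airline's real records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsSnapshot:
    ns: frozenset   # authoritative nameservers reported for the zone
    a: frozenset    # A records returned for the web host
    ttl: int        # TTL (seconds) seen on the A records


def parse_dig_short(output: str) -> frozenset:
    """Normalise 'dig +short'-style output: one record per line, trailing dot dropped."""
    return frozenset(line.strip().rstrip(".").lower()
                     for line in output.splitlines() if line.strip())


def check_hijack(baseline: DnsSnapshot, observed: DnsSnapshot) -> list:
    """Return findings in severity order; an empty list means the snapshot matches."""
    findings = []
    # Delegation changed: whoever controls these servers answers for the whole zone,
    # which is what a compromised registrar account permits. Highest severity.
    rogue_ns = observed.ns - baseline.ns
    if rogue_ns:
        findings.append(f"NS_CHANGED: zone now delegated to {sorted(rogue_ns)}")
    # Web host points somewhere new: visitors are redirected even though the origin
    # servers are intact, and any DNS-based proxy (e.g. CloudFlare) is bypassed.
    rogue_a = observed.a - baseline.a
    if rogue_a:
        findings.append(f"A_CHANGED: web host now resolves to {sorted(rogue_a)}")
    # Resolvers cache the rogue answers for up to the TTL the attacker set, so the
    # restored records are not seen everywhere until that window has passed.
    if findings:
        findings.append(f"RECOVERY_WINDOW: up to {observed.ttl / 3600:.0f} h after restoring records")
    return findings


# Constructed snapshots: baseline from an earlier trusted capture, observed mid-incident.
BASELINE = DnsSnapshot(
    ns=parse_dig_short("ns1.registrar.example.\nns2.registrar.example.\n"),
    a=parse_dig_short("203.0.113.10\n"), ttl=300)
OBSERVED = DnsSnapshot(
    ns=parse_dig_short("ns1.rogue.example.\nns2.rogue.example.\n"),
    a=parse_dig_short("198.51.100.77\n"), ttl=86400)

if __name__ == "__main__":
    for line in check_hijack(BASELINE, OBSERVED):
        print(line)
```

In practice the observed snapshot would come from querying the parent zone's nameservers directly rather than a local recursive resolver, so that a poisoned cache cannot hide the change.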
2014 Tragedies
The missing plane mentioned by the website defacement likely refers to two high-profile 2014 incidents in which Malaysia Airlines planes either went missing or were shot down. Malaysia Airlines Flight 370, carrying 239 people, disappeared on March 8, 2014, while en route from Malaysia to Beijing. No trace of the plane has been found; Malaysian authorities now believe it crashed into the southern Indian Ocean.
On July 17, 2014, meanwhile, Malaysia Airlines Flight 17 was shot down over Ukraine - by a surface-to-air missile, U.S. officials say - killing all 298 people aboard. Industry watchers say the disasters added to the already significant financial woes facing the country's state-run airline.
Mark James, a security specialist at anti-virus firm ESET, cautions that the hack attacks against the airline could also be designed to discredit Lizard Squad. But whoever is involved, he criticized their insensitivity for attacking the airline's website in the wake of the 2014 tragedies.
Lizard Squad was in the news recently for its Christmas Day disruption of Sony's PlayStation store and Microsoft's Xbox Live network. The group claimed that those disruptions were meant to advertise its new "Lizard Stresser" DDoS-on-demand service.