Hacker Sells Access to Pakistani Airlines' Network
Access to Pakistan International Airlines’ network is being offered for sale on the cyber underground, according to threat researchers in Israel.
A team at dark net threat intelligence firm KELA spotted a threat actor touting domain admin access to the airline for $4,000 on two Russian-speaking illegal online forums and one English-speaking forum that they had been monitoring.
From their headquarters in Tel Aviv, the team had been tracking ransomware trends, exploring how initial access brokers in the cybercrime community play a role in the supply chain of this popularly deployed malware.
On November 9, a KELA spokesperson told Infosecurity Magazine: "We've been tracking a threat actor that just last week published domain access for sale to Pakistan International Airlines’ network.
"Most of the time we're seeing cyber-criminals purchase these initial accesses to gain an initial foothold into the victim's network, from which they can then perform lateral movement to advance their access privileges and potentially employ ransomware or some other type of attack."
A week after putting access to the airline's network on the black market, the cyber-criminal announced that they were also selling all the databases that exist in the airline's network.
The threat actor published a sample of the allegedly stolen data, which they claim contains "all people information who use Pakistan Airline includ[ing] name, last name, phone number, passport."
"The actor mentions that what he is selling includes around 15 databases all with different amounts of records—some around 500k records and some around 60k–50k records—but that all records stored in their network are included," said KELA.
If the threat actor's claims are genuine, then they have hit the same victim twice, leveraging the network access that they obtained to the airline's network to exfiltrate the company's data.
"What's interesting is that this actor takes two different approaches to try and monetize," said KELA.
KELA's researchers have been tracking the threat actor since July 2020, during which time the actor has offered 38 accesses for sale at a cumulative price of at least $118,700.
"We know he has more accesses that he offers in private," said KELA.