
International Aviation Agency Conceals Serious Hack

The International Civil Aviation Organization (ICAO) apparently suffered a large-scale cyberattack in 2016 that affected its web and email servers. The credentials for the domain and system administrator accounts, as well as those of 2,000 ICAO system users, were also stolen during the incident. The attack is said to have been carried out by a highly adaptable cyber espionage group known as APT27 (aka Emissary Panda, LuckyMouse and Bronze Union). APT27 is believed to be operating out of China and makes prolific use of watering hole techniques to deliver malware. In campaigns observed in 2018, the group deployed upgraded versions of the publicly available ZxShell remote access tool (RAT) and Gh0st RAT. For more complex intrusion scenarios, the group used proprietary RATs such as SysUpdate and HyperBro that can evade traditional signature-based detection. APT27 also leverages "Living-off-the-Land" techniques to elevate privileges and overcome security controls in the compromised systems. As the group is technically capable, it is expected to evolve its tools and techniques to ensure effectiveness in future campaigns.

Ensign InfoSecurity Singapore
30A Kallang Place
Singapore 339213

Tel: +65 6788 2882
Fax: +65 6788 3883