United Airlines hacked by same group that breached Anthem and OPM

United Airlines has been breached, and investigators believe the perpetrators to be the same group that hacked US health insurer Anthem and stole personal and employment information of 78.8 million customers and non-customers.

According to Bloomberg, both attacks were mounted around the same time, but United only detected the intrusion in May or early June.

It is still unknown what data the attackers compromised, but it is believed that flight manifests, which contain passenger lists with names and birthdates, were likely stolen, and that company information (mergers, acquisitions information) might have been taken.

This particular hacker group is also believed to have been behind the OPM hack, and investigators and security researchers believe the hackers to be Chinese.

The investigators fear that they work on behalf of China’s intelligence apparatus, helping them to compile a vast database that will help them identify US government, defense and intelligence employees, their movements, health issues, financial situation. This type of information could ultimately be used to either recruit or blackmail them into revealing things they shouldn’t share with anyone.

Bloomberg reporters posit that the United breach was discovered thanks to certain information acquired in the wake of the OPM hack. “The China-backed hackers that cybersecurity experts have linked to that attack have embedded the name of targets in web domains, phishing e-mails and other attack infrastructure, according to one of the people familiar with the investigation,” they noted.

This allowed investigators to compile a list of likely targets, and apparently United Airlines was on it.

The group has been dubbed Black Vine by Symantec researchers, who have recently published a helpful whitepaper on the hackers’ tools, techniques, tactics, and past campaigns.

Black Vine hackers have mounted a number of cyber espionage campaigns, targeting mostly US companies in the aerospace and healthcare industries.


Other victims in the energy, military and defence, finance, agriculture, and technology industries are believed to have been secondary targets.

“Black Vine conducts watering-hole attacks targeting legitimate energy- and aerospace-related websites to compromise the sites’ visitors with custom malware,” the researchers shared.

The malware in question is either a variant of the Sakurel backdoor and malicious downloader, or the Mivast backdoor and information-stealer, and they would get surreptitiously installed on the victims’ computer after they visited the watering hole and triggered an exploit for one of two Internet Explorer zero-day vulnerabilities.

“In most cases, the malware is made to look like a technology-related application,” the researchers found. “Some of the themes used to disguise the malware include Media Center, VPN, and Citrix applications. The C&C server or malware-hosting domain is also themed similarly to the malware’s disguise. For example, in one instance, a Sakurel sample was named MediaCenter.exe. The C&C domain that the malware communicated with used a Citrix theme: citrix.vipreclod.com.

“Black Vine appears to have access to the Elderwood framework, which is used to distribute zero-day exploits among threat groups that specialize in cyberespionage,” they also pointed out, and noted that they believe Black Vine to be an attack group with working relationships with multiple cyberespionage actors.

“The group is well funded, organized, and comprises of at least a few members, some of which may have a past or present association with a China-based IT security organization called Topsec,” they shared.

“It’s troubling to think that this hack is yet another from the infamous Chinese team behind the recent OPM hack. If true, this group has proven itself to be adept at infiltrating both public and private organizations, with great success in both,” commented Carl Herberger, VP of Security Solutions at Radware and former Cybersecurity officer in the US Air Force.

“Security professionals often chide the public sector for not maintaining the security standards of the private sector, but this hack is a clear indicator that the rules of the game have greatly changed and all organizations in today’s market need to stop and reassess the standards at which they operate and the systems they once thought were sufficient, across the board, or we will only continue to read about more and more companies who join this rapidly expanding list of damaging hacks and breaches.”

“By nature, the infrastructure for the aviation industry has a broad spectrum of attack options for hackers with malicious intent; this includes opportunities from airline databases to the plane themselves,” he pointed out.

At this moment, though, United’s primary goal must be to make sure that they manage to boot the attackers out of their networks and systems, as their continuing, secret presence could result in more data theft, but also more disruptive attacks in the future.