{"id":27866,"date":"2019-02-27T10:19:29","date_gmt":"2019-02-27T15:19:29","guid":{"rendered":"http:\/\/mileniostadium.com\/?p=27866"},"modified":"2019-02-27T10:19:29","modified_gmt":"2019-02-27T15:19:29","slug":"montreal-based-un-aviation-agency-tried-to-cover-up-2016-cyberattack-documents-show","status":"publish","type":"post","link":"https:\/\/mileniostadium.com\/canada\/montreal-based-un-aviation-agency-tried-to-cover-up-2016-cyberattack-documents-show\/","title":{"rendered":"Montreal-based UN aviation agency tried to cover up 2016 cyberattack, documents show"},"content":{"rendered":"
In November 2016, the Montreal-based International Civil Aviation Organization (ICAO) was hit by the most serious cyberattack in its history, and internal documents obtained by CBC suggest key members of the team that should have prevented the attack tried to cover up how badly it was mishandled.
As the United Nations body that sets standards for civil aviation around the world, ICAO is the gateway to everyone in the aviation industry, so an uncontained cyberattack left not just ICAO vulnerable, but made sitting ducks of its partners worldwide.
The documents obtained by CBC suggest the hacker was most likely a member of Emissary Panda, a sophisticated and stealthy espionage group with ties to the Chinese government.
At ICAO, investigators found a network full of holes, with security vulnerabilities that should have been flagged years earlier.
José Fernandez, a cybersecurity expert and professor at Polytechnique Montréal, said what happened at ICAO is akin to leaving your car unlocked and allowing a criminal to use the vehicle to commit a crime.
“If a large organization like ICAO leaves its infrastructure unprotected, or not well protected, it is allowing criminals or, in this case, cyberspies to use that infrastructure to spy on other people.”
The documents show that the breach was discovered by an outside agency, and what should have been a race to contain it was mired in delays, obstruction and negligence. The documents suggest that four members of ICAO’s information and communications technology (ICT) department tried to hide evidence of their own incompetence, and their absentee supervisor allowed that to happen.
Despite the gravity of the attack, and the confusion of the ICT team’s response to it, confidential sources have told CBC that ICAO Secretary General Fang Liu shelved internal recommendations to investigate the four ICT team members and their boss, James Wan, ICAO’s deputy director of information management and general administration.
All five still work at ICAO.
The documents obtained by CBC, which are assessment reports that include emails and an “information security incidents summary,” show that a cyberintelligence analyst working for an independent agency known as the Aviation Information Sharing and Analysis Center first flagged the cyberattack on Nov. 22, 2016.
That analyst, Adam Weidmann, contacted ICAO’s information security officer, informing that officer that a hacker had control of two of ICAO’s servers and was using them to spread malware to foreign government websites.
The type of attacker they were dealing with posed “a significant threat to the aviation industry,” Weidmann said.
Since ICAO’s role is to set standards for civil aviation rather than keep planes in the air, the hacker was not likely scheming to disrupt flights or airlines, said Fernandez.
But for the purposes of cyberespionage, “ICAO would be a natural choice,” Fernandez said. “They would have been a one-stop shop for hacking everybody else in the aerospace industry.”
This attack had all the hallmarks of a classic “watering hole” attack, in which hackers find a website that their targets frequent and infect it with malware in order to gain access to those targets.
Within 30 minutes of the hack on ICAO, at least one of the UN agency’s 192 member states, Turkey, had been compromised.
It turned out the attackers had set up a chain of watering holes, which included ICAO’s online store for aviation publications, as well as the Turkish treasury board’s website.
Anyone visiting either site had the potential of becoming infected.
Alarmed, ICAO’s information security officer gave the ICT team until noon on Nov. 23, the day after the discovery of the hack, to get the infected servers offline, and contacted a UN-affiliated IT agency in New York to tell them what had happened.
“Timing is of the essence,” said Ali Arasteh, a cybersecurity consultant at FireEye, which investigates attacks of this nature. “You need to line up all of your organizational resources to abruptly remove the attackers from the net.”
The documents obtained by CBC suggest that wasn’t the case at ICAO. Its ICT team dismissed the expertise of the New York-based UN analysts, handing over data late and in a form that was not usable, and in some cases not bothering to answer emails for days.
On Dec. 5, ICAO’s information security officer, who was co-ordinating the recovery response with investigators, finally sought and obtained the go-ahead to fly in one of the UN analysts for four days. But even when face to face with the ICT team, the documents show, it took three days of repeated requests before the analyst was granted access to the data logs and to the infected servers.
At first, the ICAO attack was thought to be limited to “one severe incident” on two of the organization’s most sensitive servers. But on Dec. 7, the analyst brought in from New York discovered it was more widespread.
ICAO’s webmail server, domain administrator and system administrator accounts were all believed to have been compromised, giving the cyberspy access to past and current passwords of more than 2,000 ICAO users, which would allow the spy to read, send or delete the email of any of those users.
It also meant the hacker could access personnel records of past and current employees, medical records of those who had used ICAO’s health clinic, financial transaction records and the personal information of anyone who had visited the ICAO building or registered on an ICAO website.
Upon the discovery of the more extensive breach, the documents show, ICAO’s information security officer asked that the infected webmail server be decrypted, so that people who may have had their privacy invaded could be identified and advised that their personal information was at risk.
Wan, the ICT team’s boss, rejected that request outright. However, a couple of days later, one of the ICT team did just that, taking an encrypted file home to try to decrypt it.
“He ought to have known that through his actions, he recklessly compromised the security of confidential data,” read one of the documents obtained by CBC.
The same day, the New York-based UN IT analysts were struggling to decrypt the file. They were told by the ICAO ICT team that if they didn’t succeed in doing so by day’s end, they were to delete the file.
However, the New York team did succeed in decrypting it, and what they found further alarmed them.
The file tied the superuser account of one of the ICT team members, the systems infrastructure associate, to the attack.
That could mean that a hacker remotely accessed that superuser account, or it could mean that the superuser himself, the infrastructure associate, was party to the cyberattack: the analysts had no way of knowing which it was.
Despite the suspicions raised about that superuser, he was given the job of validating the New York analysts’ forensic work. That ICT superuser disputed the analysts’ findings, concluding their detection of malware was a “false positive” — in other words, that no malware was to be found.