It sounds like an air traveler’s nightmare: a sophisticated software attack that allows hackers to access internal airport computer systems and manipulate data as if they were authorized employees. Yet that is what happened two weeks ago, according to Boston digital security firm Trusteer, which says it uncovered malware hidden in the private network of a major non-U.S. international airport. The company says the threat could have compromised everything from employees’ personal information to the safety of passengers.
“This was potentially very dangerous, but we don’t know whether the attacker group was targeting the financial system of the airport for economic gain or if the attack was terrorism-related,” says George Tubin, a senior security strategist for Trusteer, which declined to specify the airport that had been targeted, citing security concerns and an ongoing investigation. “They could have been trying to access critical infrastructure—possibly air-traffic control systems and even the air-conditioning ducts on planes. Or they might have been looking at the hiring process, to see if they could get someone in there to work as an employee.”
The airport VPN was immediately disconnected after officials there were made aware of the breach, and authorities are investigating, Tubin says. A spokesman for the U.S. Transportation Security Administration, Dave Castelveter, says his agency was made aware of the breach by Bloomberg Businessweek’s inquiries but declined to comment further, citing a policy of not discussing security protocol.
Tubin says the breach was discovered during a routine security sweep of the 30 million PCs protected by Trusteer’s software. The attack used Citadel Trojan malware—which computer users can unknowingly install simply by clicking on a Web link—to read the screens of employees who logged in remotely to the airport’s virtual private network (VPN). It also allowed the cybercriminals to capture the username, password, and one-time passcode of the victims with a form-grabbing technology, according to Trusteer. With an employee’s credentials in hand, the hackers would have had access to the airport’s computer systems to the full extent that the worker’s account permitted.
Many businesses use VPNs to provide outside workers with access to secure data. Incursions on these networks often involve advanced “Man in the Browser” (MiB) malware such as the Citadel, Zeus, and SpyEye programs. Infections of this sort can be hard to recognize, and in many cases the hacker can peruse all the victim’s files and communications without leaving any trace of activity, Tubin says. Historically, MiB programs have been used to acquire financial information from banks and other money-management companies, but in recent years other types of businesses have been targeted.
“We’ve seen this before, although it’s not very frequent,” says Tubin, who views this latest episode as evidence of how the government and private sector have been fighting a losing battle against increasingly sophisticated cybercriminals. “Frankly, it’s way too easy for hackers to get employee credentials and exploit them. For the most part, industry is not doing a very good job protecting against these kinds of threats.”
Trusteer’s announcement came a day after it released a new product designed to protect users of Citrix software programs from malware and other advanced cyberthreats. Tubin says the news of the airport breach and Trusteer’s new product was a “complete coincidence” and that the software’s release date had been planned long before the airport threat emerged.