The hackers who stole data on tens of millions of U.S. insurance holders and government employees in recent months breached another big target at around the same time -- United Airlines.
United, the world’s second-largest airline, detected an incursion into its computer systems in May or early June, said several people familiar with the probe. According to three of these people, investigators working with the carrier have linked the attack to a group of China-backed hackers they say are behind several other large heists -- including the theft of security-clearance records from the U.S. Office of Personnel Management and medical data from health insurer Anthem Inc.
The previously unreported United breach raises the possibility that the hackers now have data on the movements of millions of Americans, adding airlines to a growing list of strategic U.S. industries and institutions that have been compromised. Among the cache of data stolen from United are manifests -- which include information on flights’ passengers, origins and destinations -- according to one person familiar with the carrier’s investigation.
It’s increasingly clear, security experts say, that China’s intelligence apparatus is amassing a vast database. Files stolen from the federal personnel office by this one China-based group could allow the hackers to identify Americans who work in defense and intelligence, including those on the payrolls of contractors. U.S. officials believe the group has links to the Chinese government, people familiar with the matter have said.
That data could be cross-referenced with stolen medical and financial records, revealing possible avenues for blackmailing or recruiting people who have security clearances. In all, the China-backed team has hacked at least 10 companies and organizations, which include other travel providers and health insurers, says security firm FireEye Inc.
The theft of airline records potentially offers another layer of information that would allow China to chart the travel patterns of specific government or military officials.
United is one of the biggest contractors with the U.S. government among the airlines, making it a rich depository of data on the travel of American officials, military personnel and contractors. The hackers could match international flights by Chinese officials or industrialists with trips taken by U.S. personnel to the same cities at the same time, said James Lewis, a senior fellow in cybersecurity at the Center for Strategic and International Studies in Washington.
“You’re suspicious of some guy; you happen to notice that he flew to Papua New Guinea on June 23 and now you can see that the Americans have flown there on June 22 or 23,” Lewis said. “If you’re China, you’re looking for those things that will give you a better picture of what the other side is up to.”
The timing of the United breach also raises questions about whether it’s linked to computer faults that stranded thousands of the airline’s passengers in two incidents over the past couple of months. Two additional people close to the probe, who like the others asked not to be identified when discussing the investigation, say the carrier has found no connection between the hack and a July 8 systems failure that halted flights for two hours. They didn’t rule out a possible, tangential connection to an outage on June 2.
Luke Punzenberger, a spokesman for Chicago-based United, a unit of United Continental Holdings Inc., declined to comment on the breach investigation.
Zhu Haiquan, a spokesman for the Chinese embassy in Washington, said in a statement: “The Chinese government and the personnel in its institutions never engage in any form of cyberattack. We firmly oppose and combat any forms of cyberattacks.”
United may have gotten help identifying the breach from U.S. investigators working on the OPM hack. The China-backed hackers that cybersecurity experts have linked to that attack have embedded the name of targets in web domains, phishing e-mails and other attack infrastructure, according to one of the people familiar with the investigation.
In May, the OPM investigators began drawing up a list of possible victims in the private sector and provided the companies with digital signatures that would indicate their systems had been breached. United Airlines was on that list.
In contrast to the theft of health records or financial data, the breach of airlines raises concerns of schedule disruptions or transportation gridlock. Mistakes by hackers or defenders could bring down sensitive systems that control the movement of millions of passengers annually in the U.S. and internationally.
Even if their main goal was data theft, state-sponsored hackers might seek to preserve access to airline computers for later use in more disruptive attacks, according to security experts. One of the chief tasks of the investigators in the United breach is ensuring that the hackers have no hidden backdoors that could be used to re-enter the carrier’s computer systems later, one of the people familiar with the probe said.
United spokesman Punzenberger said the company remains “vigilant in protecting against unauthorized access” and is focused on protecting its customers’ personal information.
There is evidence the hackers were in the carrier’s network for months. One web domain apparently set up for the attack -- UNITED-AIRLINES.NET -- was established in April 2014. The domain was registered by a James Rhodes, who provided an address in American Samoa.
James Rhodes is also the alias of the character War Machine in Marvel Comics’ Iron Man. Security companies tracking the OPM hackers say they often use Marvel comic book references as a way to “sign” their attack.
This isn’t the first time such an attack has been documented. Chinese military hackers have repeatedly targeted the U.S. Transportation Command, the Pentagon agency that coordinates defense logistics and travel.
A report last year from the Senate Armed Services Committee documented at least 50 successful hacks of the command’s contractors from June 2012 through May 2013. Hacks against the agency’s contractors have led to the theft of flight plans, shipping routes and other data from organizations working with the military, according to the report.
“The Chinese have been trying to get flight information from the government; now it looks as if they’re trying to do the same in the commercial sector,” said Tony Lawrence, a former Army sergeant and founder and chief executive officer of VOR Technology, a Columbia, Maryland-based cybersecurity firm.
It’s unclear whether United is considering notifying customers that data may have been compromised. Punzenberger said United “would abide by notification requirements if a situation warranted” it.
The airline is still trying to determine exactly which data was removed from the network, said two of the people familiar with the probe. That assessment took months in the OPM case, which was discovered in April and made public in June.
Besides passenger lists and other flight-related data, the hackers may also have taken information related to United’s mergers and acquisitions strategy, one of the people familiar with the investigation said.
Flight manifests usually contain the names and birthdates of passengers, but even if those files were taken, experts say that would be unlikely to trigger disclosure requirements in any of the 47 states with breach-notification laws.
Those disclosure laws are widely seen as outdated. The theft by hackers of corporate secrets usually goes unreported, while the stealing of customer records such as Social Security numbers and credit cards is required in most states.
“In most states, this is not going to trigger a notification,” said Srini Subramanian, state government leader for Deloitte cyber risk services.