A group of China-linked hackers that has mowed through the databanks of major American health insurers and stolen personnel records of U.S. military and intelligence agencies has struck at the heart of the nation’s air-travel system, say people familiar with investigations of the attacks.
Sabre Corp., which processes reservations for hundreds of airlines and thousands of hotels, confirmed that its systems were breached recently, while American Airlines Group Inc., the world’s biggest carrier, said it is investigating whether hackers had entered its computers.
Both companies were hacked as part of the same wave of attacks that targeted insurer Anthem Inc. and the U.S. government’s personnel office, according to three people with knowledge of the cybersecurity probes. The investigators have tied those incursions to the same China-backed hackers, an assessment shared by U.S. officials, the people said.
The latest incidents, which haven’t previously been reported, are the broadest yet on the U.S. travel industry, emerging a week after security experts attributed an attack on United Airlines, the world’s second-largest carrier, to the same group.
The plundered information would add to a trove already believed to include personal and employment details from background checks on millions of government employees and contractors, as well as medical histories. A foreign government could use the data to build profiles of U.S. officials and contractors, establishing information that could be used to blackmail them into providing intelligence. A government could also track the travel of U.S. officials and workers to detect military or intelligence operations, or compare their movements with those of its own citizens.
A Billion Actions
Sabre, one of the largest clearinghouses for travel reservations, is a potentially rich target for state-sponsored hacks because of the company’s role as a central repository of what it says are records on more than a billion travelers per year across the globe.
American is investigating whether hackers moved from Sabre’s systems into its own computers, two of the people familiar with the examination said. The carrier shares some network infrastructure with Sabre, a onetime subsidiary that it spun off as a separate company in 2000. American and Sabre began contracting with outside experts to conduct the probe within the last month, said the people with knowledge of the inquiry.
The American and Sabre incidents are consistent with the hacks of the U.S. Office of Personnel Management, the people familiar with the probe said. American was provided with Internet Protocol addresses used by the OPM hackers, which matched activity found in the carrier’s computer logs, one person said.
American spokesman Casey Norton said the Fort Worth, Texas-based airline is looking into the possibility that hackers entered its systems but hasn’t confirmed an intrusion. “Based on our deep and extensive investigations with the help of outside cybersecurity experts, American has found no evidence that our systems or network have experienced a breach like those at OPM or Anthem,” he said.
“We are working closely with our partners to further investigate,” Norton said, adding that the company takes cyber threats seriously and goes “above and beyond any notification requirements.”
Sabre said it had “recently learned of a cybersecurity incident” and was investigating but couldn’t say what data may have been stolen or who it believed was responsible.
“We are not aware that this incident has compromised sensitive protected information, such as credit card data or personally identifiable information, but our investigation is ongoing,” Sabre said in a statement.
The OPM link, if confirmed, would add two more big names to a ballooning list of victims. In the case of United, the hackers plundered its databanks for several months based on the compiled data of the malware found in the airline’s system, according to a person familiar with the matter.
Before the disclosures about United, American and Sabre, cybersecurity firm FireEye Inc. said the same China-tied group responsible for the OPM breach had hit about 10 victims since 2013.
“They’re doing this in large numbers -- that’s why they’re so successful,” said Tony Lawrence, chief executive officer of VOR Technology, a Columbia, Maryland-based cybersecurity firm that works with U.S. defense agencies.
‘Bullies of Cyberspace’
“The Chinese are what I would call the bullies of cyberspace: Everybody knows what they’re doing, but nobody can stop them,” Lawrence said. “These state actors, their job is to gather intelligence on other nations.”
Zhu Haiquan, a spokesman for the Chinese embassy in Washington, called any accusation of his country’s involvement in hacking “unfounded” and “counterproductive.” He said: “The Chinese government and the personnel in its institutions never engage in any form of cyberattack. We firmly oppose and combat all forms of cyberattacks.”
The fingerprints that hackers leave behind often don’t line up exactly from breach to breach, as attackers customize tools and techniques to a target’s network. Enough of the indicators lined up in the American and Sabre breaches to lead to the conclusion that the attacks were the work of the same group that struck OPM, Anthem and United, the people familiar with those incidents said.
The incursion on Sabre, of Southlake, Texas, risks exposing data that could link millions of flight records to hotel bookings and car rentals. That follows years of repeated attacks on the systems of contractors working with the U.S. Transportation Command, which coordinates logistics such as the delivery of weaponry for the U.S. military.
A report last year from the Senate Armed Services Committee documented at least 50 successful hacks of the command’s contractors from June 2012 through May 2013.
The hacking crew’s biggest quarry so far may have been the theft from OPM of data from background checks on potentially every person reviewed by the government personnel office for the past 15 years.
The stolen personnel records on 22 million people include hundreds of pages of files on job applicants, exposing mental-health conditions, sexual histories and other information on people in the government and private sector.
Director of National Intelligence James Clapper in June called China “the leading suspect.”
Another big jackpot for the hackers has been the break-in at Anthem, the second-biggest U.S. health insurer by market value. Among the data stolen were Social Security numbers and other information on more than 80 million customers.
The main goal of that attack, according to one of the people familiar with the matter, appeared to be a previously unreported effort to access the network of National Government Services, an Anthem subsidiary that processes health-care claims for U.S. government workers, including the Defense Department’s Defense Health Agency.
Jill Becher, a spokeswoman for Anthem, said the company has no evidence that there was any attempt to access the National Government Services network or that the subsidiary was the focus of a cyberattack.
The latest attacks show that companies need stronger protection for customer data, said Brendan Conlon, who worked in computer network operations with the National Security Agency, including at its hacking unit.
“It doesn’t take a tremendous amount of resources to conduct these sorts of operations,” said Conlon, who’s now CEO of cybersecurity firm Vahna Inc. “You’re talking five or six people tops, less than $1 million in development for the tools themselves per operation. It’s definitely an asymmetric kind of thing. There needs to be a drive to increase the costs for the adversary.”