It is for the most part unreasonable to kick a man when he is down. But some situations call for it, and that is certainly the case with AirAsia.
Yes, it just got victimised by ransomware. But it nonetheless needs to be called out—nay, punished—for (a) the seemingly cavalier way it handled the alleged attack and (b) its purportedly subpar security to begin with.
For those still unaware, AirAsia was recently hit by ransomware, with the personal records of an estimated five million passengers and employees allegedly compromised in the breach. Daixin Team, a notorious hacker group, claimed responsibility for the attack, which is said to have occurred on the 11th and 12th of November but was reported by AirAsia only on the 20th of November.
AirAsia representatives supposedly got in touch with the Daixin Team and asked for proof of the hack, in what presumably was an initial attempt at negotiating with the hacking group. The Daixin Team responded in kind, furnishing the airline with two .csv files listing sensitive information, such as the full names and IDs of passengers (in the first file) and the pictures, nationalities, dates of birth and hire dates of AirAsia employees (in the second file).
Upon receipt of said .csv files, AirAsia reportedly stopped communicating with the Daixin Team, very likely an indication that it did not intend to pay the ransom after all. Whether that was the plan all along or a sharp U-turn is yet to be determined. Both possibilities are plausible, including the latter, in which AirAsia might have considered paying the ransom at first but did an about-face later on.
“It’s important to know that, under normal circumstances, such claims are impossible to verify without buying the actual stolen data. Paying the thieves is not only controversial and unethical but may also be illegal in some countries,” noted Victor Chebyshev, Lead Security Researcher at Kaspersky GReAT. “We do not do that and recommend others not to explore this avenue. Yet, it leaves us in the dark regarding how real such claims are. The best way is to wait for the results of a thorough investigation from the attacked organisation.”
AirAsia’s abrupt silence might be its undoing, as the Daixin Team has vowed to publish on its dedicated leak site not only the data it has exfiltrated but also the backdoors it exploited—for free. This is most certainly bad news for those whose data will be exposed to nefarious actors.
“Once this data ends up in untrustworthy hands, fraudsters might launch various types of attacks from spam calls to voice phishing. Privacy risks are another major concern,” added Chebyshev. “For a cybercriminal, having a potential victim’s phone number significantly increases the opportunity of a successful attack, since most online services require entering a phone number along with other personal data: name, email address, and sometimes card details. Doxing, cyberbullying, blackmailing and extortion are among potential cyber threats victims might face.”
That is unfortunate, to say the least. But, on the bright side, the infamous hacking group has vowed to never again attack AirAsia because the airline, evidently, is not worth the trouble. In fact, if reports are true, the Daixin Team got annoyed at AirAsia’s flimsy network security—or perhaps the complete lack of it.
“The poor organisation on AirAsia Group’s network spared the company further attacks,” boasted a Daixin spokesperson. “The chaotic organisation of the network, the absence of any standards, caused the irritation of the group and a complete unwillingness to repeat the attack. The group refused to pick through the garbage for a long time. As our pentester said, ‘Let the newcomers sort this trash, they have a lot of time.’”
Added the spokesperson: “The internal network was configured without any rules and as a result worked very poorly. It seemed that every new system administrator ‘built his shed next to the old building.’ At the same time, the network protection was very, very weak.”
That the Daixin Team will no longer be a repeat offender is no cause for celebration. Neither is it a reason to rest easy. On the contrary, this whole incident should sound the alarm and open eyes to what might be an unfortunate reality: that Malaysia’s biggest airline, at least in terms of fleet size and destinations, might also have the biggest flaws in cybersecurity. A catch-22 of sorts, but one that cannot be ignored.
“In this particular case, AirAsia, like many other organisations that are hit by a ransomware attack, faced a no-win situation. The options on the table were to either ignore the ransom demand, rebuild and restore compromised systems from backups and pray that the threat actor doesn’t leak or sell the organisation’s sensitive data, or pay the ransom to obtain the decryption key from the attackers,” noted Eric Nagel, General Manager at Cybereason, APAC. “AirAsia chose the former, which is in line with Cybereason’s view that it does not pay to pay. So, this is a courageous stance by AirAsia. But the fundamental issue still remains.”
That fundamental issue is the gaping chasm in AirAsia’s security posture. And now, it has been exposed.
“Hackers and cybercriminals are not the biggest problems in cybersecurity today. It is actually the gap found between cybersecurity, IT and business entities within an organisation—as is the case with AirAsia and mentioned by the Daixin group itself,” Nagel further pointed out. “The control deficiencies operated by multiple stakeholders (IT, OT, DevOps, Shadow IT), within a complex business environment, have provided opportunities for threat actors to compromise data or create disruptions for business-critical operations.”
The proverbial rot is now in the wood, and it is up to AirAsia to take ownership of this mess—for its sake and for that of its passengers and staff. Put simply, the airline needs to fix its security flaws, and it needs to do so at the soonest possible opportunity.
It might be that AirAsia is working on those gaps right about now, but are these efforts even enough? Will the company actually address these flaws adequately, given how daunting that might prove?
“AirAsia will still need to deal with the fallout of leaked customer and staff data. A review of their technology stack and cyber capabilities and upskilled human capital is the only way to significantly improve their security posture,” said Nagel. “Otherwise, we will be seeing them in the news again. The cost of these hits is far greater than the cost of efficient and effective cyber solutions readily available in the market.”
This is where the “kicking a man while he’s down” analogy comes into play. AirAsia is reeling from a ransomware attack and its reputation has been smeared. Some compassion is warranted, sure, but that does not mean the airline should be treated with kid gloves. The government and stakeholders need to come down hard on AirAsia and sanction it to the full extent of the law. Next, they need to make sure the airline is doing its part, now and every day from this point forward.
That is the best course of action. That is the only way.