The International Civil Aviation Organization (ICAO) was a victim of a large-scale cyberattack back in 2016. Indeed, in November of that year, a cyber-intelligence analyst at Lockheed Martin contacted the international organization after finding that cybercriminals took control of two of its servers.

The ICAO had been targeted by a watering hole attack, where a cyberattacker uses an exploit on a website frequented by the intended target. The analyst at Lockheed Martin emphasized that this attack could represent a "significant threat to the aviation industry."

This cyberattack has been linked to the APT LuckyMouse group, also known as Emissary Panda, APT27, and Bronze Union.

Following on from speaking to Lockheed Martin, the ICAO mandated an external analyst to evaluate the attack. Preliminary analysis by Secureworks revealed deeper problems. This analysis, as reported by Radio-Canada (article in French), indicated that the attack went beyond the incident initially noted on two servers of the organization, and that the attack also affected "the accounts of the mail servers, domain administrator and system administrator".

In the weeks following the attack, the e-mail account of an ICAO delegate was also compromised by hackers for sending messages; however, the media reports on the attack do not indicate if both incidents are linked.

Some issues with the communication and cooperation within the international organization seem to have led to delays in the thorough analysis of the attack by Secureworks, including the deciphering of an infected mail server, an important step in warning users whose security and data may have been compromised.

Once this server was decrypted, analysts were able to link this attack to an internal account in the organization. However, it is impossible to determine if this account was compromised by the attack.

LuckyMouse

According to ESET malware researcher Matthieu Faou, LuckyMouse specializes in watering hole attacks, "this APT group scans the Web for vulnerable servers. These affected servers may allow it to compromise new victims later."

The expert adds that LuckyMouse uses various tools to reach its victims, who often are located in Central Asia and the Middle East. "In addition to using generic tools relatively accessible on the Web, the group has developed tools of its own, including a rootkit. Last year, they stole a digital certificate belonging to a legitimate company, used to sign its rootkit."

According to José Fernandez, cybersecurity expert and professor at Polytechnique Montréal, "ICAO is a natural choice", for the purpose of cyber-espionage, a type of campaign with which LuckyMouse is often associated. "The agency thus becoming a one-stop shop for the hacking of all other players in the aerospace industry."

Anthony Philbin, ICAO's chief of communications, reassured the public following the revelations surrounding this cyberattack. He stated, following the CBC report, "We are not aware of the serious cyber security consequences for the external partners that would have resulted from this incident ...", adding that since the attack, "ICAO has made significant improvements to its cybersecurity framework and approaches to mitigate other incidents."

In any case, this incident underlines the importance of a quick and coordinated response when an organization faces a cyberattack. Developing a cybersecurity incident response plan must now be at the heart of any organization's overall security planning. This is especially true for large targets, but it is an exercise that any business should undergo.