Jose

SpiceJet Ransomware Attack - Passengers stranded

Updated: Jun 4, 2022

Who is SpiceJet?


SpiceJet is an Indian budget airline operating 100+ flights daily and flying to 18 cities. According to Business Standard, “As of March 31, 2019, the Company maintained a fleet size of 76 aircraft with which it operated approximately 460 flights per day covering 53 domestic and 9 international destinations.” CEO Ajay Singh has stated that “…only 2% or 3% of India’s population is flying” (India’s population sat at 1.38 billion in 2020). SpiceJet targets the low-to-middle-income segment of the population, the hardworking middle class. However, higher-income flyers also board SpiceJet flights because of the airline’s large fleet (it is the second-largest airline in India).


The Target?


SpiceJet was targeted by a ransomware attack, but what does that mean exactly? A ransomware attack targets computer systems, encrypts files and demands a ransom to decrypt the files (so they are usable again). What systems were targeted by this attack? It is still unclear; based on my research it does not seem like SpiceJet is going to disclose that information to the public. The CyberWire states, “Although SpiceJet Airline was able to contain the recent ransomware attack, the airline is still suffering from flight delays, unavailable booking systems, and no way for customers to contact customer service.” This leads me to believe that the attack targeted their booking system. A SpiceJet spokesman commented, “Certain SpiceJet systems faced an attempted ransomware attack last night that has impacted our flight operations. While our IT team has to a large extent contained and rectified the situation, this has had a cascading effect on our flights leading to delays.”


The headlines state “SpiceJet Ransomware attack”; however, I would think this was some type of DDoS attack on SpiceJet’s internal systems. Bill Toulas of BleepingComputer “confirmed at the time of writing that only the homepage of SpiceJet was working, while most underlying systems and webpages failed to load.” If the systems were restored but access was still restricted, this means the attack is preventing folks from accessing the resources. Maybe this was a combination of both a ransomware and a DDoS attack. All this is speculation, because SpiceJet is clearly downplaying the impact of this attack. A few hours after the attack, SpiceJet stated that “Our IT team has contained and rectified the situation and flights are operating normally now.” SpiceJet then needed to retract that statement by stating, “While our IT team has to a large extent contained and rectified the situation, this has had a cascading effect on our flights leading to delays.” The statement was only retracted because thousands of stranded and delayed folks took to Twitter reporting that systems were still down. SpiceJet is trying to move on as quickly as possible.


What are the consequences?


The ransomware attack they are dealing with now is the second major attack on their systems. In January 2020, SpiceJet confirmed a data breach incident; Business Standard, citing TechCrunch, reported that “a security researcher, who described their actions as 'ethical hacking', gained access to one of the airline's systems by brute-forcing an easily-guessable password.” According to Business Standard, “The database backup file on the system was unencrypted, allowing access to private information of more than 1.2 million passengers last month.”


SpiceJet is now developing a reputation for a weak security posture. This means SpiceJet will have reduced customer confidence (your data is now vulnerable if you have flown with SpiceJet) and is now low-hanging fruit for cyber criminals. It’s safe to assume that all these attack methods have been communicated within the hacker communities. SpiceJet needs to investigate how to improve its security posture and reduce its attack surface immediately.


My Take


I am truly surprised how often these attacks cause large consequences and these large organizations attempt to sweep the problem under the rug. SpiceJet is facing its second attack (they are fortunate the first attack was done for ethical purposes), and it doesn’t seem they took a serious look at their security posture after the first compromise of their database. We have not heard exactly what systems were compromised nor who SpiceJet suspects the attack came from, which leads me to believe that forensics is still underway (I hope). It could also mean that a year from now we still will not have gotten information regarding this attack. The lack of information distributed by SpiceJet is concerning because they are not being transparent with the public, which means it’s safe to assume they are hiding the impact. How should SpiceJet move forward? An overhaul of their security program, with threat modeling of each system, starting with externally accessible systems and focusing on protecting against DDoS and defending against attacks that compromise integrity. SpiceJet should also invest in splitting the IT team and the cyber security team: IT teams should handle operations, and cyber security teams should be focused on security governance.


References


Laura Dobberstein (May 26, 2022). Ransomware grounds some flights at Indian budget airline SpiceJet. Accessed: May 28, 2022.

Business Standard. SpiceJet LTD. (SPICEJET) – Company Information. Accessed: May 28, 2022.

The CyberWire Staff (May 26, 2022). Cheerscrypt described. Twitter settles with FTC over data privacy. Update on SpiceJet's ransomware incident. Accessed: May 28, 2022.

