November 21, 2022

Daixin Team claims AirAsia ransomware attack with five million customer records leaked

The airline may have been hit by an attack from a notorious gang that has come under scrutiny from the FBI in recent months.

By Ryan Morrison

AirAsia has apparently fallen victim to a major ransomware attack by the Daixin Team gang that has seen more than five million records, alleged to be from customers and staff, exposed online.

Hackers claim to have stolen five million records from AirAsia including personal details of both staff and passengers. (Photo: Semachkovsky/Shutterstock)

AirAsia is the largest airline in Malaysia. It has some 22,000 employees from 60 nationalities and is based in Kuala Lumpur, from where it operates both domestically and to more than 165 destinations worldwide.

Details of AirAsia ransomware attack revealed

The attack was first reported on Twitter by security researcher Soufiane Tahiri, who shared screenshots taken from a listing on Daixin Team's dark web website. The claim has not been verified or confirmed by AirAsia. Tech Monitor has approached the company for comment.

The attack is said to have taken place on 11 and 12 November, and the Daixin Team has shared two spreadsheets showing what appears to be personal information from passengers and staff of the airline, including date of birth, country of birth, place of origin, date of employment for employees and the "secret question and answer" used to secure accounts.

The group says it shared a sample of the data with AirAsia after encrypting its database and demanding an undisclosed fee to unlock it and explain how it was able to get into the network.

Daixin Team said it avoided locking up critical files related to flying equipment, in keeping with its stated policy of not encrypting or destroying anything that could be life-threatening, but it did completely lock out access to staff and passenger records until payment is made.

A spokesperson for the ransomware gang told DataBreaches that they would typically have locked more of the network and gathered more data but the AirAsia data infrastructure was “chaotic” and would require too much time to sift through.


“The internal network was configured without any rules and as a result worked very poorly. It seemed that every new system administrator “built his shed next to the old building.” At the same time, the network protection was very, very weak,” they said.

Daixin Team could launch future attacks

As well as leaking the passenger and employee data on its dark web website, Daixin says it plans to publish details on the AirAsia network including backdoors that would allow other hackers to access the network. It made this decision after it became clear AirAsia wasn’t planning to pay the ransom.

Providing access to and details of flaws in the network on open hacker forums would potentially leave it open to more malicious groups who may not leave flight hardware untouched. The spokesperson added that the group claimed full responsibility for any future negative consequences caused by its actions.

Daixin Team was the subject of a joint Cybersecurity Advisory notice by the FBI and CISA in the US, saying it has been actively targeting US businesses in the past few months including in the health and public care sectors.

According to the CISA “The Daixin Team has deployed ransomware to encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services, and intranet services, and exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid.”

According to the advisory, the group gains initial access through a VPN, exploits unpatched vulnerabilities to take hold of the network and then moves laterally through it via Secure Shell (SSH) and Remote Desktop Protocol (RDP).
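The VPN-then-SSH/RDP pattern described above is something defenders can look for in their own logs. The following detection logic is an added example, not code from the article or from CISA: it correlates a VPN address assignment with subsequent SSH and RDP logons from that address and flags any VPN-assigned host that fans out to several internal machines within a short window. The log formats, the sample lines and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed formats): VPN assignment, Linux sshd
# accepted logons, and Windows event 4624 with LogonType 10 (RDP).
SAMPLE_LOGS = [
    "2022-11-11T01:02:10 vpn: user jdoe assigned 10.8.0.25",
    "2022-11-11T01:05:00 sshd: Accepted password for root from 10.8.0.25 port 51234 host db01",
    "2022-11-11T01:06:30 sshd: Accepted password for root from 10.8.0.25 port 51240 host db02",
    "2022-11-11T01:08:12 win4624: LogonType=10 SourceIp=10.8.0.25 Host=fs01",
    "2022-11-11T01:09:45 win4624: LogonType=10 SourceIp=10.8.0.25 Host=hr01",
    "2022-11-11T09:00:00 sshd: Accepted publickey for ops from 10.1.1.5 port 40000 host db01",
]

VPN_RE = re.compile(r"^(\S+) vpn: user (\S+) assigned (\S+)$")
SSH_RE = re.compile(r"^(\S+) sshd: Accepted \S+ for \S+ from (\S+) port \d+ host (\S+)$")
RDP_RE = re.compile(r"^(\S+) win4624: LogonType=10 SourceIp=(\S+) Host=(\S+)$")

def parse(lines):
    """Yield (timestamp, kind, src_ip, detail); kind is 'vpn', 'ssh' or 'rdp'."""
    for line in lines:
        if m := VPN_RE.match(line):
            yield datetime.fromisoformat(m[1]), "vpn", m[3], m[2]   # detail = VPN user
        elif m := SSH_RE.match(line):
            yield datetime.fromisoformat(m[1]), "ssh", m[2], m[3]   # detail = target host
        elif m := RDP_RE.match(line):
            yield datetime.fromisoformat(m[1]), "rdp", m[2], m[3]   # detail = target host

def detect_fanout(lines, window=timedelta(hours=1), min_hosts=3):
    """Return {src_ip: sorted target hosts} for VPN-assigned addresses that opened
    SSH or RDP sessions to at least min_hosts distinct hosts inside one window."""
    vpn_ips = set()
    logons = defaultdict(list)          # src_ip -> [(timestamp, target host)]
    for ts, kind, src, detail in sorted(parse(lines)):
        if kind == "vpn":
            vpn_ips.add(src)
        else:
            logons[src].append((ts, detail))
    alerts = {}
    for src in vpn_ips & set(logons):   # only addresses handed out by the VPN
        events = logons[src]
        for i, (start, _) in enumerate(events):   # slide the window over each start point
            hosts = {host for ts, host in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    print(detect_fanout(SAMPLE_LOGS))   # flags 10.8.0.25, ignores the non-VPN 10.1.1.5
```

The non-VPN source 10.1.1.5 is deliberately left unflagged so that routine admin SSH does not alert; raise min_hosts or shrink the window to suit the environment.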
