The Montreal-based UN aviation agency concealed for months a hack on its computers and allowed the malware to spread throughout the airline industry, Canada’s public broadcaster reported Wednesday.
The International Civil Aviation Organization (ICAO) was the victim in November 2016 of the “most serious cyberattack in its history,” Radio-Canada said.
Internal documents obtained by the broadcaster revealed a flawed response to the attack — believed to have been launched by a Chinese hacker group — mired in delays, obstruction and negligence, and attempts by staff to hide their incompetence.
American airplane maker and defense contractor Lockheed Martin was the first to raise concerns, alerting the ICAO that its servers had been hijacked to spread malware to government and airline computers.
In an email to the ICAO, the Lockheed Martin cyberintelligence analyst described the attack as “a significant threat to the aviation industry.” It had the characteristics of a “watering hole attack” that targets visitors to a website.
The UN agency, working with 192 member states and industry groups, is responsible for setting international civil aviation standards, including for safety and security.
The ICAO information technology team reached out to a New York-based IT agency affiliated with the UN to analyze the attack, but then rejected its expertise — not bothering to respond to emails for several days or transmitting unusable data.
It would take a fortnight before an analysis revealed that the intrusion was actually an even bigger problem.
Mail server, domain administrator and system administrator accounts were affected, giving hackers access to the passwords of more than 2,000 ICAO users to read, send or delete emails.
Within 30 minutes of the ICAO hack, the website of at least one member state, Turkey, had been infected.
But the ICAO tech chief continued to downplay the seriousness of the attack.
An independent investigation in 2017 would conclude that the malicious software used in the attack had been identified by ICAO antivirus software a year earlier, but that the computers had still not been disinfected.
The ICAO told AFP it was preparing a statement about the revelations.
In Ottawa, Canadian Transportation Minister Marc Garneau called them “worrying” and said he would discuss them with ICAO boss Fang Liu.