By Gregory Hale
Global aircraft producer Bombardier fell victim to a cybersecurity breach in which an attacker accessed and extracted data by exploiting a vulnerability in a third-party file-transfer application.

Upon learning of the attack, Montreal, Canada-based Bombardier initiated its response protocol and, as part of its investigation, brought in cybersecurity and forensic professionals.

Bombardier was not without security controls, but the attackers were able to exploit the vulnerability to gain entry. Bombardier was, however, able to limit the scope and extent of the incident.

Bombardier did not name the affected application, but the news comes on the heels of the Accellion FTA issues that surfaced this week. Accellion FTA is a web server that companies can use to host and share with customers and employees large files that can’t be sent via email.

Widely Used in ICS
“File Transfer (FTA) solutions, from Accellion and other companies, are widely used in the manufacturing sector,” said Mark Carrigan, chief operating officer at security provider PAS. “They are commonly implemented to transfer information from an OT network to the business network and beyond (as well as for other applications).”

While Accellion took the hit this time, file transfer applications are not the only third-party software that can serve as a potential source of an attack.

“All software applications could expose an attack vector,” Carrigan said. “FTA is particularly concerning in that it is oftentimes used as a conduit to transfer data from a more secure network such as an OT network to a less secure network such as an IT network.”

Upon learning of the attack, Bombardier notified appropriate authorities, including law enforcement, where required and will continue to work with the authorities as the investigation continues, company officials said.

Initial Determination
Forensic analysis revealed that personal and other confidential information relating to employees, customers and suppliers was compromised. Among those affected were 130 employees located in Costa Rica.

In addition, Bombardier said it has been contacting customers and other external stakeholders whose data may have been compromised. Bombardier has locations in 12 countries, including its production/engineering sites and its customer support network. It supports a worldwide fleet of 4,900 aircraft in service with a wide variety of multinational corporations, charter and fractional ownership providers, governments and private individuals.

“The ongoing investigation indicates the unauthorized access was limited solely to data stored on specific servers. Manufacturing and customer support operations have not been impacted or interrupted,” the company said. Bombardier also said the company was not specifically targeted; the vulnerability affected multiple organizations using the application.

In mid-December, a hacking group discovered a zero-day vulnerability in the FTA software and began attacking companies worldwide. Attackers took over systems, installed a web shell, and then stole sensitive data.

Stolen Data
Accellion said 300 of its customers were running FTA servers, around 100 of those were attacked, and data was stolen from around 25.

The attackers then attempted to extort the hacked companies, demanding ransom payments under threat of making the stolen data public, according to a report from security provider Mandiant.

Starting earlier this month, data from FTA customers began appearing on a “leak site” hosted on the dark web, where the Clop ransomware gang usually shames companies that refuse to pay its decryption fees.

Data shared on the site included design documents for various Bombardier airplanes and plane parts, according to reports.

Accellion’s 20-year-old file sharing technology reaches end of life this spring, and the company is recommending its users migrate to kiteworks, Accellion’s up-to-date enterprise content firewall platform.

Mandiant identified UNC2546 as the criminal hacker behind the cyberattacks and data theft involving Accellion’s legacy File Transfer Appliance product. Multiple Accellion FTA customers suffered attacks from UNC2546 and have received extortion emails threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell. Mandiant is tracking the subsequent extortion activity under a separate threat cluster, UNC2582.

Victims of the attacks include Transport for NSW, the leading transport and roads agency in New South Wales, Australia, and grocery and pharmacy chain Kroger.

Third-Party Exposure
Like the SolarWinds attacks reported in December, vulnerabilities or malicious code inserted into third-party software are an issue that is not new but continues to grow.

“This is huge. Third-party large-scale software supply chain types of attacks are a major concern for the industrial environment,” said Sergio Caltagirone, vice president of threat intelligence at Dragos. “They always have been because asset owners and operators pay companies to manage their industrial environment. So, they have always been exposed to third-party risks and it is just growing. I think the issue is there is a difference between the risk manager and the risk owner. In this case, the risk manager is the vendor because they are writing the software, and controlling access to the products. The customers own the risk. When you see a separation between the risk manager and the risk owner that is when you see strategic and systematic risks like this that expose huge swaths of the industry to these problems.”

While it is easy to react only to this particular FTA attack, when it comes to software, manufacturers should focus on the bigger picture.

“We recommend you not focus on just FTA applications, but all other software applications on an OT network,” Carrigan said. “This starts with collecting a comprehensive OT inventory – software, hardware, and firmware – discovering vulnerabilities, and implementing a strategy to remediate vulnerabilities that pose the greatest risk. Based upon analysis of hundreds of sites, vulnerabilities are common in the OT network and all of them cannot be eliminated due to compatibility and system reliability constraints. It is important to take a risk-based approach to remediate the vulnerabilities that are the greatest threat to the business.

“A good place to start is once you have the inventory list, review for applications that could potentially be removed that will not affect operations. OT networks have been built out over a long period of time, with many applications added throughout the years. A careful examination often finds applications that were added many years ago that currently have limited, or no use at all. Removing these applications can have a dramatic effect on risk reduction,” Carrigan said.
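The workflow Carrigan describes (inventory, discover vulnerabilities, prioritise by risk, then flag unused applications for removal) can be put into a simple script. This is an added example, not code from the article or from PAS; the inventory records, the CVSS scores, the dates and the weighting of OT-to-IT conduit applications are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class OtApp:
    name: str
    host: str
    zone: str                 # "OT", "DMZ" or "IT" (assumed zone labels)
    crosses_to_it: bool       # conduit from the OT network to IT, like an FTA
    last_used: Optional[date] # None = no recorded use at all
    cvss_scores: List[float] = field(default_factory=list)  # unpatched findings

def exposure_weight(app: OtApp) -> float:
    # Assumed weighting: applications that bridge the OT/IT trust boundary
    # or sit in the DMZ are reachable from less trusted networks.
    weight = 1.0
    if app.crosses_to_it:
        weight += 1.0
    if app.zone == "DMZ":
        weight += 0.5
    return weight

def risk_score(app: OtApp) -> float:
    # Worst known vulnerability scaled by how exposed the application is.
    if not app.cvss_scores:
        return 0.0
    return round(max(app.cvss_scores) * exposure_weight(app), 1)

def prioritise(apps: List[OtApp]) -> List[OtApp]:
    # Remediation order: highest risk first.
    return sorted(apps, key=risk_score, reverse=True)

def removal_candidates(apps: List[OtApp], today: date, unused_days: int = 365) -> List[str]:
    # Applications with no recorded use, or none within the window, are
    # candidates for removal review (reduces attack surface outright).
    out = []
    for app in apps:
        if app.last_used is None or (today - app.last_used).days > unused_days:
            out.append(app.name)
    return out

# Constructed sample inventory (not real hosts or findings).
TODAY = date(2021, 2, 24)
INVENTORY = [
    OtApp("file-transfer-appliance", "dmz-fta-01", "DMZ", True, date(2021, 2, 20), [9.8]),
    OtApp("historian", "ot-hist-01", "OT", False, date(2021, 2, 22), [7.5, 5.3]),
    OtApp("legacy-reporting-tool", "ot-rpt-02", "OT", True, None, [6.5]),
    OtApp("hmi-viewer", "ot-hmi-07", "OT", False, date(2019, 1, 10), []),
]
```

Running `prioritise(INVENTORY)` puts the conduit appliance first, and `removal_candidates(INVENTORY, TODAY)` flags the two applications with no recent use for review.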

These kinds of attacks appear to be on the rise, so companies need to remain informed in order to keep improving their security posture.

“Companies should realize that while their cybersecurity strategies to prevent infiltration are important, they should assume those strategies will not be effective against a determined, well funded adversary,” Carrigan said. “It is far more likely it is a matter of when, not if, hackers will gain access to their networks. Companies should increase their investments in business resiliency and recovery to minimize the impact of such infiltrations and ensure they can restore their business processes.”