EXCLUSIVE: Chinese Hackers Sold Delta Air Lines Vulnerabilities on Black Market

Computer systems of Delta Air Lines Inc. have suffered a “glitch” that is causing flight delays on the airline globally. While the cause of the delays is still unclear, a group of cybercriminals was recently selling vulnerabilities of major airlines on the black market.

On Jan. 3, cybercriminals on a darknet black market run by Chinese state hackers published an advertisement for information and vulnerabilities in a long list of major airlines that included Delta Air Lines, United Airlines, Japan Airlines, FedEx, and others.

The advertisement was under the “Air Attacks Infrastructure” category, under the premium section of the online black market run by hackers who call themselves “Babylon APT.” The darknet is a large section of the internet accessible only by using specialized software, and while it has many benign uses, it is also home to several black markets.

The screenshot of the post was provided to Epoch Times several weeks ago by darknet researcher Ed Alexander, who runs the world’s largest known team of darknet cybercrime undercover investigators.

Alexander confirmed that the full list of airlines included Delta Airlines, but he noted this doesn’t necessarily mean the current outage is tied to the vulnerability posted for sale by the cybercriminals. “That is not to say that Babylon is not a part of it, but they certainly had some level of access,” he said. 

The Babylon APT marketplace is run by Chinese military hackers who use it to resell information and access to critical networks after finishing contract cyberattacks under the Chinese regime. The hackers also offer mercenary cyberattacks on critical infrastructure, businesses, or personal networks. Their clients include foreign governments and organized gangs of cybercriminals.

According to Alexander, it’s not uncommon to see cybercriminals selling access to airline systems on black marketplaces. He said, “Airline systems are so antiquated that they’re pretty easy to get into.”

Common targets in airline breaches are personal information, credit card information, and mass information on airline systems. He also said some cybercriminals have interest in manipulating airline rewards miles for financial gain.

He pointed to darknet posts by a cybercriminal in early 2015 that advertised the sale of “a package of 30 vulnerabilities in different organizations, most of them banks and some airlines.” The individual posted the advertisements on the now defunct “Hell,” “Evolution,” and “Nucleus” black markets on the darknet. An archived copy of the advertisement states, “The vulnerability gives access to the organization’s databases, where you can explore/go deep if you wish to.”

Alexander also pointed to chat logs and video evidence he previously provided to Epoch Times on a cybercriminal who calls himself “Detox Ransome,” known for holding systems belonging to cybersecurity company Bitdefender for ransom in July 2015, and who hacked a service connected to the Democratic National Committee called Rogue Global Solutions in September 2015.

The chat logs include a part where Detox Ransome says he breached a major airline and hotel chain, and tells an undercover darknet investigator that he planned to sell the information to jihadis.