Cyber Incident Victim: Thai Airways International
Date: Apr 2018
Location: Thailand
Summary
In April 2018, 23 subdomains of Thai Airways International were defaced by an attacker using the alias "Hunter butt" who claimed Pakistani affiliation. The affected hosts included the SMTP mail server, DNS nameservers, the payment platform and the booking service. On each host the attacker replaced the index page with an animated message featuring a Pakistani flag. Because several of the defaced hosts handle customer bookings, payments and mail, the incident raised concern about exposure of sensitive user data, although the source reports no evidence that data was taken. The airline subsequently removed the defaced content and restored its sites.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 23, 2018, a hacker operating under the alias "Hunter butt", who publicly claimed Pakistani affiliation, defaced 23 subdomains under Thai Airways' primary domain. The affected hosts included operationally important components: the SMTP mail server, DNS nameservers, the payment processing platform (epayment.thaiairways.com), the booking system (www.book.thaiairways.com), and several internal development portals. On each host the attacker replaced the legitimate index.html with a defacement page featuring an animated emoji waving a Pakistani flag alongside text claiming the breach. Further defaced hosts included the webmail service (webmail.thaiairways.com), the mobile site (mobile.thaiairways.com), an authentication portal (login.thaiairways.com), and an internal mail system (devtgmail.thaiairways.com). The breadth of that list points to access well beyond a single public website, although the source does not say whether each host was compromised separately or through a shared component such as a common web server, hosting account or DNS record.

The number and role of the affected systems raised concern about exposure of sensitive data, since the defaced hosts handled functions ranging from customer bookings to payment transactions and internal mail. The published defacement list shows the attacker also targeted mail infrastructure (smtp.thaiairways.com, imap.thaiairways.com), a development environment (devsip.thaiairways.com), and the nameservers (ns.thaiairways.com, ns1.thaiairways.com). The attacker recorded the activity by submitting both the defacement pages and the full list of affected Thai Airways subdomains to Zone-H, a long-running public archive of website defacements. Thai Airways' technical teams responded by removing the malicious index.html files and restoring normal functionality across the affected subdomains. Removing a defacement page restores appearance but not necessarily the access path the attacker used, and the article gives no root cause analysis or long-term remediation details. No official statement from Thai Airways regarding data compromise or customer impact was included in the source material at the time of reporting.
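A mass defacement of this kind, where the index page of many hosts under one domain is swapped out, is the sort of change a simple content-baseline monitor catches within minutes. The following is an added example, not code from the source article or from Thai Airways: it keeps a SHA-256 digest of each host's expected landing page, re-hashes what is currently served, and separates a legitimate content update from a page carrying typical defacement indicators. The hostnames are taken from the incident description; the page bodies, the baseline and the "observed" responses are constructed inline so the check runs offline, and the indicator patterns are illustrative assumptions rather than a published signature set.

```python
import hashlib
import re

# Constructed baseline: the page body a monitoring job would have captured
# for each host when it was known-good. The hostnames come from the incident
# description; the HTML is invented for illustration.
BASELINE_PAGES = {
    "www.book.thaiairways.com": "<html><title>Thai Airways - Booking</title><body>Book a flight</body></html>",
    "epayment.thaiairways.com": "<html><title>Thai Airways - ePayment</title><body>Pay for your booking</body></html>",
    "webmail.thaiairways.com": "<html><title>Webmail</title><body>Sign in</body></html>",
}


def sha256_hex(body: str) -> str:
    """Digest of the served page body; stored per host as the baseline."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


# Baseline digests as the monitor would persist them between runs.
BASELINE = {host: sha256_hex(body) for host, body in BASELINE_PAGES.items()}

# Illustrative indicator patterns (assumed, not a published signature set):
# wording common on defacement pages, a reference to the Zone-H archive, and
# the regional-indicator pair that renders as the Pakistani flag emoji.
DEFACEMENT_PATTERNS = [
    re.compile(r"hacked\s+by", re.IGNORECASE),
    re.compile(r"\bowned\s+by\b", re.IGNORECASE),
    re.compile(r"\bzone-h\b", re.IGNORECASE),
    re.compile("\U0001F1F5\U0001F1F0"),
]


def classify(host: str, body: str, baseline: dict) -> dict:
    """Compare one served page against its baseline and label the result.

    unchanged    - digest matches the baseline
    changed      - digest differs but no indicator matched (review as a
                   possible legitimate update; re-baseline if so)
    defaced      - digest differs and at least one indicator matched
    unknown-host - no baseline exists, i.e. a host the monitor never captured
    """
    digest = sha256_hex(body)
    indicators = [p.pattern for p in DEFACEMENT_PATTERNS if p.search(body)]
    expected = baseline.get(host)
    if expected is None:
        status = "unknown-host"
    elif digest == expected:
        status = "unchanged"
    elif indicators:
        status = "defaced"
    else:
        status = "changed"
    return {"host": host, "status": status, "sha256": digest, "indicators": indicators}


def scan(observed: dict, baseline: dict) -> list:
    """Classify every observed host, ordered by hostname for stable reports."""
    return [classify(host, body, baseline) for host, body in sorted(observed.items())]


def hosts_with_status(report: list, status: str) -> list:
    return [entry["host"] for entry in report if entry["status"] == status]


# Constructed "current" responses: one untouched host, one legitimately
# updated host, and one carrying a defacement page in the style described
# in the incident (attacker text plus a flag emoji).
OBSERVED = {
    "www.book.thaiairways.com": BASELINE_PAGES["www.book.thaiairways.com"],
    "webmail.thaiairways.com": "<html><title>Webmail 2.0</title><body>Sign in</body></html>",
    "epayment.thaiairways.com": "<html><body>Hacked By Hunter butt \U0001F1F5\U0001F1F0</body></html>",
}

if __name__ == "__main__":
    for entry in scan(OBSERVED, BASELINE):
        print(f"{entry['host']:32} {entry['status']:13} {entry['sha256'][:12]} {entry['indicators']}")
    print("defaced:", hosts_with_status(scan(OBSERVED, BASELINE), "defaced"))
```

In a real deployment the `OBSERVED` map would be filled by fetching each host over HTTPS, and the `changed` status should feed a re-baseline step after a human confirms the update, so that legitimate releases do not mask a later defacement. The `unknown-host` status is worth alerting on as well: a subdomain list that grows without the monitor knowing is exactly how development portals such as the ones in this incident end up unwatched.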
