Cyber Incident Victim: Pakistan International Airlines
Date: Nov 2020
Location: Pakistan
Summary
A threat actor offered domain administrator access to Pakistan International Airlines' network for sale on multiple underground forums, pricing it at $4,000 while announcing intentions to sell databases containing passenger names, phone numbers, and passport details. The actor, monitored by researchers since mid-2020, historically monetized both network access and stolen data, having previously sold 38 corporate accesses totaling over $118,000. This incident potentially represented a repeated compromise of the airline's systems following prior breaches.
Description
On November 10, 2020, dark net threat intelligence firm KELA identified a threat actor advertising domain administrator access to Pakistan International Airlines’ (PIA) network for $4,000 on underground cybercrime forums. The actor promoted this access on two Russian-language forums and one English-language forum, targeting potential buyers seeking unauthorized entry to critical infrastructure. Alongside network access, the actor announced intentions to sell all databases within PIA’s systems, which reportedly contained sensitive personal information including passenger names, contact numbers, and passport details. KELA’s researchers confirmed the actor’s activity spanned multiple platforms frequented by malicious hackers, indicating a coordinated effort to monetize the compromised access. The listing did not specify the exact timeframe of the network breach or the methods used to gain domain admin privileges. No immediate evidence confirmed whether the access was sold or whether data exfiltration occurred beyond the actor’s claims.

KELA had monitored this threat actor since July 2020, documenting their sale of 38 network accesses across various organizations, generating at least $118,700 in illicit revenue. The actor employed a dual monetization strategy: selling initial network access to other criminals and separately auctioning stolen databases extracted from compromised systems. This incident represented a potential repeat attack against PIA, suggesting prior vulnerabilities may not have been fully remediated. The exposure of passport data and contact information posed risks of identity theft, financial fraud, and targeted phishing against PIA customers. KELA’s disclosure provided no information regarding PIA’s internal detection mechanisms, containment measures, or post-incident responses. The researchers did not attribute the attack to any specific group or nation-state actor.
