
Cyber Incident Victim: AirAsia

Date: Nov 2022

Location: Malaysia

Summary

AirAsia suffered a ransomware attack by the Daixin Team, compromising over five million passenger and employee records containing sensitive personal information such as names, dates of birth, employment details, and security question answers. The attackers encrypted databases but avoided critical flight systems to prevent life-threatening disruptions, later leaking sample data after the airline refused payment. Daixin Team attributed limited network damage to the victim's poorly configured infrastructure with weak security controls, including unpatched vulnerabilities exploited via VPN, SSH, and RDP access. The group publicly released stolen data and threatened to disclose network backdoors on hacker forums, potentially enabling further attacks by malicious actors.

Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor

Description

On November 11-12, 2022, the Daixin Team ransomware group targeted AirAsia, Malaysia’s largest airline, compromising passenger and employee data. Security researcher Soufiane Tahiri first identified the breach via dark web posts where Daixin Team listed samples of stolen records. The attackers claimed exfiltration of five million unique passenger records and all employee data, including names, dates of birth, countries of birth, employment dates, and account security questions with answers. Daixin Team encrypted AirAsia’s databases containing this information, demanding an undisclosed ransom for decryption and deletion. The group provided AirAsia with data samples to verify the breach but reported the airline showed no intent to pay after requesting details about data deletion procedures. AirAsia did not publicly confirm the incident or respond to media inquiries from Tech Monitor or DataBreaches.Net.


Daixin Team deliberately avoided encrypting critical aviation systems, specifically mentioning XEN and RHEL hosts used for air traffic control, to prevent life-threatening disruptions. The attackers attributed their limited network traversal to AirAsia’s disorganized infrastructure, describing the systems they accessed as poorly configured with weak security controls. Following AirAsia’s apparent refusal to negotiate, Daixin Team leaked passenger and employee data on its dark web platform and announced plans to publish network vulnerabilities and backdoor access methods on hacker forums. This action risked enabling further exploitation by malicious actors, though Daixin claimed responsibility for any future consequences. The group’s spokesperson stated that AirAsia’s VPNs contained unpatched vulnerabilities that were exploited for initial access, with lateral movement achieved via Secure Shell (SSH) and Remote Desktop Protocol (RDP). The incident occurred amid heightened scrutiny of Daixin Team, which the FBI and CISA had linked to attacks on the healthcare sector in the United States involving theft of sensitive patient data. Malaysia’s aviation sector remained a recurrent target, with Malaysia Airlines experiencing separate breaches in 2020 and 2021.
