
Cyber Incident Victim: Tagaviation

Date: May 2023

Location: Switzerland

Summary

A Swiss business aviation company experienced a ransomware attack after its intrusion detection system identified an unauthorized network access attempt. The Black Basta group was responsible for the incident, which primarily affected its Asian operations and involved the encryption of IT systems. The attackers exfiltrated several terabytes of data, including passports and internal documents, which were subsequently advertised for sale on a darknet blog by a third party. The firm engaged cybersecurity experts and law enforcement to investigate and has implemented additional security measures.


Description

On or around May 21, 2023, the Swiss private jet charter company TAG Aviation experienced a significant cybersecurity incident. The company's Intrusion Detection System (IDS) identified an unauthorized access attempt on its network on that date. This initial breach was followed by a ransomware attack that encrypted some of the organization's IT systems. TAG Aviation, a prominent name in business and luxury aviation based at Geneva Airport, operates from 13 locations across Europe and Asia. The company sought to downplay the severity of the incident, characterizing it as an "IT security incident" and stating that its impact was confined to its Asian operations, explicitly confirming that TAG Aviation Europe was not affected.


In response to the detection, the company immediately initiated countermeasures. TAG Aviation engaged an external cybersecurity partner specializing in digital forensics to investigate the incident and the scope of the affected data. The forensic investigation was tasked with determining the extent of the breach and the nature of the compromised information. Concurrently, the company implemented additional security measures designed to protect its network against potential future attacks. TAG Aviation also stated that it was working with advisors and law enforcement agencies to minimize the impact of the ransomware attack, though the investigation was reported as still ongoing at the time of public disclosure.

The threat actors behind the attack did not initially claim responsibility through conventional channels. Unlike typical ransomware operations that utilize their own dedicated leak sites on the dark web to announce victims and threaten data publication, this group remained unidentified at first. Instead, screenshots purportedly showing stolen data, including passports and other confidential internal documents, were published on a darknet site called the "UnSafe Security Blog." The operators of this site presented themselves as independent data brokers acting on behalf of the original hackers, claiming to be seeking buyers for the stolen information and disavowing any direct involvement in the initial attack. A posting on this blog, written in poor English, claimed the attackers had exfiltrated a very large amount of data, quantified as several terabytes.

Subsequent reporting confirmed that the ransomware attack was attributable to the Black Basta group, a known and highly dangerous ransomware operation. Black Basta is a Russian-speaking cybercriminal group considered one of the most significant global ransomware threats. The group was also allegedly responsible for an attack on the Swiss industrial conglomerate ABB the previous month. The confirmation of Black Basta's involvement provided context for the attack's sophistication and potential severity. The group typically employs a double-extortion model, both encrypting victims' systems and stealing sensitive data, which they then threaten to publish unless a ransom is paid. The publication of data on a third-party site, as seen in the TAG Aviation incident, was a noted deviation from their usual practice of using their own dedicated leak site.

The potential consequences of the incident were significant due to the sensitive nature of the data allegedly exfiltrated. The published screenshots suggested that personally identifiable information, specifically travel documents such as passports, was among the compromised data. A breach involving such information carries substantial privacy implications for the affected individuals and could lead to regulatory scrutiny. TAG Aviation's clientele includes high-profile figures, past and present, though the company did not specify whether any customer data was part of the theft. The claim that several terabytes of data were stolen, if accurate, indicated a large-scale data exfiltration event.

The company's public statements consistently emphasized the limited geographical scope of the attack and the immediate actions taken to contain it. Their response strategy focused on forensic investigation, strengthening network defenses, and collaboration with external experts and law enforcement. The full impact of the incident, including the exact scope of the data exfiltrated and the number of individuals affected, remained undetermined as the investigation was still in progress. The involvement of a group like Black Basta suggested a high level of threat and indicated that the attackers likely gained significant access to the company's network before deploying the ransomware and exfiltrating data. The incident highlights the ongoing challenges faced by aviation sector companies in protecting their digital infrastructure from targeted and sophisticated cyber threats.
