Date: Apr 2014

Location: Canada

Summary

NullCrew hackers breached the International Civil Aviation Organization, exposing system credentials and logs, including phpMyAdmin, FTP, and SSH data. The attack, part of a broader campaign targeting multiple entities, exploited security vulnerabilities, compromising administrative accounts and internal communications. As a UN agency responsible for aviation standards and biometric passport security, the incident raised concerns about the organization's cybersecurity practices and potential risks to sensitive aviation infrastructure. The hackers said their motives were to expose perceived corruption and inadequate security, and that they did not access consumer data in other breaches.


Description

In April 2014, the hacker group NullCrew executed a coordinated cyberattack campaign targeting nine organizations, including the United Nations' International Civil Aviation Organization (ICAO). The group publicly announced the breaches on Easter Sunday (April 20) via Twitter and documented their activities in a Pastebin publication titled "FTS Zine 5." NullCrew's stated motivation centered on exposing corruption within government-affiliated entities and organizations they deemed problematic. The attacks occurred over several weeks, with evidence suggesting ICAO was compromised by April 20, though some targets like data broker Spokeo may have been breached as early as April 5. Attack methods included SQL injection exploits and credential theft, with NullCrew mocking victims for inadequate security practices such as outdated systems. The group exfiltrated administrative credentials, system logs, and internal communications while explicitly avoiding consumer data at commercial targets like Spokeo.

ICAO suffered significant exposure due to its role in managing global aviation security standards and biometric passport infrastructure. Attackers accessed and leaked phpMyAdmin credentials, FTP logs, SSH logs, and other system information from ICAO networks. This breach raised concerns about the security of sensitive systems including the Public Key Directory used for international traveler verification. Unlike government contractor Klas Telecom – which publicly acknowledged its breach and warned clients – ICAO did not issue any public statements regarding the incident. The attack occurred amid NullCrew's broader campaign against media corporations, educational institutions, and government-linked entities, including prior breaches of Comcast (February) and Al Arabiya (April 3). No evidence indicated consumer data compromise at ICAO, though the exposure of administrative credentials and system metadata created potential vulnerabilities in aviation security infrastructure. The incident highlighted systemic security failures across multiple organizations targeted in NullCrew's spree.
