ICAO Hit by Major Cyberattack in 2016


Enterprise & IT, Mar 1, 2019

The International Civil Aviation Organization (ICAO) was a victim of a large-scale cyberattack back in 2016, security researchers said.

According to ESET, in November of that year, a cyber-intelligence analyst at Lockheed Martin contacted the international organization after finding that cybercriminals took control of two of its servers.

The ICAO had been targeted by a watering hole attack, in which an attacker plants an exploit on a website frequented by the intended target. The analyst at Lockheed Martin emphasized that this attack could represent a “significant threat to the aviation industry.”

This cyberattack has been linked to the APT group LuckyMouse, also known as Emissary Panda, APT27 and Bronze Union.

Preliminary analysis of the attack by Secureworks revealed deeper problems. This analysis, as reported by Radio-Canada, indicated that the attack went beyond the incident initially noted on two servers of the organization, and that the attack also affected “the accounts of the mail servers, domain administrator and system administrator”.

In the weeks following the attack, the e-mail account of an ICAO delegate was also compromised by hackers and used to send messages. However, the media reports on the attack do not indicate whether the two incidents are linked.

Problems with communication and cooperation within the international organization seem to have delayed Secureworks' thorough analysis of the attack, including the decryption of an infected mail server, an important step in warning users whose security and data may have been compromised.

Once this server was decrypted, analysts were able to link this attack to an internal account in the organization. However, it is impossible to determine if this account was compromised by the attack.

According to ESET malware researcher Matthieu Faou, LuckyMouse specializes in watering hole attacks: “This APT group scans the Web for vulnerable servers. These affected servers may allow it to compromise new victims later.”

The expert said that LuckyMouse uses various tools to reach its victims, who are often targeted in Central Asia and the Middle East. “In addition to using generic tools relatively accessible on the Web, the group has developed tools of its own, including a rootkit. Last year, they stole a digital certificate belonging to a legitimate company, used to sign its rootkit.”

Anthony Philbin, ICAO’s chief of communications, reassured the public following the revelations surrounding this cyberattack. He stated, following the CBC report, “We are not aware of the serious cyber security consequences for the external partners that would have resulted from this incident …”, adding that since the attack, “ICAO has made significant improvements to its cybersecurity framework and approaches to mitigate other incidents.”

Tags: cybercrime, Cybersecurity, Cyber Attack