Black Basta hacks a French-speaking company

TAG Aviation offers private flights for wealthy customers. Image: watson

TAG Aviation, based at Geneva airport, was the victim of a ransomware attack. Research by watson reveals that Black Basta is behind this attack.

Daniel Schurter


TAG Aviation is a well-known name in business and luxury aviation. Based at Geneva airport, the company is active, by its own account, at thirteen sites in Europe and Asia and “prides itself on an international service that is unparalleled in the world”.

A glance at the company’s website shows prestigious clients, such as Swedish tennis legend Björn Borg, Alain Delon and Brigitte Bardot.

Screenshot of the website of the business charter flight company TAG Aviation, headquartered in Geneva.

TAG Aviation can look back on a successful history of more than 50 years. One wonders if Pete Sampras was already flying in the 1970s, given the year the company was born (1971). Screenshot: tagaviation.com

Currently, the company specializing in business flights is facing a hacker attack with potentially devastating consequences. On request, it confirms the research carried out by watson.

On May 21, the Intrusion Detection System (IDS) reportedly detected an attempt to gain unauthorized access to the network. Subsequently, some computer systems were reportedly affected by a ransomware attack, i.e. encryption.

At the same time, officials are trying to put the seriousness of the cyberattack into perspective. The “computer security incident” is limited to “Asia”. Countermeasures were taken immediately and a specialized cybersecurity service was commissioned. This external partner conducted “a forensic investigation into the incident and the data involved”.

In addition, further security measures have been taken to protect the network from future attacks, the statement reads.

Another sentence from the emailed statement catches the eye:

“To date, we do not know what type of data was stolen and we have found no evidence of data misuse.”

In fact, unknown cybercriminals have posted several screenshots on the darknet purporting to show passports and other internal or confidential data.

In addition, the criminals confirmed having seized a very large amount of data, several terabytes (TB).

Asked about this, a company spokesperson reaffirmed that TAG Aviation Europe was not affected.

The case is peculiar in that the cybercriminals behind the hack and alleged data theft did not identify themselves at first.

Who is behind the hack?

Later, however, TAG Aviation confirmed watson's research that the well-known group Black Basta is behind the ransomware attack.

“The Black Basta group is responsible for this, although it is impossible to verify the source or the legitimacy of anything that has been published on the dark web as part of their ransom demands”

TAG Aviation, Press office

Usually, when victims are not ready to give in to blackmail, ransomware gangs post an announcement on their own darknet leak site. They threaten to publish the stolen data in order to increase the pressure on the victims who do not want to pay.

Notice on the darknet site of the ransomware gang Black Basta.

An incomplete post on Black Basta’s darknet leak site suggested the alleged Russian group was behind the attack. Next to it (on the left) is another known victim: the German arms group Rheinmetall AG. Screenshot: watson

In this case, the threat was made by actually naming the victim on a darknet page maintained by supposedly independent third parties. For the moment, watson is refraining from naming this page.

The unknown operators claim they are looking for buyers for the stolen data on behalf of the hackers. They say they had nothing to do with the initial act.

In a post late last week on the self-proclaimed data brokers’ darknet site, it reads in rather broken English:

“Hackers recovered more than 1.5 TB [terabytes] corporate emails and over 5TB of personal data. This is all information about all customers (passports, photos, payment data and history, date of birth, telephone, e-mail, where and with whom they travel). In addition, they have all the data of the personnel department (employer, salary, contracts, benefits, insurance, passports and much more). The hackers got all the company data, they hacked into the company network and downloaded everything in all departments.”

Source: darknet / watson translation

In its statement, TAG Aviation explains that the investigation is still ongoing and that it is working with consultants and law enforcement authorities to minimize the impact of the ransomware attack.

Officials say:

“Of course, we keep our customers informed and work with them to improve their protection as the investigation progresses.”

As a reminder, Black Basta is one of the most dangerous ransomware gangs in the world. Last month, this Russian-speaking group is also said to have attacked the Swiss industrial group ABB. However, after the announcement of the cyberattack, things remained suspiciously quiet. The company concerned has kept silent, and no corresponding post has appeared on Black Basta’s page on the darknet. This generally suggests that the perpetrator and the victim have come to an agreement in negotiations and that the ransom has been paid.

Translated and adapted by Nicolas Varin
