VietNamNet Bridge - Soon after receiving a malware sample provided by Noi Bai International Airport, a victim of the July 29 cyberattack, CMC Infosec found that its executable file was named ‘diskperf.exe’.

At 4 pm on July 29, 2016, the official website of Vietnam Airlines was hijacked and visitors were redirected to a foreign website which contained false information. Data of many loyal clients were stolen.

Vietnam Airlines and VNCERT (Vietnam Computer Emergency Response Team) belonging to the Ministry of Information and Communication (MIC) then asked for help from Viettel, FPT, CMC and VNPT to deal with the incident, which affected more than 100 flights.

According to CMC Infosec, the name of the malware in CMC’s data was Troijan.Win32.Dropper.Encrypt.K.

When a computer is infected with the malware, an image is displayed on its main screen, and many data files are encrypted and cannot be restored without the key held by the hackers.

CMC Infosec has added detection of diskperf.exe to the databases of all its products: CMC anti-virus (free version), CMC Internet Security, and CISE (for businesses).

Businesses and users can download the latest version of the products from www.cmcinfosec.com, or contact 0932 206 446 for further support.

VnExpress quoted its sources as reporting that it was an intentional attack that had been thoroughly planned for a long time before the attack date.

According to VNISA (Vietnam Information Security Association), there are signs showing that hackers intruded into the system in mid-2014. 

However, the malware used in the July 29 attack was new and written specifically for the attack. It passed through normal security check tools, including anti-virus software, without being detected.

VNISA said the traces left on the scene were not enough to say who the attackers were. 

However, they had knowledge of the information systems at the airports, both the information structure and the operation of the equipment. They also intended to take control of the system’s data and disable it completely.

Security experts have discovered that the back door had been exploited for a long time before the attack was launched.

According to Pham Hong Phuc, an independent expert, when attacking Vietnam Airlines’ website, hackers shared three links to the files containing customer data. The account there was created on July 25, 2016, or four days before the attack.

Therefore, the expert believes that the information about 400,000 members of Vietnam Airlines’ Golden Lotus Program might have been exploited four days before the attack.

Meanwhile, Nguyen Hai Tung, CIO of Vietnam Airlines, said Vietnam Airlines’ partners discovered abnormal signs on July 28 and issued warnings.


Kim Chi