State-sponsored Threat Actors Steal Airline Data Using the Slack API

Reports show that a recently discovered backdoor dubbed ‘Aclip’, which abuses the Slack API as a covert command-and-control channel, is being used by a suspected Iranian state-sponsored threat actor.

The activity dates back to 2019, when the actor stole airline reservation data from an unnamed Asian airline.

According to a report by IBM Security X-Force, the actor is likely ITG17, also known as ‘MuddyWater’, a highly active threat group.

Yesterday, my colleague Dora wrote about the recent discovery of a new espionage hacking campaign targeting Middle Eastern and Asian telecommunications and IT service companies. The operation has been running for six months, and it may have connections to the same Iranian-backed actor, also known as MERCURY, SeedWorm, or TEMP.Zagros.

What Is Slack?

According to Wikipedia, Slack is a proprietary business communication platform developed by American technology firm Slack Technologies and now owned by Salesforce.

Slack offers several IRC-style features, such as persistent chat rooms (channels) organized by topic, private groups, and direct messaging.

Abusing a legitimate collaboration platform in this way is not a new tactic; other threat actors have done it before, and Slack is not the only genuine chat application to have been turned into a covert channel for relaying commands and exfiltrating data.
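Because a backdoor that talks to slack.com blends in with legitimate Slack traffic, simply blocking the domain is rarely an option for an organization that uses Slack; the practical detection question is which hosts use the API in ways a real Slack client would not. The Python script below is an example added here, not code from the Heimdal article or from the IBM X-Force report, and it runs three such heuristics over constructed proxy log lines: a user agent that is neither the Slack desktop app nor a browser, a fixed polling interval (beacon-like timing), and data pushed through the files.upload endpoint. The log format, the user-agent patterns, the thresholds and the sample lines are all assumptions for illustration, not indicators taken from Aclip itself.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (not from the article or the IBM report).
# Assumed format: epoch_ts src_ip method url "user_agent" bytes_out
SAMPLE_LOGS = """\
1639400000 10.0.0.5 POST https://slack.com/api/chat.postMessage "Slack_SSB/4.23.0 Windows" 412
1639400000 10.0.0.9 GET https://slack.com/api/conversations.history "WinHTTP/1.0" 0
1639400060 10.0.0.9 POST https://slack.com/api/files.upload "WinHTTP/1.0" 1048576
1639400120 10.0.0.9 GET https://slack.com/api/conversations.history "WinHTTP/1.0" 0
1639400180 10.0.0.9 GET https://slack.com/api/conversations.history "WinHTTP/1.0" 0
1639400240 10.0.0.9 POST https://slack.com/api/files.upload "WinHTTP/1.0" 2097152
1639400300 10.0.0.5 GET https://slack.com/api/conversations.list "Mozilla/5.0 ... Chrome/96" 0
"""

LOG_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)" (\d+)$')
SLACK_API_RE = re.compile(r'^https://slack\.com/api/([\w.]+)')
# Assumption: the Slack desktop client identifies as Slack_SSB and the web
# client as a normal browser; anything else calling the API is worth a look.
LEGIT_UA_RE = re.compile(r'Slack_SSB|Mozilla/')


def parse_line(line):
    """Parse one assumed-format proxy log line into a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, url, ua, nbytes = m.groups()
    return {"ts": int(ts), "src": src, "method": method,
            "url": url, "ua": ua, "bytes": int(nbytes)}


def slack_api_method(url):
    """Return the Slack Web API method name (e.g. files.upload) or None."""
    m = SLACK_API_RE.match(url)
    return m.group(1) if m else None


def find_suspicious(lines, min_events=3, max_jitter=0.25):
    """Group Slack API calls per source host and return {host: [reasons]}.

    max_jitter is the allowed coefficient of variation of the gaps between
    requests; real users are bursty, a polling backdoor is metronomic.
    """
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        api = slack_api_method(rec["url"])
        if api:
            rec["api"] = api
            per_host[rec["src"]].append(rec)

    findings = {}
    for src, recs in per_host.items():
        reasons = []
        odd_uas = sorted({r["ua"] for r in recs if not LEGIT_UA_RE.search(r["ua"])})
        if odd_uas:
            reasons.append("non-Slack user agent: " + ", ".join(odd_uas))
        uploaded = sum(r["bytes"] for r in recs if r["api"] == "files.upload")
        if uploaded:
            reasons.append(f"files.upload total {uploaded} bytes")
        if len(recs) >= min_events:
            ts = sorted(r["ts"] for r in recs)
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                reasons.append(f"beacon-like interval ~{avg:.0f}s over {len(recs)} requests")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_suspicious(SAMPLE_LOGS.splitlines()).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample, 10.0.0.9 is flagged on all three heuristics while 10.0.0.5, which uses the desktop client and a browser at irregular times, is not. In a real deployment the user-agent list would need tuning for whatever Slack clients and integrations the organization sanctions, and the interval check should be run over a longer window than five requests.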

In this instance, the Aclip

Read More: https://heimdalsecurity.com/blog/state-sponsored-threat-actors-steal-airline-data-using-the-slack-api/