Believed to be operating in the interests of the Chinese state, the group's activities were first described in a report [PDF] and Black Hat presentation [PDF] from CyCraft in 2020.
The initial report mentioned a series of coordinated attacks against the Taiwanese semiconductor industry.
But in a new report published last week by NCC Group and its subsidiary Fox-IT, the two companies said the group's intrusions are broader than initially thought, having also targeted the airline industry.
"NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020," the two companies said.
These attacks targeted semiconductor and airline companies in different geographical areas, and not just Asia, NCC and Fox-IT said.
In the case of some victims, the hackers stayed hidden inside networks for up to three years before being discovered.
Hackers scraped user data from the RAM of flight booking servers
While the attacks orchestrated against the semiconductor industry were aimed towards the theft of intellectual property (IP), the attacks against the airline industry were focused instead on something else.
"The goal of targeting some victims appears to be to obtain Passenger Name Records (PNR)," the two companies said.
"How this PNR data is obtained likely differs per victim, but we observed the usage of several custom DLL files used to continuously retrieve PNR data from memory of systems where such data is typically processed, such as flight booking servers."
A typical Chimera attack
The joint NCC and Fox-IT report also describes the Chimera group's typical modus operandi, which usually begins with collecting user login credentials that leaked in the public domain after data breaches at other companies.
This data is used for credential stuffing or password spraying attacks against a target's employee services, such as email accounts. Once in, the Chimera operators search for login details for corporate systems, such as Citrix systems and VPN appliances.
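Password spraying, as described above, has a recognisable shape in authentication logs: one source fails against many accounts with only one or two attempts each, which ordinary per-account lockout thresholds never trip. The following detector is an added example written for this article, not code from the NCC Group / Fox-IT report; the log format and the sample lines are constructed for illustration, and the window and threshold values are assumptions to tune against real data.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simple "timestamp result user src_ip" format.
# They are illustrative only, not log data from the NCC Group / Fox-IT report.
# 203.0.113.10 tries six accounts once each (spray shape);
# 198.51.100.7 hammers one account six times (classic brute force).
SAMPLE_LOG = """\
2020-03-01T08:00:01 FAIL alice 203.0.113.10
2020-03-01T08:00:04 FAIL bob 203.0.113.10
2020-03-01T08:00:07 FAIL carol 203.0.113.10
2020-03-01T08:00:10 FAIL dave 203.0.113.10
2020-03-01T08:00:13 FAIL erin 203.0.113.10
2020-03-01T08:00:16 FAIL frank 203.0.113.10
2020-03-01T08:00:19 OK grace 203.0.113.10
2020-03-01T08:05:00 FAIL alice 198.51.100.7
2020-03-01T08:05:03 FAIL alice 198.51.100.7
2020-03-01T08:05:06 FAIL alice 198.51.100.7
2020-03-01T08:05:09 FAIL alice 198.51.100.7
2020-03-01T08:05:12 FAIL alice 198.51.100.7
2020-03-01T08:05:15 FAIL alice 198.51.100.7
2020-03-01T09:30:00 OK bob 192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed format into (timestamp, result, user, src_ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Classify each source IP by the shape of its failed logins.

    Returns {src_ip: (kind, distinct_accounts, total_failures)} where kind is
    "password_spray" (many accounts, few tries each, inside one window) or
    "brute_force" (one account hit at least min_accounts times). Sources that
    match neither pattern are omitted. Thresholds are assumed starting values.
    """
    failures = defaultdict(list)  # src_ip -> [(timestamp, user), ...]
    for ts, result, user, src in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        best, best_key, start = Counter(), (0, 0), 0
        # Sliding window over this source's failures, ordered by time.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in attempts[start:end + 1])
            key = (len(per_user), sum(per_user.values()))
            if key > best_key:  # keep the busiest window for this source
                best, best_key = per_user, key
        if not best:
            continue
        distinct, total = len(best), sum(best.values())
        if distinct >= min_accounts and max(best.values()) <= max_per_account:
            alerts[src] = ("password_spray", distinct, total)
        elif max(best.values()) >= min_accounts:
            alerts[src] = ("brute_force", distinct, total)
    return alerts


if __name__ == "__main__":
    for src, (kind, accounts, fails) in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {kind} ({accounts} accounts, {fails} failures)")
```

The spray rule deliberately requires a low per-account count: that is what separates it from brute force, and it is why per-account lockout alone does not detect the technique. In production the same logic would run over identity-provider or VPN authentication events, and the source key would often be a client fingerprint or ASN rather than a single IP, since the operators can rotate addresses.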
Once inside an internal network, the intruders usually deploy Cobalt Strike, a penetration-testing framework used for "adversary emulation," which they use to move laterally to as many systems as possible, searching for IP and passenger details.
The two security firms said the hackers were patient and thorough and would search until they found ways to traverse across segmented networks to reach systems of interest.
Once they had found and collected the data they were after, this information was regularly uploaded to public cloud services like OneDrive, Dropbox, or Google Drive, knowing that traffic to these services wouldn't be inspected or blocked inside breached networks.
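Because uploads to sanctioned cloud storage are rarely blocked, the practical defensive control is to baseline how much each host normally sends to those services and alert on a sudden jump. The snippet below is an added example for this article, not code from the report or from any vendor: the proxy records are constructed, the destination hostnames are assumptions standing in for the services named above, and the factor and byte floor are assumed starting values.

```python
from collections import defaultdict

# Assumed hostnames for the services named in the article (illustrative only).
CLOUD_STORAGE_DOMAINS = {"onedrive.live.com", "dropbox.com", "drive.google.com"}

# Constructed proxy log records: (day, source_host, dest_domain, bytes_sent).
# ws-fin-01 uploads ~1.5 MB/day for five days, then 600 MB on day six.
# ws-eng-02 uploads a steady 80 MB/day (a legitimately heavy but stable user).
# ws-hr-03 appears on one day only, so it has no baseline yet.
SAMPLE_PROXY = []
for d in range(1, 6):
    SAMPLE_PROXY.append((f"2020-03-0{d}", "ws-fin-01", "onedrive.live.com", 1_500_000))
SAMPLE_PROXY += [
    ("2020-03-06", "ws-fin-01", "dropbox.com", 300_000_000),
    ("2020-03-06", "ws-fin-01", "dropbox.com", 300_000_000),
    ("2020-03-06", "ws-fin-01", "intranet.example.invalid", 900_000_000),  # not cloud storage
    ("2020-03-06", "ws-hr-03", "drive.google.com", 200_000_000),
]
for d in range(1, 7):
    SAMPLE_PROXY.append((f"2020-03-0{d}", "ws-eng-02", "drive.google.com", 80_000_000))


def daily_cloud_upload(records):
    """Sum bytes sent to cloud storage per host per day, ignoring other destinations."""
    per_host_day = defaultdict(lambda: defaultdict(int))
    for day, host, domain, sent in records:
        if domain in CLOUD_STORAGE_DOMAINS:
            per_host_day[host][day] += sent
    return per_host_day


def flag_upload_anomalies(records, factor=10, min_bytes=100_000_000):
    """Flag hosts whose most recent day's cloud upload exceeds both an absolute
    floor and `factor` times the largest earlier day for that host.

    Returns {host: (latest_bytes, baseline_bytes)}. Hosts with a single day of
    history are skipped because there is nothing to compare against.
    """
    alerts = {}
    for host, days in daily_cloud_upload(records).items():
        ordered = sorted(days)
        if len(ordered) < 2:
            continue
        latest = days[ordered[-1]]
        baseline = max(days[d] for d in ordered[:-1])
        if latest >= min_bytes and latest > factor * baseline:
            alerts[host] = (latest, baseline)
    return alerts


if __name__ == "__main__":
    for host, (latest, baseline) in flag_upload_anomalies(SAMPLE_PROXY).items():
        print(f"{host}: {latest / 1e6:.0f} MB today vs {baseline / 1e6:.1f} MB baseline")
```

The absolute floor keeps a host that goes from 10 KB to 1 MB from paging anyone, while the ratio keeps a consistently heavy uploader quiet. A real deployment would key on TLS SNI or proxy-logged hostnames, and the steady-state host that never trips the rule is a reminder that baselining alone does not catch slow, even-paced exfiltration; that case needs a per-host allowlist of expected cloud tenants.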
Tracking targets of interest
While the NCC and Fox-IT report didn't speculate why the hackers targeted the airline industry and why they stole passenger data, this is pretty obvious.
In fact, it is very common for state-sponsored hacking groups to target airline companies, hotel chains, and telcos to obtain data they could use to track the movements and communications of persons of interest.