{
	"id": "bead736f-727b-4116-8022-7caa4c1642a5",
	"created_at": "2026-04-06T00:13:02.195011Z",
	"updated_at": "2026-04-10T13:12:36.931501Z",
	"deleted_at": null,
	"sha1_hash": "1ce0466f5eb92feefc786eb5dbd087abe4386427",
	"title": "FBI Hacker Dropped Stolen Airbus Data on 9/11",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 263437,
	"plain_text": "FBI Hacker Dropped Stolen Airbus Data on 9/11\r\nPublished: 2023-09-14 · Archived: 2026-04-02 10:34:14 UTC\r\nIn December 2022, KrebsOnSecurity broke the news that a cybercriminal using the handle “USDoD” had\r\ninfiltrated the FBI’s vetted information sharing network InfraGard, and was selling the contact information for\r\nall 80,000 members. The FBI responded by reverifying InfraGard members and by seizing the cybercrime forum\r\nwhere the data was being sold. But on Sept. 11, 2023, USDoD resurfaced after a lengthy absence to leak sensitive\r\nemployee data stolen from the aerospace giant Airbus, while promising to visit the same treatment on top U.S.\r\ndefense contractors.\r\nUSDoD’s avatar used to be the seal of the U.S. Department of Defense. Now it’s a charming kitten.\r\nIn a post on the English language cybercrime forum BreachForums, USDoD leaked information on roughly\r\n3,200 Airbus vendors, including names, addresses, phone numbers, and email addresses. USDoD claimed they\r\ngrabbed the data by using passwords stolen from a Turkish airline employee who had third-party access to Airbus’\r\nsystems.\r\nUSDoD didn’t say why they decided to leak the data on the 22nd anniversary of the 9/11 attacks, but there was\r\ndefinitely an aircraft theme to the message that accompanied the leak, which concluded with the words,\r\n“Lockheed martin, Raytheon and the entire defense contractos [sic], I’m coming for you [expletive].”\r\nAirbus has apparently confirmed the cybercriminal’s account to the threat intelligence firm Hudson Rock, which\r\ndetermined that the Airbus credentials were stolen after a Turkish airline employee infected their computer with a\r\nprevalent and powerful info-stealing trojan called RedLine.\r\nInfo-stealers like RedLine typically are deployed via opportunistic email malware campaigns, and by secretly\r\nbundling the trojans with cracked versions of popular software titles made available online. 
Credentials stolen by\r\ninfo-stealers often end up for sale on cybercrime shops that peddle purloined passwords and authentication\r\ncookies (these logs also often show up in the malware scanning service VirusTotal).\r\nHudson Rock said it recovered the log files created by a RedLine infection on the Turkish airline employee’s\r\nsystem, and found the employee likely infected their machine after downloading pirated and secretly backdoored\r\nsoftware for Microsoft Windows.\r\nHudson Rock says info-stealer infections from RedLine and a host of similar trojans have surged in recent years,\r\nand that they remain “a primary initial attack vector used by threat actors to infiltrate organizations and execute\r\ncyberattacks, including ransomware, data breaches, account overtakes, and corporate espionage.”\r\nhttps://krebsonsecurity.com/2023/09/fbi-hacker-dropped-stolen-airbus-data-on-9-11/\r\nPage 1 of 3\n\nThe prevalence of RedLine and other info-stealers means that a great many consequential security breaches begin\r\nwith cybercriminals abusing stolen employee credentials. In this scenario, the attacker temporarily assumes the\r\nidentity and online privileges assigned to a hacked employee, and the onus is on the employer to tell the\r\ndifference.\r\nIn addition to snarfing any passwords stored on or transmitted through an infected system, info-stealers also\r\nsiphon authentication cookies or tokens that allow one to remain signed-in to online services for long periods of\r\ntime without having to resupply one’s password and multi-factor authentication code. By stealing these tokens,\r\nattackers can often reuse them in their own web browser, and bypass any authentication normally required for that\r\naccount.\r\nMicrosoft Corp. this week acknowledged that a China-backed hacking group was able to steal one of the keys to\r\nits email kingdom that granted near-unfettered access to U.S. government inboxes. 
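The cookie-replay attack described above puts the burden on the service, not the user: the same session cookie is valid whether the victim's browser or the attacker's browser presents it, so the only signal left is whether the client context around the cookie still looks like the one that logged in. The following is an added example written for this page, not code from the KrebsOnSecurity article or from Airbus, Hudson Rock or Microsoft. It binds each session cookie to the network and browser seen at login and flags later requests that break that binding or outlive a lifetime policy. The log format, field names, sample events, the /24 locality heuristic and the 12-hour lifetime are all assumptions made for the example.

```python
# Added example, not code from the KrebsOnSecurity article or from any vendor it names.
# It shows the server-side check the text describes as the employer's burden: telling
# a stolen session cookie replayed from the attacker's browser apart from the victim's
# own use of it. The log format, field names, sample events, /24 locality heuristic and
# 12-hour cookie lifetime below are all assumptions made for this example.
import ipaddress
import shlex
from datetime import datetime, timedelta

# Constructed sample events (key=value lines, quoted values may contain spaces):
# one login, two benign requests from the same network, then the same cookie
# reappearing from an unrelated network and browser, a stale reuse days later,
# and a cookie nobody ever logged in with.
SAMPLE_LOG = '''
ts=2023-09-11T08:02:10Z event=login session=sid-7f3a user=j.doe ip=85.105.12.44 ua='Chrome/116.0 Windows' mfa=yes
ts=2023-09-11T08:05:31Z event=request session=sid-7f3a user=j.doe ip=85.105.12.44 ua='Chrome/116.0 Windows' path=/portal/vendors
ts=2023-09-11T08:40:02Z event=request session=sid-7f3a user=j.doe ip=85.105.12.90 ua='Chrome/116.0 Windows' path=/portal/vendors
ts=2023-09-11T10:17:45Z event=request session=sid-7f3a user=j.doe ip=185.220.101.7 ua='Firefox/117.0 Linux' path=/portal/export
ts=2023-09-13T09:00:00Z event=request session=sid-7f3a user=j.doe ip=85.105.12.44 ua='Chrome/116.0 Windows' path=/portal/vendors
ts=2023-09-11T09:12:00Z event=request session=sid-0000 user=a.smith ip=203.0.113.5 ua='Chrome/116.0 Windows' path=/portal/home
'''

MAX_SESSION_AGE = timedelta(hours=12)  # assumed policy: a cookie older than this must re-authenticate


def parse_line(line):
    # Split on whitespace honouring quotes, then break each token at its first '='.
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition('=')
        fields[key] = value
    fields['ts'] = datetime.strptime(fields['ts'], '%Y-%m-%dT%H:%M:%SZ')
    return fields


def same_network(ip_a, ip_b, prefix=24):
    # Crude locality check: a move outside the login address's /24 counts as a new network.
    # A real deployment would compare ASN or geolocation instead.
    net = ipaddress.ip_network(ip_a + '/' + str(prefix), strict=False)
    return ipaddress.ip_address(ip_b) in net


def detect_replay(log_text):
    # Bind each session cookie to the client context seen at login, then flag requests
    # whose context no longer matches. Returns one alert dict per suspicious request.
    bindings = {}
    alerts = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        sid = ev['session']
        if ev['event'] == 'login':
            bindings[sid] = {'ip': ev['ip'], 'ua': ev['ua'], 'at': ev['ts']}
            continue
        bound = bindings.get(sid)
        reasons = []
        if bound is None:
            reasons.append('no login recorded for this session cookie')
        else:
            if ev['ua'] != bound['ua']:
                reasons.append('user-agent changed')
            if not same_network(bound['ip'], ev['ip']):
                reasons.append('ip moved off login network')
            if ev['ts'] - bound['at'] > MAX_SESSION_AGE:
                reasons.append('cookie older than policy allows')
        if reasons:
            alerts.append({'session': sid, 'user': ev['user'], 'ip': ev['ip'],
                           'ts': ev['ts'].isoformat(), 'reasons': reasons})
    return alerts


if __name__ == '__main__':
    for alert in detect_replay(SAMPLE_LOG):
        print(alert['ts'], alert['user'], alert['ip'], ', '.join(alert['reasons']))
```

Run as a script and the sample produces three alerts: the request from the unrelated network with a different browser, the reuse two days after login, and the cookie with no login behind it. Treat the user-agent test as the weakest of the three: stealer logs normally capture the victim's browser details alongside the cookies, and markets like the Genesis Market the article goes on to describe sold them together precisely so a buyer could mimic the victim's browser. Network, timing and behavioural checks carry more weight, short cookie lifetimes with a fresh MFA prompt on sensitive actions limit what a replayed token can do, and a confirmed stealer infection should end with every session the victim held being revoked, not only a password reset.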
Microsoft’s detailed post-mortem cum mea culpa explained that a secret signing key was stolen from an employee in an unlucky series of\r\nunfortunate events, and thanks to TechCrunch we now know that the culprit once again was “token-stealing\r\nmalware” on the employee’s system.\r\nIn April 2023, the FBI seized Genesis Market, a bustling, fully automated cybercrime store that was continuously\r\nrestocked with freshly hacked passwords and authentication tokens stolen by a network of contractors who\r\ndeployed RedLine and other info-stealer malware.\r\nIn March 2023, the FBI arrested and charged the alleged administrator of BreachForums (aka Breached), the same\r\ncybercrime community where USDoD leaked the Airbus data. In June 2023, the FBI seized the BreachForums\r\ndomain name, but the forum has since migrated to a new domain.\r\nUSDoD’s InfraGard sales thread on Breached.\r\nUnsolicited email continues to be a huge vector for info-stealing malware, but lately the crooks behind these\r\nschemes have been gaming the search engines so that their malicious sites impersonating popular software\r\nvendors actually appear before the legitimate vendor’s website. So take special care when downloading software\r\nto ensure that you are in fact getting the program from the original, legitimate source whenever possible.\r\nAlso, unless you really know what you’re doing, please don’t download and install pirated software. Sure, the\r\ncracked program might do exactly what you expect it to do, but the chances are good that it is also laced with\r\nsomething nasty. 
And when all of your passwords are stolen and your important accounts have been hijacked or\r\nsold, you will wish you had simply paid for the real thing.\r\nSource: https://krebsonsecurity.com/2023/09/fbi-hacker-dropped-stolen-airbus-data-on-9-11/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2023/09/fbi-hacker-dropped-stolen-airbus-data-on-9-11/"
	],
	"report_names": [
		"fbi-hacker-dropped-stolen-airbus-data-on-9-11"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "80edca9f-dcd6-491e-92f3-87ad1f575631",
			"created_at": "2023-10-14T02:03:14.694988Z",
			"updated_at": "2026-04-10T02:00:05.021046Z",
			"deleted_at": null,
			"main_name": "NetSec",
			"aliases": [
				"NetSec",
				"Operation Data Breach",
				"ScarFace_TheOne",
				"USDoD"
			],
			"source_name": "ETDA:NetSec",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "82a51997-1402-41c3-86df-6f9e522b2ba8",
			"created_at": "2024-04-27T02:00:03.554045Z",
			"updated_at": "2026-04-10T02:00:03.63698Z",
			"deleted_at": null,
			"main_name": "USDoD",
			"aliases": [],
			"source_name": "MISPGALAXY:USDoD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434382,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ce0466f5eb92feefc786eb5dbd087abe4386427.pdf",
		"text": "https://archive.orkl.eu/1ce0466f5eb92feefc786eb5dbd087abe4386427.txt",
		"img": "https://archive.orkl.eu/1ce0466f5eb92feefc786eb5dbd087abe4386427.jpg"
	}
}