According to CPR analysts, the data breach arose from a complex scheme involving:

    • Malware planted in the supply chain (hotel systems): In the first step, hotels in the supply chain were infected with malware. The tactic was to book accommodation via the travel agency, and then to send a malicious file via a messaging system, with the aim of infecting their networks.
    • Insider collaborations: Threat actors in the breach left evidence they had been looking to sign “malicious partnerships” with people with insider access to the travel agency. The actual attack vector or scheme was undisclosed.
    • Purpose-built phishing kits: Special kits specifically targeting were being given away to the Russian cybercrime community before the actual network breach attempt.
    • Fake host accounts: Evidence shows a cybercriminal had been searching on the Dark Web for a developer to create a software that creates fake host accounts and lists fake properties on the targeted travel agency.
Evidence of Dark Web advertisements mass-recruiting malicious actors for the cyberattack