Air Canada responds to BianLian ransom attack claims


Air Canada has responded to Wednesday’s claims by the BianLian ransomware group that it was responsible for a September breach of the airline and that it stole more than 200 GB of data from the carrier, which the group is now advertising on its dark web leak site.

Labeled as one of the most dangerous ransom gangs of 2022, BianLian posted a detailed account of how they went about the attack on its official dark leak site early Wednesday, chiding the airline for telling "half-truths" about the attack.

Air Canada first announced internal systems had been breached in a public statement on its website September 20th.

In a Cybernews update, an Air Canada spokesperson told our team late Wednesday evening that the airline will not “comment on any claims made by an anonymous group based on cybercrime” other than its original statement on the incident.

“BianLian had threatened to resort to exploiting the media in their unsuccessful extortion efforts,” Air Canada said.

“We trust that media will consider this and report on issues such as this responsibly,” the spokesperson concluded to Cybernews.

At the time of the attack, the airline had stated only a small amount of data had been compromised, “related to limited personal information of some employees and certain records.”

[Image: Air Canada official statement on cyberattack, September 20, 2023.]

But BianLian tells quite a different story, claiming it was able to exfiltrate at least 210 GB of data from the airline including:

  • Technical and operational data from 2008 through 2023.
  • Information on technical and security issues of the company.
  • SQL backups.
  • Employee personal data.
  • Information on vendors and suppliers.
  • Confidential documents.
  • Archives from company databases.

The group also posted the personal email addresses and mobile phone numbers of the airline’s president, Michael Rousseau, and its Chief Information Officer, Mel Crocker.

[Image: BianLian’s Air Canada post on its dark leak site.]

It's not clear if Air Canada was aware of how much data had been compromised in the attack, as the Montreal-based airline originally stated the hackers had only “briefly obtained limited access” to its systems.

On its leak site, BianLian described the details of the attack, calling out Air Canada for “only telling half-truths” in its September breach disclosure statement.

“Employee personal data is only a small fraction of the valuable data over which they have lost control. For example, we have SQL databases with company technical and security issues,” it said.

The group also claims to have gone easy on the airline, purposefully choosing not to cause any damage to infrastructure or internal resources during its attack.

“You can check it out for yourself, a demo package with screenshots is available below. Backups with this data are available on our website and at your request,” the group stated, alongside links to more than 90 archive files.

[Image: Air Canada archive files listed on the BianLian dark leak site.]

BianLian then felt it necessary to scold Air Canada for its handling of the breach, stating that the carrier should have isolated its network for security reasons, as required by breach protocols.

“Air transportation companies must remove all software that could compromise their systems and, ultimately, the people for whom they are responsible. As far as we can tell, this was not done; operations continued,” the gang concluded.

It's not clear whether the hackers presented a ransom demand to the airline, or whether Air Canada made contact with or paid any money to the group.

Air Canada's disclosure in September stated that no customer data was compromised in the attack, employees whose data had been accessed were notified, and it has since beefed up security protocols with help from outside cybersecurity experts.

BianLian is considered a relatively inexperienced data extortion cybercriminal group that has targeted organizations in multiple US critical infrastructure sectors since June 2022. The gang has also targeted critical sectors in Australia, according to the US Cybersecurity & Infrastructure Security Agency (CISA).

The threat actors of unknown origin typically gain access to victims through the use of valid Remote Desktop Protocol (RDP) credentials, according to a ransomware advisory alert about the gang released by CISA this past spring.

The phrase Bian Lian, or “face-changing” in Chinese, refers to an ancient performance art from Chinese Sichuan opera, which uses colorful costumes and rapidly changing masks. It is rarely seen outside mainland China because its techniques are protected as a secret under Chinese law.