Delta Air Lines has filed a $500 million lawsuit against CrowdStrike following the severe IT outage that occurred in July 2024. This incident caused the cancellation of approximately 7,000 flights and significant operational disruptions. Delta alleges that a faulty software update from CrowdStrike’s endpoint detection system triggered the meltdown, which affected key Windows systems and led to approximately $380 million in lost revenue and $170 million in recovery costs, according to the Securities and Exchange Commission (SEC).

The airline claims CrowdStrike bypassed Delta’s controls by deploying the update without proper certification, comparing the event to unauthorized hacking.

CrowdStrike argues that Delta is operating with misinformation and seeking to shift blame for their slow recovery after the outage. CrowdStrike ascertains that they are liable for no more than $10 Million. They have sought to settle disputes with Delta earlier in the year but with little success.

This legal battle reflects growing tensions around liability when IT service providers encounter critical system failures. As Delta seeks compensation and accountability, they themselves are being investigated for their slower response time compared to similarly effected transportation industries. The case could have broader implications for both the aviation and cybersecurity industries, especially regarding operational resilience and third-party software management practices.

CrowdStrike Lawsuit – TL:DR

Delta Airlines are pursuing a lawsuit against CrowdStrike for $500 million due to the outages in July. While CrowdStrike insist their liability is a maximum of $10 million . This case has led to both companies being looked at with some scrutiny. It is likely to have implications for both the aviation and cybersecurity industries.

APT29 is a well-known threat in the cybersecurity world. A part of Russia’s Foreign Intelligence Service, it has been known for targeted attacks. Most notably, the SolarWinds breach of 2020. This time, APT29 has breached Microsoft’s codebase through a phishing campaign, using domain names designed to mimic Amazon Web Services (AWS). These attacks seemingly targeted multiple government agencies, enterprises, and even military organizations. This activity appeared previously in Ukraine, with attempts to get similar credentials from government, military, and private sector targets.

This particular campaign started in August. Using the aforementioned false AWS domains, APT29 pretended to advise on how best to achieve Zero Trust architecture and how to integrate AWS and Microsoft services to achieve this. The goal for ATP29 was in the attachments of these emails, which contained configuration files for Remote Desktop. When the attachment is launched, it would trigger an outgoing RDP connection to an APT29 server. This also gave the attacker access to the user’s computer itself.

The campaign was interrupted by Amazon, who seized the copycat domains. CERT-UA suggests organizations affected to keep analysing all outgoing connections to all IP addresses through the end of the month. Some cybersecurity experts recommend blocking RDP files completely from your email gateway, preventing this from occurring at all.

APT29 attacks – TL:DR

Russia-linked hacking group APT29, also known as Cozy Bear, recently launched phishing campaigns impersonating AWS domains to steal Windows credentials via Remote Desktop Protocol (RDP). The attacks targeted government agencies, enterprises, and military organizations, with phishing emails appearing to integrate Amazon and Microsoft services. These campaigns reflect APT29’s evolving tactics as it continues targeting critical sectors using sophisticated social engineering and technical exploits.

Ready to see it in action?