Years ago there was a commit to the Linux kernal that strangly had no author. This got some attention of several of the developers.
Looking into the code that had to deal with network transmission. there was a section that if you tried to get network access in a unusual way had a check that was written something like this.
If (usr_permission = ROOT) … Instead of If (usr_permission == ROOT) …
The first giving the user root if invoked and the second checking to see if the user was root.
It’s widely thought this was the NSA or some other intelligence agency trying to backdoor lin Linux.
If you are trying to steel credentials from people with power and money passengers in first class are a good target.
Where else are you going to find a cluster of people like that that are using the wifi and are going to be there for hours. It’s about as optimal as I can think of.
Even better if you are targeting a spefic company. Just pick flights out of the headquarters for that company.
If you want to attack say Microsoft pick a flight from Seattle to DC. Pretty good odds of a Microsoft high up being on the flight and wanting to use the wifi for work.
It was clearly an attack. By who is unknown.
Notably this was in 2003 before git (2005) so linux source was in a central bitkeeper repo. So a commit with no associated data about who did it should not have been possible.
Here is a more detailed article. https://lwn.net/Articles/57135/