Throwback Attack: Transportation sector hit by ransomware, airport displays taken offline

Courtesy: CFE Media
Courtesy: CFE Media

Critical infrastructure is constantly under attack by threat actors. This is an all-inclusive term relating to the industries that are vital to the regular functioning of the U.S., including energy, telecommunications, government industries and several others. One of the pieces of critical infrastructure that is a staple in getting from point A to point B is the transportation sector, and that includes the aerospace industry.

In 2018, an airport in Bristol, England, felt this increased risk firsthand when it incurred a ransomware attack that took TVs displaying flight information offline airport-wide, causing confusion as to which flights were taking off from which gate. The airport refused to pay the ransom and manually brought their systems back online. Even though nothing came of this attack, it demonstrates how vulnerable connected devices and systems can be.

Other transportation sector cyberattacks

Bristol isn’t the only airport to have been hit by a cyberattack in the last decade. In 2015, one hack left 1,400 passengers stranded at Polish airline LOT. This was a distributed denial-of-service (DDoS) attack on LOT’s IT systems that resulted in grounded flights because LOT was unable to issue flight plans to outbound planes. Systems were offline for five hours.

In 2016, the San Francisco’s Municipal Transportation Agency (SFMTA) rail system got hit by a ransomware attack that encrypted all SFMTA data. The perpetrators claimed they would unlock the data if the ransom were paid — 100 bitcoin, or $73,000 at the time. While nothing bad happened OT-wise, Muni riders got several free days of rail rides because of the IT breach. Interestingly, the threat actor was hacked by a security researcher, who was able to observe the workings of the cyberattack as it occurred.

More recently in October 2022, cyberattacks forced multiple U.S. airport websites offline, including major ones like LaGuardia and O’Hare. These cyberattacks didn’t impact flights or the airports themselves, but caused a major inconvenience to passengers, according to The Guardian. These attacks are confirmed to have come from Russian hacktivist group Killnet.

Bristol ransomware attack execution and fallout

The entrance point of the Bristol ransomware appears to have been network-connected computers, which allowed threat actors remote access. The adversary encrypted information that caused the Bristol Airport to shut down the displays with flight information.

According to the BBC, James Gore, spokesperson for Bristol Airport, said: “We believe there was an online attempt to target part of our administrative systems and that required us to take a number of applications offline as a precautionary measure, including the one that provides our data for flight information screens.”

Though the threat actor(s) demanded payment to unencrypt the lost data — an undisclosed sum, likely in the form of cryptocurrency — Bristol Airport refused to pay it and took the infected systems offline to restore them manually. Restoring the systems took two days. According to Business Insider, “This was in line with the typical response to a ransomware attack, following the lead of the UK’s NHS as well as the city of Atlanta, where officials worked around ransomware to restore service and avoid rewarding hackers.”

According to ZDNET, “For all Friday, Saturday, and the subsequent night, airport officials have been using paper posters and whiteboards to announce check-in and arrival information for flights going through the airport.” This attack didn’t cause any flight delays or cancellations; however, if the threat actors had been more savvy, they could have caused similar havoc to the LOT airline situation. It’s more than likely this was an attempt to make a quick buck.

The importance of protecting the transportation sector from malware

In the modern age of connectivity, it is absolutely imperative that critical systems — especially those of critical infrastructure— are protected from threat actors. The Cybersecurity and Infrastructure Security Agency (CISA) outlines several tips to protect against ransomware specifically:

  • Exercise strong cyber hygiene: Regularly check your systems for vulnerabilities to limit the attack surface of threat actors.
  • Report suspicious behavior: This can help get a jump on a cyberattack. It’s better to be safe than sorry.
  • Back up critical files: If a ransomware attack occurs and you have file backups, you will be able to restore your systems more swiftly.
  • Patch and update systems: This will ensure your systems are up to date with the latest software and patches.

While it’s impossible to stop all cyberattacks from happening, implementing best practices will reduce your attack surface and help you bounce back from a cyberattack faster.




Keep your finger on the pulse of top industry news