Throwback Attack: Hack leaves 1,400 passengers of Polish airline LOT stranded

The suply chain is increasingly under threat
Courtesy: Brett Sayles

More than a dozen major U.S. airports were knocked offline this week as they found themselves in the crosshairs of a wide-scale cyberattack. While these attacks impacted public-facing websites at airports ranging from LaGuardia in New York City to Chicago’s O’Hare, they reportedly did not affect air traffic control systems, internal airport communications or any other critical operations. But this strike serves as a warning that no airline or airport is safe from threat actors — and this is far from the first attack on air travel or public transportation. In 2015, a cyberattack hit LOT Polish Airways, grounding aircraft and stranding thousands of passengers at Poland’s busiest airport.

The transportation sector, and specifically aviation, is considered by the Cybersecurity and Infrastructure Security Agency (CISA) as one of the “16 critical infrastructure sectors whose assets, systems and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” While most attacks on the aviation industry have historically impacted customer data and privacy, the strike on Poland’s national carrier demonstrated how these attacks can impact physical systems and keep planes out of the air.

The LOT DDoS attack

The attack on LOT occurred back in June 2015 and forced the carrier to cancel around 20 foreign and domestic flights, effectively grounding about 1,400 passengers. The attack temporarily paralyzed LOT’s computer systems at Frederic Chopin Airport in Warsaw, Poland’s capital city, disrupting the processing of passengers for the flight.

According to reports, hackers used a distributed denial-of-service (DDoS) attack on information technology (IT) systems to breach LOT’s ground computers for about five hours. As a result, LOT was unable to issue flight plans for outbound flights from its Warsaw hub, leaving a mass of frustrated passengers stuck in the terminal. DDoS attacks work by flooding computer servers with so many communication requests that it overloads the server and essentially renders them nonfunctional.

According to an article on the incident from CNN, “In the United States, the Federal Aviation Administration requires all aircraft to file a flight plan before takeoff. Domestic flight plan information is used to track the flight of an aircraft for its protection and identification purposes. The information is used by air traffic controllers to make sure all flights in the air are on a safe path.”

While the airline said there wasn’t any real danger to passengers since the attack didn’t affect any of the systems used by aircraft while in the air, Sebastian Mikosz, CEO of LOT, issued a stark warning to the industry in the wake of the event. He questioned whether the systems the world relies on to keep planes in the air and safe are secure from motivated threat actors. A LOT spokesperson said at the time that other airlines use similar software systems and are thus susceptible to similar attacks.

“This is an industry problem on a much wider scale, and for sure we have to give it more attention, if it can be given more attention” he told a news conference, per Reuters. “Because the attention is very high. And this is why I think we managed pretty quickly within a few hours to re-establish the functioning. But, yes, I expect it can happen to anyone anytime.”

Poland’s intelligence agency was enlisted to investigate the incursion, but the attackers are still publicly unknown.

Transportation sector under fire

The transportation sector is certainly no stranger to attacks like the one perpetrated on LOT. Hackers realize transportation systems are a pain point, as they can impact multitudes of people, and are therefore lucrative targets. In just the last few years, cyber criminals have caused issues with San Francisco’s Municipal Transportation Agency, Vancouver’s TransLink public transportation system and many others.

Just this week, another pro-Russian hacking collective took credit for temporarily taking down airport websites across the U.S. The strikes, which impacted the websites for Los Angeles International, Chicago O’Hare and Hartsfield-Jackson International in Atlanta, among others, have been attributed to a group charmingly known as Killnet, Russian “hacktivists” who support the Kremlin but are not directly linked to the government. One of the group’s signatures are DDoS attacks.

“We are pretty clear it’s a Russian cyber group that claimed responsibility,” Sen. Chuck Schumer, D-N.Y., said per ABC News, going on to connect the attacks to the Ukrainian bombing of a bridge in Crimea over the weekend. “We are asking our authorities to confirm who did it and then take the appropriate strong action, so the Russians know they cannot get away with this. Putin has a lot of nerve, after his brutal vicious war against the Ukrainian people, to now say he has the right to retaliate because they protected themselves with a bridge is outrageous.”

The hacking group listed a number of U.S. airports on Telegram, urging other hackers to join in on the DDoS attack and help cause massive disruptions. These attacks were likely prompted by anti-American sentiment in Russia for the U.S.’s support of Ukraine in the ongoing conflict.

These recent cyberattacks were quickly discovered and remediated, but they are a further example of attackers going after critical infrastructure systems that masses of people rely on every day. If and when these attacks expand beyond IT systems into physical systems — which several hackers have claimed is possible — it can have a huge impact on human life and safety. But even when IT is the target, as with the LOT cyberattack, networks are often so intertwined that physical operations are still shut down.

The LOT Polish Airways attack was a warning to airports and airlines across the world, and will most certainly not be the last cyberattack of its kind.




Keep your finger on the pulse of top industry news