Skip to content

Ransomware Actors Target the Aviation Industry

Highlighting the importance of community information sharing, the newest target of ransomware threat actors is the aviation industry, spanning federal agencies, airports, airlines, and commercial aviation services companies. After record-breaking years in 2021 and 2022, ransomware continues to pose a devastating risk to critical infrastructure companies and organizations everywhere.

Read on to learn how cross-sector collaboration helps to counter ransomware actors targeting the aviation industry in 2023 and why hardening industry cybersecurity is essential to prevent future malicious incidents.

Outage Pauses All Domestic Flights

On the morning of January 11th, 2023, the Federal Aviation Administration (FAA) announced an outage of their Notice to Air Missions (NOTAM) system. This outage forced the FAA to pause all domestic flights until mid-morning. In the ensuing hours, speculation of a possible cyber-attack against the FAA grew to the point where US Transportation Secretary Pete Buttigieg stated that the Department of Transportation, which oversees the FAA, was not prepared to rule out a possible cyber-attack. A week later, however, the FAA announced the outage was due to contract personnel accidentally deleting files.

The information about the outage, its causes, and its impacts were shared across public and private partnerships within Hive-IQ. While the outage was not the result of a cyber-attack, it does highlight the risk of cyber-attacks against the American and global aviation industry and the need to prepare for future cyber events. As Gen. Paul Nakasone stated in 2021, “Stopping and protecting against cyberattacks takes private and public partnerships and 90% of the nation’s critical infrastructure is in the private sector.”

Aviation Must Take Cybersecurity Seriously

The American aviation industry manages nearly 45,000 flights, 2.9 million passengers, and around 121 million pounds of freight daily. Any disruption to operations can cause catastrophic damage to flight operations, and cyber-attacks can risk exposing millions of individuals’ personally identifiable information (PII). The need to track cyber threats, collaborate across the entire aviation ecosystem, and prepare defenses for the US aviation industry becomes even more evident when considering cyber actors’ recent focus on the airlines, airports, and aviation services industries.

Newest Target for Threat Actors: The Aviation Industry

In October 2022, the pro-Russian hacktivist group, Killnet, launched a distributed denial of service (DDoS) attack against 49 airports in 25 US states. While the attack did not affect ground and flight operations at these airports, it did push airport websites offline for a few hours. As a result, airport information was inaccessible to the public. The Killnet threat actor and activity were tracked, shared, and discussed across all critical infrastructure sectors in Hive-IQ.

More recently, on March 1st, 2023, Medusa Ransomware targeted and breached Kenya’s Airport Authority (KAA). The ransomware gang subsequently leaked airport reference maps and layouts, terminal information, construction requests, and staff PII, threatening Kenyan flight operations and airport networks. The community collaborated on Medusa observations, Indicators of Compromise (IOCs), and behaviors which can be found here.

A screenshot from the Medusa Blog shows the deadline for KAA to respond to the ransomware group. Image Source:
A screenshot from the Medusa Blog shows the deadline for KAA to respond to the ransomware group. Image Source:

Not just aviation agencies and airports, but multiple commercial aviation services companies were targets of ransomware attacks throughout February and March of 2023. These companies range from command console manufacturers to flight schools and galley insert manufacturing companies. The ransomware actors leaked company documents, contract information, and staff personally identifiable information.

The Aviation Industry Must Be Vigilant

While the above incidents didn’t directly impact the FAA, airlines, airports, or commercial aviation companies’ operations, their second-order effects could open the US aviation industry up to cyber-attacks. These ransomware examples highlight the necessity of cross-sector information sharing and collaboration to get ahead of the threats and proactively support community cyber defense.

The global aviation industry is in the crosshairs of cyber threat actors. The interconnectedness of the airline industry, which leads to its success, is also a path of opportunity for threat actors. Leaked data provides threat actors with detailed information which can be leveraged for more sophisticated cyber-attacks against US aviation. Understanding our weak points, avenues of approach, and this growing trend will ultimately help protect the aviation industry.

Beyond aviation, the industries and sectors which make up our digital ecosystem must work together to combat advancing cyber threats like ransomware. Last week’s release of the 2023 National Cybersecurity Strategy reinforces the call for deep and enduring collaboration between private and public entities to ensure we continually strengthen our cybersecurity posture. Through collaboration, we can communicate and act on threats that endanger networks, organizations, and livelihoods.

Join the discussion and learn more about these incidents on Hive-IQ.


Alex Lothstein
Intelligence Analyst at TeamWorx Security | Website

Alex is an Intelligence Analyst at TeamWorx Security. He has experience in the history/museum world researching, writing, and breaking down large pieces of information on complex topics into understandable bits for a general audience. His experience analyzing the past to better understand the present is a great asset in his intelligence research and writing.

Back To Top