{
	"id": "61e5847f-43ed-4cb6-9148-1ad1dd8388cc",
	"created_at": "2026-04-06T00:06:36.725684Z",
	"updated_at": "2026-04-10T03:31:13.757131Z",
	"deleted_at": null,
	"sha1_hash": "43097c0c14e7ad343b3b88c8eba08fb59d3bf7d7",
	"title": "Resecurity | The Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12663821,
	"plain_text": "Resecurity | The Aviation and Aerospace Sectors Face Skyrocketing\r\nCyber Threats\r\nPublished: 2024-03-16 · Archived: 2026-04-05 16:59:41 UTC\r\nExecutive Summary\r\nThis Resecurity report highlights recent cyber incidents targeting the aerospace and aviation sectors and\r\nemphasizes the importance of rigorous cybersecurity risk assessments for airports. It’s important to note the\r\ndistinct technical definitions that distinguish the aerospace and aviation industries.\r\nWhile aviation pertains to flying or controlling the aircraft, aerospace refers to the “design, manufacturing, and\r\nmaintenance of aircrafts or spacecrafts and can be thought of as the science of flight within Earth’s atmosphere as\r\nwell as outside it,” according to industrial manufacturer Peli. For the purposes of this report, these terms may\r\noccasionally be used interchangeably.\r\nResecurity’s report will highlight recent malicious cyber-activity targeting the aerospace sector. Resecurity will\r\nalso discuss how cybersecurity risk assessments can help the aerospace sector prevent cyberattacks and outline the\r\ntypes of threat-modeling needed for industry stakeholders to achieve a comprehensive security posture in their\r\norganizations.\r\nAerospace Cyber-Threat Overview\r\nThe aerospace sector has become a rising target for cyberattacks due to its reliance on vastly interconnected digital\r\ninfrastructures, global supply chains, and the torrential volume of sensitive data it handles. More recently, this\r\nattack trend has been amplified by the rapidly growing integration of Industrial Internet of Things (IIoT)\r\ntechnologies, rising geopolitical tensions, and the U.S. 
government's decision to designate aerospace and aviation\r\nas critical infrastructure.\r\nSpeaking on a panel at the 2023 Aviation Week MRO Americas Conference held in Atlanta last April, Boeing\r\nChief Security Officer Richard Puckett noted that \"occurrences of ransomware inside the aviation supply chain\"\r\nhad shot up 600% in 2022. This sectoral ransomware trend has persisted since Puckett flagged the threat,\r\nheadlined by LockBit 3.0’s breach of Boeing last November and its alleged compromise of the non-profit\r\nAerospace Corporation this year.\r\nhttps://www.resecurity.com/blog/article/the-aviation-and-aerospace-sectors-face-skyrocketing-cyber-threats\r\nPage 1 of 26\n\nOverall, ransomware is one of the top threats facing the aviation industry, if not the leading one in some\r\njurisdictions. In 2023, the European Organization for the Safety of Air Navigation (Eurocontrol) reported that\r\nransomware was the sector's leading attack trend in 2022, accounting for 22% of all malicious incidents. At the\r\nAtlanta conference, Puckett also said that industry defenders must “begin to account for the extended ecosystem\r\nof connectivity ... Increasing requests for sensors on almost every working part of the aircraft makes it more\r\nefficient but it also makes it more vulnerable because anything that sends or receives a signal can be hacked.” In\r\nother words, the IIoT-driven expansion of digital connectivity has drastically amplified the attack surface for\r\naerospace organizations at more granular levels of their supply chain.\r\nDiscussing the modern aviation sector’s attack surface, an Aerospace Testing International report published last\r\nyear said it had “grown significantly as remote systems like IoT sensors, actuators, biometric readers, robotics and\r\ncloud applications require web connectivity.” The report also noted that “mobile phones and bring your own\r\ndevice (BYOD) policies add more weaknesses. 
Important targets for hackers include reservation systems, flight\r\nhistory servers, ticket booking portals, flight management systems and cabin crew devices.”\r\nIn an increasingly fragmented geopolitical landscape reshaped by the war in Ukraine and the eruption of hostilities\r\nin the Middle East, the aerospace sector’s designation as critical infrastructure is also fueling more cyberattacks.\r\nAt last year’s Aviation Week conference, United Airlines Director of Cybersecurity Jen Miosi addressed this topic,\r\nsaying that the label “paints a target on airspace’s back for threat actors to want to take advantage of that critical\r\ninfrastructure.”\r\nIncluded in the U.S. Cybersecurity and Infrastructure Security Agency's definition of aviation-related critical\r\ninfrastructure are “aircraft, air traffic control systems, and about 19,700 airports, heliports, and landing strips.”\r\nAdditionally, the aviation category includes “commercial and recreational aircraft (manned and unmanned) and a\r\nwide variety of support services, such as aircraft repair stations, fueling facilities, navigation aids, and flight\r\nschools,” according to CISA.\r\nOverall, the critical infrastructure label has made the aviation sector even more enticing to advanced persistent\r\nthreat groups and, most notably, hacktivist collectives. Jeffrey Troy, the chief executive of the Aviation\r\nInformation Sharing and Analysis Center (Aviation ISAC), cited the growing hacktivist threat at last year’s\r\nconference, describing these attackers as “people who essentially do some type of cyber activity with the sense of\r\nsupporting a particular political agenda.” “Without a doubt the threat side of this equation is increasing,”\r\nTroy said of hacktivist operations. 
The outbreak of war in Gaza has further escalated hacktivist activity\r\ntargeting the aviation sector.\r\nMost recently, Resecurity observed apparent Gaza-nexus hacktivist activity in a DDoS attack conducted against\r\nJohn Lennon Airport in Liverpool, UK, by a threat-actor group calling themselves the “Anonymous Collective.” A\r\nspokesperson for the airport confirmed to the news site Cyber Express that the March 11 attack caused\r\n\"intermittent disruption\" to the organization’s website. In a Telegram post, Anonymous Collective said their DDoS\r\nattack was “in retaliation for [sic] UK supports and helps the evil and terrorist state of israhell while Palestinian\r\nchildren and families are being murdered every single day by the IDF.”\r\nBut in terms of the aviation industry’s most critical threat exposures, panelists who spoke at the Atlanta\r\nconference generally agreed that cyber risks were most prominent in the “supporting ecosystem, rather than the\r\nairframe itself,” according to a panel recap published by the event sponsor. The panelists also agreed that \"risk\r\nprioritization is key,\" in addition to ensuring that “suppliers are thinking about cybersecurity,” according to the\r\nreport. However, the Aviation Week recap noted that these risk-management initiatives can be challenging for\r\nsome airlines, as some of their contracts are at least a decade old. 
As such, these contracts may lack any\r\nmeaningful stipulations for cybersecurity and related controls.\r\nA Civil Aviation Supply Chain Cybersecurity Recommendations Report published by the Aerospace Industries\r\nAssociation in October 2023 expounded on threats to the sector’s supply chain in its ‘problem statement’ section.\r\nThe problem statement noted, \"Civil Aviation has an enormously complex and globally connected supply chain.\"\r\nThis globally diffuse complexity means that cyberattacks can “impact nearly everything in the supply chain, from\r\nthe data used to build physical structures, to the electronic components – the software and firmware of complex\r\nelectronic hardware (CEH) running in products or powering the servers providing services in addition to the\r\nelectronic hardware itself – as well as the data and production systems used to manufacture non-electronic\r\ncomponents such as structural items.”\r\nAs geopolitical tensions escalate worldwide, the risk of destructive cyberattacks targeting the civil aviation\r\nindustry and the aerospace sector in general has significantly increased. In the next section, Resecurity will detail\r\nrecent notable threat-actor activity targeting the aerospace and aviation sectors.\r\nRecent Cyberattacks Targeting the Aerospace Sector\r\nMysterious Team Bangladesh targets Saudi Arabian airport websites\r\nOn November 19, 2023, a group identifying themselves as \"Mysterious Team Bangladesh\" (MTB) executed a\r\nDistributed Denial of Service (DDoS) attack on several key Saudi Arabian airports. 
The affected airports included\r\nKing Abdulaziz International Airport (KAIA), King Fahd International Airport (KFIA), Prince Naif bin Abdulaziz\r\nInternational Airport, and Prince Mohammad bin Abdulaziz International Airport.\r\nKing Abdulaziz International Airport (KAIA)\r\nWebsite: https://www.kaia.sa/\r\nCheck-host.net Report: https://check-host.net/check-report/13561ad5k437\r\nKing Fahd International Airport (KFIA)\r\nWebsite: https://kfia.gov.sa/\r\nCheck-host.net Report: https://check-host.net/check-report/13561c2dk206\r\nPrince Naif bin Abdulaziz International Airport\r\nWebsite: https://www.matarat.com.sa/\r\nCheck-host.net Report: https://check-host.net/check-report/13561ddbk34e\r\nPrince Mohammad bin Abdulaziz International Airport\r\nWebsite: https://www.tibahairports.com/\r\nCheck-host.net Report: https://check-host.net/check-report/135621c0kb15\r\nMTB's message concluded with a cryptic \"Expect us..\" and included the hashtags #MTB and #SavePalestine.\r\nAs of now, the identity and motivations of MTB remain unclear. MTB’s use of the #SavePalestine hashtag\r\nsuggests potential ideological or political motivations related to the Gaza conflict. 
However, getting to the root\r\ncause of this hacktivist posturing requires deeper investigation to discern the true intent behind the attack and any\r\npotential connections to broader geopolitical issues.\r\nCyberattack against Air Albania\r\nAir Albania, the flag carrier airline of Albania, was listed as a target by the LockBit ransomware group. Albania\r\nhas been facing cyber-attacks in recent months, for which its government blamed Iran-sponsored threat actors. The\r\nrelationship between the two nations has been tense for years and has only worsened after reports of Albania\r\nproviding refuge to members of the opposition group, People’s Mujahedeen of Iran (MEK), surfaced. The LockBit\r\nransomware gang has been targeting the aviation sector frequently. It attacked Bangkok Airways, a major airline\r\ncompany in Thailand, in September 2021, Israeli aerospace and defense firm E.M.I.T Aviation Consulting in\r\nOctober 2021, and Kuwait Airlines in June 2022.\r\nIt is not clear exactly how the airline was compromised, but in the leaked data set the LockBit gang included a\r\nMetasploit Framework folder. The threat actors probably wanted to highlight their use of a post-exploitation framework\r\nand the significant intrusion they performed into the IT infrastructure to exfiltrate data from several employees and\r\navailable file shares.\r\n‘Host Kill Crew Hackers’ targets Cambodia Angkor Air\r\nA lesser-known hacker group, which calls itself Host Kill Crew, has taken responsibility for the Cambodia Angkor\r\nAir cyberattack. 
The group posted details of the attack on their Telegram channel with claims of a DDoS\r\n(Distributed Denial of Service) attack that halted the airline's online services for a while.\r\nCyberattack on Gulf Air\r\nOn November 22, 2023, a threat-actor group calling themselves ALTOUFAN TEAM announced their intent to\r\nconduct a Distributed Denial of Service (DDoS) attack against Gulf Air, the national carrier of Bahrain. The threat,\r\nposted on X (Twitter), explicitly links their actions to support for the Palestinian cause in the wake of the Israel-Hamas war that erupted last October. This cyberattack threat aligns with their stated objective of disrupting\r\nentities perceived to be associated with or supportive of the “Zionist entity.”\r\nIn a follow-up tweet posted the same day, ALTOUFAN TEAM said it had carried out a successful DDoS attack\r\nagainst Gulf Air and Bahrain International Airport.\r\nThe DDoS attacks executed by ALTOUFAN TEAM successfully disrupted the online services of Gulf Air, causing\r\noperational disturbances and inconveniences for the airline's customers. While the duration and extent of the\r\ndisruption remain under investigation, initial reports indicate a notable impact on the availability of Gulf Air's\r\ndigital platforms and services.\r\nBahrain International Airport’s online portal was also temporarily rendered inaccessible by a related DDoS attack the same\r\nday. On November 25, 2023, Gulf Air also announced that its data was breached the previous day. 
However,\r\nBahrain's news agency BNA reported that the airline’s “operations and vital systems were not affected.”\r\nA Reuters write-up on the incident noted that BNA quoted Gulf Air as saying that \"as a result of this illegal breach\r\nsome information from the company's email system and customers' database could be compromised,\" adding that\r\nemergency plans were deployed to contain the breach.\r\nQatar Airways Data Allegedly Leaked by R00TK1T ISC Cyber Team\r\nOn December 29, 2023, threat-actor group “R00TK1T ISC Cyber Team” claimed a successful breach of Qatar\r\nAirways in a long and detailed message posted on Telegram. First, the threat actors said they had compromised the\r\nairline’s ADOC Navigator system for Airbus A330 and A350 aircraft. This breach, they claimed, granted them access to a\r\ntreasure trove of confidential flight data, maintenance schedules, and operational intricacies.\r\nThe threat actor's infiltration extended beyond the Airbus fleet, as they boasted about breaching Qatar Airways'\r\nBoeing 787 Toolbox Remote Data Package. This unauthorized access provides the attacker with critical software,\r\nmaintenance logs, and even control over flight systems, turning the aircraft into their personal playground.\r\nR00TK1T also claimed to have infiltrated Qatar Airways' internal interview recordings, exposing hidden\r\nconversations, hiring practices, and decision-making processes within the airline. 
This breach into the company's\r\ninternal affairs raises concerns about the compromise of sensitive personnel data and potential impacts on the\r\nairline's operations.\r\nFurther escalating the severity of the breach, R00TK1T alleged they had decrypted Qatar Airways' sample\r\ndocuments, laying bare the inner workings of the airline. The threat actor’s claims suggest that passenger\r\nmanifests, cargo manifests, boarding procedures, and security protocols are now exposed, challenging the airline's\r\nability to maintain confidentiality and operational security.\r\nThe threat actor also issued a warning to news sites underestimating the extent of the breach, threatening a follow-up post primed to expose the latter’s “ignorance and incompetence” and all those “who underestimate our power.”\r\nR00TK1T concluded their announcement by saying that they have more than 400GB of additional Qatar Airways\r\ndata to sift through, offering the company an opportunity to negotiate and prevent further data leaks. The message\r\nalso included a password for accessing the Qatar Airways files: R00TK1TDARKNET.\r\nThe ominous tagline, \"Security Is Just an Illusion, Privacy Is Just Another Illusion,\" along with a defiant statement\r\nagainst society and the system, adds more panache to R00TK1T's declaration that they can strike \"anywhere,\r\nanytime.\" The message serves as a stark reminder that there are threat actors in operation who aspire to disrupt\r\nairline operations via increasingly destructive cyberattacks. 
As such, this sector must remain vigilant against\r\nattackers who are becoming bolder, more determined, and more aggressive in their targeting of aviation\r\norganizations.\r\nDark Strom Team's DDoS Attack on Los Angeles Airport\r\nOn February 12, 2024, Los Angeles International Airport (LAX) fell victim to a disruptive DDoS attack\r\nconducted by the Dark Strom Team. This incident further underscores the vulnerability of critical aviation\r\ninfrastructure to cyber threats.\r\nDark Strom Team, a notorious hacking group, has gained infamy for conducting various cyberattacks, with a\r\nparticular affinity for DDoS campaigns to overwhelm and paralyze targeted websites.\r\nThe attack on LAX on February 12, 2024, was characterized by a massive surge in network traffic directed\r\ntowards the airport's online platforms. The surge in traffic overwhelmed the servers, causing a temporary\r\nshutdown of the airport-la.com website and disrupting online services for both passengers and airport staff.\r\nThe motivation behind Dark Strom Team's attack on LAX remains subject to speculation. However, the impact\r\nwas immediate and significant. Passengers relying on the airport's online services for flight information, bookings,\r\nand other essential functions were left in disarray. Airport authorities faced challenges in providing real-time\r\nupdates, exacerbating the inconvenience caused by the cyberattack.\r\nIn response to the DDoS attack, the airport's cybersecurity team swiftly operationalized mitigation protocols. 
This\r\nresponse involved rerouting and filtering the malicious traffic to restore normalcy to the affected online platforms.\r\nThe incident prompted a comprehensive review of the airport's cybersecurity infrastructure to fortify defenses\r\nagainst future attacks of this nature.\r\nAttributing cyberattacks to specific entities can be challenging, given the anonymity and obfuscation measures\r\nemployed by hacking groups. Nevertheless, LAX stakeholders initiated an investigation to trace the origin of the\r\nattack. LAX’s collaboration with law enforcement and cybersecurity incident response firms intensified to identify\r\nthe threat actors behind Dark Strom Team.\r\nThe Dark Strom Team's DDoS attack on LAX highlights the critical need for continuous cybersecurity\r\nassessments and the implementation of proactive mitigation measures at airports. This attack highlights the\r\nimportance of robust incident-response planning, collaboration with cybersecurity agencies, and the\r\nimplementation of advanced DDoS mitigation strategies to safeguard the continuous operation of essential airport\r\nservices.\r\nSilitNetwork Targets RwandAir Ltd\r\nOn February 16, 2024, a hacking group known as SilitNetwork launched a cyberattack against RwandAir Ltd,\r\nthe national flag carrier of Rwanda. This incident highlights the vulnerability of the aviation industry and raises\r\nconcerns about the potential repercussions on airline operations and passenger data security.\r\nSilitNetwork has gained notoriety for its involvement in cyberattacks that often target high-profile entities for\r\nvarious motives, including financial gain, political considerations, or simply to showcase their hacking\r\ncapabilities. 
The group utilizes diverse tactics, techniques, and procedures (TTPs) to breach their targets.\r\nThe attack on RwandAir Ltd was a targeted effort aimed at compromising the airline's digital infrastructure.\r\nSilitNetwork utilized sophisticated methods, possibly including social engineering, phishing, or exploiting\r\nsoftware vulnerabilities, to gain unauthorized access to RwandAir's systems. Once inside the airline's network, the\r\nhackers exploited weaknesses in the airline's cyber defenses.\r\nThe specific motivations behind SilitNetwork's attack on RwandAir remain speculative, as hacking groups often\r\noperate with varied objectives. Possible motivations include the theft of sensitive passenger information,\r\ndisruption of airline operations, or even extortion attempts. The impact, however, was significant, affecting both\r\nthe airline's digital assets and potentially compromising the confidentiality and integrity of passenger data.\r\nThe attack could have disrupted critical operational functions, leading to flight delays, cancellations, or challenges\r\nin managing reservations and customer services. Moreover, the compromise of sensitive data poses serious\r\nconcerns regarding passenger privacy and the potential for identity theft or other malicious activities.\r\nAttributing cyberattacks to specific entities, especially sophisticated hacking groups, is challenging due to the use\r\nof advanced obfuscation techniques. RwandAir collaborated with national and international cybersecurity\r\nagencies to investigate the attack, share threat intelligence, and potentially identify the individuals or entities\r\nresponsible for the intrusion. 
The SilitNetwork attack on RwandAir further underscores the need for robust\r\ncybersecurity measures and constant vigilance within the aviation industry.\r\nSaudia MRO Falls Victim to 8BASE Ransomware\r\nOn February 28, 2024, Saudia Technic, the maintenance, repair, and overhaul (MRO) division of Saudi Arabian\r\nAirlines, became the target of a severe cyberattack staged by the notorious 8BASE ransomware gang. This\r\nincident not only highlighted the vulnerabilities within critical aviation infrastructure but also raised concerns\r\nabout the potential impact on aircraft maintenance and operational safety.\r\n8BASE is a sophisticated strain of ransomware known for its ability to infiltrate and encrypt sensitive files,\r\nrendering them inaccessible until a ransom is paid. Ransomware attacks have become increasingly prevalent, with\r\nthreat actors targeting organizations across various sectors for financial gain. This attack typology rose by 600% in\r\n2022, according to Boeing research.\r\nThe attack on Saudia Technic involved the deployment of 8BASE ransomware, which likely entered the\r\norganization's network through phishing emails. Once inside, the ransomware variant encrypted crucial files and\r\ndemanded a ransom payment in exchange for the decryption key.\r\nCompromised targets within Saudia Technic’s systems may have included critical maintenance and operational\r\ndatabases, documentation, and communication channels, thereby disrupting essential Saudi Arabian Airlines\r\nservices.\r\nThe primary motivation behind this 8BASE ransomware attack was financial gain. Threat actors encrypted\r\nessential files and demanded a ransom for the release of the decryption key. 
The impact on Saudia Technic was\r\nprofound, potentially leading to significant disruptions in aircraft maintenance schedules, operational planning,\r\nand communication systems.\r\nThe compromise of maintenance data raises concerns about the integrity of critical safety information, posing\r\nrisks to aircraft reliability and compliance with aviation regulatory standards. Furthermore, the financial and\r\nreputational damage resulting from these incidents can be substantial for affected aviation organizations.\r\nAttributing ransomware attacks to specific threat actors can be challenging due to the use of anonymized payment\r\nmethods and sophisticated evasion techniques. However, investigators likely conducted probes to trace the origin\r\nof the 8BASE ransomware, understand the attack vector, and gather intelligence to bolster cybersecurity defenses.\r\nThe Saudia Technic incident further illustrates the critical importance of cybersecurity in the aerospace sector. It\r\nhighlights the need for robust measures to protect essential data, ensure the continuity of operations, and safeguard\r\nthe safety of aircraft systems.\r\nContinental Aerospace Technologies Falls Victim to PLAY Ransomware\r\nOn March 9, 2024, Continental Aerospace Technologies, an Alabama-based aircraft engine manufacturer,\r\nexperienced a severe cyberattack attributed to PLAY ransomware. This incident underscores the prevailing threats\r\nto the aerospace supply chain, echoing the thought leadership of the cybersecurity panelists at last year's Aviation\r\nWeek conference.\r\nPLAY ransomware is a sophisticated form of malicious software designed to encrypt files on a victim's system,\r\nrendering them inaccessible until a ransom is paid. 
These attacks have become one of the top threats facing the\r\naerospace sector, with threat actors exploiting vulnerabilities in organizational defenses typically for financial\r\ngain.\r\nThe attack on Continental Aerospace Technologies likely involved the infiltration of their network by threat actors\r\nusing tactics such as phishing emails, compromised software, or exploiting unpatched vulnerabilities. Once inside\r\nthe network, threat actors deployed PLAY ransomware to encrypt critical files, including manufacturing\r\nschematics, operational data, and possibly sensitive employee information.\r\nThe attackers subsequently demanded a ransom payment in exchange for providing the decryption key. The\r\nprimary motivation behind PLAY ransomware attacks is financial gain, with threat actors seeking payment in\r\ncryptocurrency to release the encrypted files. The impact on Continental Aerospace Technologies was substantial,\r\npotentially disrupting manufacturing processes, compromising sensitive intellectual property, and affecting the\r\ncompany's operational efficiency.\r\nThe compromise of manufacturing schematics raises concerns about the potential manipulation of design data,\r\npotentially leading to faulty components or compromising the safety of aerospace systems. The financial and\r\nreputational fallout resulting from such incidents can also be significant for targeted organizations.\r\nAttributing ransomware attacks to specific threat actors is challenging due to the use of anonymous payment\r\nmethods and evasion techniques. 
However, Continental Aerospace Technologies likely collaborated with\r\ncybersecurity experts, law enforcement agencies, and industry partners to investigate the origins of the PLAY\r\nransomware infection chain, analyze the attack vector, and gather intelligence to strengthen future defenses.\r\nThe PLAY ransomware incident at Continental Aerospace Technologies highlights the critical importance of\r\nrigorous cybersecurity assessments in the aerospace manufacturing sector. This attack underscores the need for\r\nrobust threat-modeling and the implementation of corresponding measures to protect intellectual property,\r\nmaintain operational continuity, and ensure the safety of aerospace supply chains.\r\nCybersecurity Risk and Threat Assessment\r\nTo mitigate the recent cybersecurity threats and data breaches, we strongly advise conducting proactive cyber risk\r\nand threat assessments for businesses in the aviation industry, including their information technology (IT) and\r\noperational technology (OT) supply chains.\r\nThe scope of the assessment included the following systems:\r\nTelecommunications infrastructure and systems\r\nDigital Transmission System (DTS) including Corporate Network\r\nTelephony System (TEL)\r\nTime Distribution System (TDS)\r\nVoice Radio TETRA System (RADIO)\r\nData Broadband Radio System for ground-to-board (BBRS) \u0026 Wi-Fi Access (WA)\r\nPublic Address System (PAS) \u0026 Public Information System (PIS) and Commercial TV (COMTV)\r\nUPS (backup power supply)\r\nHealth and safety instrumentation\r\nOnline-Services and Applications (e-ticketing, e-invoicing, VIP services, etc.)\r\nSecurity systems\r\nAccess Control System and Intrusion Detection System (ACS \u0026 IDS)\r\nFire Detection System (FDS)\r\nClosed-Circuit TV (CCTV), including Daily Telephony system\r\nSupervision systems\r\nSupervisory Control and 
Data Acquisition (SCADA) system\r\nMaintenance Management System (MMS)\r\nCCS IT (Common Infrastructure for various CCS subsystems)\r\nFuel farms\r\nATC and radars\r\nCargo handling facility\r\nWeather monitoring infrastructure\r\nHow Cybersecurity Assessments Can Help Prevent Incidents\r\nA comprehensive cybersecurity assessment plays a crucial role in identifying vulnerabilities and mitigating risks\r\nwithin an airport's systems. Here's how:\r\nVulnerability Identification: Assessments can uncover weaknesses in networks, systems, and\r\napplications. This approach promotes the timely patching of vulnerabilities before they can be exploited by\r\nattackers.\r\nRisk Prioritization: Assessments help categorize identified vulnerabilities based on their severity and\r\npotential impact. This enables airports to prioritize resources and address the most critical risks first. Risk\r\ntriaging is particularly vital in assessing aviation supply-chain security.\r\nSecurity Policy Evaluation: Assessments evaluate existing security policies and procedures to ensure\r\ntheir effectiveness in preventing attacks. This includes reviewing password complexity, access controls,\r\nand incident response plans.\r\nEmployee Awareness: Assessments can highlight the need for employee training on cybersecurity best\r\npractices. Training can help employees identify phishing attempts and avoid other social engineering\r\ntactics. 
In the BYOD era, training can also help personnel maintain better cybersecurity hygiene on their\r\npersonal devices.\r\nExternal Threat Monitoring: Leveraging Cyber-Threat Intelligence (CTI) enhances prevention by\r\nproviding real-time insights, enabling proactive measures, and fostering collaborative defenses against\r\nevolving cyber threats in airport environments.\r\nBy conducting rigorous cybersecurity assessments and implementing risk-based measures tailored to their unique\r\nthreat models, airports can significantly improve their overall security posture and make themselves less\r\nsusceptible to cyberattacks.\r\nTypes of Cybersecurity Assessments\r\nThere are various types of cybersecurity assessments, each with its specific focus:\r\nNetwork Security Assessments: Evaluate the security posture of an airport's network infrastructure,\r\nidentifying vulnerabilities like weak configurations and unauthorized access points.\r\nVulnerability Assessments: These assessments focus on identifying specific vulnerabilities within systems\r\nand applications used within the airport. This includes identifying outdated software and insecure coding\r\npractices.\r\nPenetration Testing: Simulates a cyberattack to identify exploitable weaknesses in systems and\r\napplications. This proactive approach allows airports to address vulnerabilities before attackers can\r\ndiscover them.\r\nSocial Engineering Assessments: Evaluate employee awareness and susceptibility to social engineering\r\ntactics like phishing emails and phone scams.\r\nAirport Cybersecurity Assessment: Scope and Methodology\r\nWhen conducting a comprehensive airport cybersecurity assessment, it is imperative to address various critical\r\nsystems that form the backbone of airport operations. Cybersecurity assessments are essential to identify\r\nvulnerabilities, mitigate risks, and ensure the overall resilience of the airport's infrastructure. 
The scope\r\nencompasses a wide range of systems, each playing a crucial role in maintaining the airport's functionality, safety,\r\nand security.\r\nTelecommunications Infrastructure and Systems\r\nDigital Transmission System (DTS), including Corporate Network:\r\nThe assessment will focus on evaluating the security protocols, encryption methods, and access controls of the\r\nDTS and Corporate Network to safeguard sensitive data and prevent unauthorized access.\r\nTelephony System (TEL):\r\nA thorough examination of the Telephony System will include assessing its vulnerability to cyber threats, ensuring\r\nsecure communication channels, and implementing measures to protect against potential attacks.\r\nTime Distribution System (TDS):\r\nEvaluation of the TDS involves assessing its synchronization mechanisms, timekeeping accuracy, and\r\nvulnerability to disruptions to ensure precise coordination across the airport's systems.\r\nVoice Radio TETRA System (RADIO):\r\nThe assessment will analyze the security of the Voice Radio TETRA System, emphasizing encryption protocols,\r\nuser authentication, and measures to prevent interference or eavesdropping.\r\nData Broadband Radio System for ground-to-board (BBRS) \u0026 Wi-Fi Access (WA):\r\nSecurity assessments will concentrate on the integrity of data transmissions, authentication mechanisms, and\r\nsafeguards against unauthorized access, ensuring a secure and reliable communication environment.\r\nPublic Address System (PAS) \u0026 Public Information System (PIS) and Commercial TV (COMTV):\r\nThe focus will be on preventing unauthorized access and tampering of information dissemination systems,\r\nensuring the accuracy and reliability of public announcements and information displays.\r\nUPS (Backup Power Supply):\r\nThe assessment verifies the security of the backup power supply systems, ensuring 
their availability during critical\r\nsituations and safeguarding against cyber threats that may compromise their functionality.\r\nHealth and Safety Instrumentation:\r\nEnsuring the cybersecurity of health and safety instrumentation involves evaluating the integrity of data\r\ncollection, monitoring systems for potential vulnerabilities, and securing critical safety infrastructure against cyber\r\nthreats.\r\nSecurity Systems\r\nAccess Control System and Intrusion Detection System (ACS \u0026 IDS):\r\nThe assessment focuses on the effectiveness of access controls, user authentication mechanisms, and the\r\nrobustness of the Intrusion Detection System to detect and respond to potential security breaches.\r\nFire Detection System (FDS):\r\nThe cybersecurity assessment for the Fire Detection System will emphasize preventing false alarms, ensuring\r\ntimely detection, and securing communication channels to mitigate potential cyber threats.\r\nClosed Circuit TV (CCTV), including Daily Telephony System:\r\nEvaluation of CCTV systems involves assessing the integrity of video feeds, encryption methods, and ensuring\r\nsecure communication to prevent unauthorized access and tampering.\r\nSupervision Systems\r\nSupervisory Control and Data Acquisition (SCADA) System:\r\nThe assessment focuses on securing SCADA systems against cyber threats, ensuring data integrity, and\r\nimplementing measures to protect against unauthorized access or manipulation.\r\nMaintenance Management System (MMS):\r\nEvaluation of the MMS focuses on securing maintenance-related data, ensuring the integrity of system updates,\r\nand preventing unauthorized access to critical maintenance information.\r\nCCS IT (Common Infrastructure for various CCS subsystems):\r\nThe assessment evaluates the security of the Common Infrastructure, ensuring that it provides a robust 
foundation\r\nfor various CCS subsystems, preventing vulnerabilities that may compromise the entire system.\r\nFuel Farms\r\nThe assessment addresses the security posture of fuel farm systems, ensuring the integrity of fuel-related data,\r\nmonitoring for potential threats, and implementing measures to prevent unauthorized access.\r\nATC and Radars\r\nThis assessment focuses on securing Air Traffic Control (ATC) and radar systems, ensuring the integrity of\r\ncommunication channels, preventing interference, and safeguarding against cyber threats that may impact aviation\r\nsafety.\r\nCargo Handling Facility\r\nThe assessment evaluates the security posture of cargo handling systems, emphasizing data integrity, secure\r\ncommunication, and measures to prevent unauthorized access to cargo-related information.\r\nWeather Monitoring Infrastructure\r\nSecurity assessments for weather monitoring infrastructure focus on ensuring the accuracy of data collection,\r\nprotecting against potential cyber threats, and securing communication channels to prevent disruptions.\r\nWhen conducting the Airport Cybersecurity Assessment, a combination of vulnerability assessments, penetration\r\ntesting, and regular audits will be employed. The methodology will prioritize identifying potential weaknesses,\r\nrecommending mitigations, and ensuring ongoing monitoring and adaptation to the evolving cyber-threat\r\nlandscape. The overarching goal is to fortify the airport's systems against cyber threats, ensuring the ongoing\r\nsafety and operational continuity of airport systems.\r\nConclusion\r\nThe aerospace and aviation industries face a rapidly evolving threat landscape, making cybersecurity assessments\r\nan indispensable protocol for safeguarding airports, airlines, and passengers. 
By conducting regular assessments,\r\nairports can identify vulnerabilities, prioritize risks, and implement effective security measures. This proactive\r\napproach helps to mitigate the risk of malicious cyber incidents, ensuring smooth operations, protecting sensitive\r\ndata, and safeguarding employees and passengers.\r\nSource: https://www.resecurity.com/blog/article/the-aviation-and-aerospace-sectors-face-skyrocketing-cyber-threats",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.resecurity.com/blog/article/the-aviation-and-aerospace-sectors-face-skyrocketing-cyber-threats"
	],
	"report_names": [
		"the-aviation-and-aerospace-sectors-face-skyrocketing-cyber-threats"
	],
	"threat_actors": [
		{
			"id": "c823965c-acbe-4e75-8680-ca89e156da39",
			"created_at": "2024-03-28T02:00:05.762469Z",
			"updated_at": "2026-04-10T02:00:03.606267Z",
			"deleted_at": null,
			"main_name": "SilitNetwork",
			"aliases": [],
			"source_name": "MISPGALAXY:SilitNetwork",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8ee6bddb-cd53-4ccf-b33f-f8af06f729d0",
			"created_at": "2024-03-02T02:00:03.838391Z",
			"updated_at": "2026-04-10T02:00:03.600479Z",
			"deleted_at": null,
			"main_name": "R00tK1T",
			"aliases": [],
			"source_name": "MISPGALAXY:R00tK1T",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1359248c-351d-4e32-ac17-449907bd96ad",
			"created_at": "2024-12-21T02:00:02.859769Z",
			"updated_at": "2026-04-10T02:00:03.794895Z",
			"deleted_at": null,
			"main_name": "Altoufan Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Altoufan Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43097c0c14e7ad343b3b88c8eba08fb59d3bf7d7.pdf",
		"text": "https://archive.orkl.eu/43097c0c14e7ad343b3b88c8eba08fb59d3bf7d7.txt",
		"img": "https://archive.orkl.eu/43097c0c14e7ad343b3b88c8eba08fb59d3bf7d7.jpg"
	}
}