Our friends at the US Federal Bureau of Investigation (FBI) have provided information regarding two potential case studies in which cyber or terrorist threat actors could compromise airport flight display screens to carry out an airport attack. As airports increasingly rely on the integration of Internet of Things (IoT) in airport facilities for operations including flight display screens, this interconnectedness provides opportunity to bad actors bent on disruption or worse. The FBI emphasizes they do not have specific information to suggest “US” airports are a current target of cyber-attacks, but other international airports have been targeted through malicious cyber and terrorist means.
Analysts suggest it is likely that an insider threat actor at an airport could, with high probability, install malware that compromises the IoT-connected flight display screens and deletes all flight information. This type of cyber-attack is possible due to global hacking incidents of airport flight screens and the identification of malware-infected computers at two US airports. This case would have a high impact, resulting in disruption of airport services, loss of consumer confidence, and financial damage.
- In July 2016, flight display screens at two airports in Vietnam were hacked to broadcast anti-Vietnamese slogans criticizing Vietnam’s claims of territory in the South China Sea (which China is claiming). Vietnam's transport ministry said a Chinese hacker was responsible for the attack.
- In June 2017, a cyber-attack targeted the computer networks at Boryspil and Kiev Airports in the Ukraine, crippling the official airport website and the flight arrival and departure displays. This attack was traced back to Russia, after a US cyber intelligence firm discovered it was part of a Russian group's ongoing hacking campaign.
Internet of Things at Airports
Almost all airports now face a new challenge as they become more connected through new technologies that integrate with the IoT in airport facilities for increased efficiencies. This creates vulnerabilities such as security breaches and malware. A breach in an airport system could impact security checks and affect office systems and the control of arrival and departure notifications. This would drastically affect an airport’s entire operation, resulting in lost revenue and a sullied reputation.
- In September 2018, the Bristol Airport in the United Kingdom faced a cyber-attack against flight display screens for two days. The hackers installed malware on the Internet-connected computers which controlled the flight display screens.
- In September 2018, several malicious files were found on a workstation at an identified US-based international airport which had been infected with the Emotet remote access trojan. In November 2018, a computer within an identified US airport in Pennsylvania had been compromised with Emotet malware via a malicious e-mail.
The following indicators could suggest the emergence of malware:
- Attempts to gain unauthorized access to restricted airport spaces or computers by airport personnel.
- Attempts by airport personnel to bypass authorization and work outside of a regular shift.
- Increased chatter on cyber-criminal forums pertaining to the development of malware which targets vulnerabilities in airport information systems connected to the IoT.
- Research and purchase of malware tools by US airport personnel.
- Increased phishing campaigns targeting US airport personnel.
The FBI places a low probability on a cyber-terrorism attack at US airports from an ISIS-inspired homegrown violent extremist (HVE) threat actor with a cyber capability, yet presents a possible example. An HVE, utilizing a remote access tool (RAT), could hack into airport flight display screens to message that a bomb has been placed in one of the terminals. They then instruct all passengers to move to another location in the airport, where a physical attack will be initiated. This case is mentioned due to the known interest by cyber jihadists in compromising airport systems, as well as terrorist attacks at airports. This exposes a continued interest by terrorists in targeting airports worldwide.
- In March 2016, two improvised explosive devices detonated at the Brussels Zaventem Airport in Belgium, and explosions also occurred at the Maelbeek subway station. Between the two sites, 32 civilians were killed, 250 were injured, and ISIS claimed responsibility.
- In June 2016, terrorists armed with explosives and guns left 42 people dead and injured 230 at Istanbul’s Ataturk Airport. In June 2014, the Tehrik-Taliban Pakistan attacked Karachi’s Jinnah International Airport killing 28 people using automatic weapons, hand grenades, rocket launchers, and setting fires.
- In July 2014, the Tunisian Hackers Team announced via social media their intent to launch cyber-attacks on US airport computer systems.
- In March 2011, a lone gunman opened fire and killed two US Air Force personnel and wounded two others at Germany’s Frankfurt International Airport.
The following indicators could suggest the emergence of this situation:
- Chatter on terrorist social media sites encouraging HVEs to acquire a cyber skill set.
- Development of malware educational materials by cyber jihadists for training.
- Development of online courses to exploit airport information technology.
- Tests of airport security following the theft of airport badges or uniforms.
- Cyber-criminal actors/enterprises offering services to terrorist organizations.
- Development of a specific RAT designed to hack into airport information display screens.
The short-term implication of these cases is the risk of malware infecting an airport information system, which can be mitigated by identifying systems not operating with modern security patches. It is vital for the aviation industry to identify such vulnerabilities before a risk evolves into a destructive cyber threat. Additionally, the long-term implication of these scenarios highlights the need to train airport personnel in security awareness of both technical and human threats. This applies to travelers as well. Maintaining awareness of one's surroundings is always important.
A multi-disciplinary approach is an ideal mitigation strategy. Cybersecurity preparedness levels at airports can be increased by regularly role-playing cyber-attack scenario exercises with the private sector, to include travelers, and local, state, and federal law enforcement entities.
Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
 Emotet malware is an advanced banking Trojan designed to steal sensitive data such as user credentials stored on the browser by eavesdropping on network traffic. Emotet malware is spread through e-mails containing malicious attachments or links, and is the most destructive malware affecting the private and public sector.
 FBI LIR 190503001, dtd 3 May 2019, re-released June 2019