Aviation services firm Swissport, which operates at more than 300 airports around the world handling more than 280 million passengers and nearly five million tonnes of cargo per annum, has said it successfully contained a ransomware attack on its systems that saw a small number of flights from Zurich Airport delayed, but otherwise had a limited impact.
The attack, by an undisclosed actor, took place early on the morning of Thursday 3 February, but appears to have done little damage to the firm’s ability to conduct its day-to-day operations – which include cargo and baggage handling, passenger security screening, facilities maintenance and cleaning, and hospitality services.
In a statement circulated via social media website Twitter on Friday 4 February, Swissport confirmed part of its infrastructure had been subject to an attack, but that it had been “largely contained”.
Shortly after 10am on Saturday 5 February, a spokesperson for the organisation posted: “IT security incident at Swissport contained. Affected infrastructure swiftly taken offline. Manual workarounds or fallback systems secured operation at all times. Full system clean-up and restoration now under way. We apologise for any inconvenience.”
The apparent swift resolution to this particular cyber attack suggests Swissport has put in place appropriate ransomware mitigations and protective measures, including, crucially, the ability to successfully restore its systems from uncompromised backups.
The attack came at the tail end of a particularly active week for malicious actors targeting operators of what is termed critical national infrastructure (CNI), in Europe, with multiple targets in the oil industry also being hit, resulting in some disruption to fuel supply chains, and raising questions over the provenance of the attacks and the possibility of links to Russia-backed groups given the unfolding Ukraine crisis – although this is not proved.
“This is the third attack in a week on European critical infrastructure providers,” said Andy Norton, European cyber risk officer at Armis. “The attacks have focussed on the ancillary IT services that surround the production system or service. Whether the surge in attacks is related to current geopolitical events is unknown. However, providers of critical services should immediately review the adequacy of their risk assessments from cyber threat with emphasis on the criticality of the ancillary IT systems that have increased connectivity and the potential to impact the OT and ICS production and service delivery.”
Cybereason chief security officer Sam Curry added: “What we do know is that Swissport transports more than a quarter of a billion passengers annually, and if a determined and well-funded hacker group is interested in carrying out an espionage campaign to gain an upper hand on the world stage, airlines are prime targets.
“A growing trend investigated by Cybereason researchers is the increase in global attacks where ransomware is used against targets following data exfiltration in order to inflict damage to systems and hamper forensics investigations,” he said.
“Critical infrastructure industries including the airline industry have targets on their back, and face a relentless and persistent attacker.”
