Words | David Smith
Business aviation security expert Josh Wheeler worries more about ransomware than the multitude of other cybersecurity threats. Cyber criminals used to rely on installing ransomware files on computers, he says, but they have discovered more cunning strategies to tempt users to download malware. “Ransomware scares me most because there’s very little effort required to make it happen,” says Wheeler, who is senior director of cybersecurity at US aviation-connectivity company Satcom Direct.
The implications of ransomware attacks for business aviation operators and the high-net-worth individuals they fly are potentially dire. A ransomware attack can expose a company’s sensitive commercial data or ground an airline’s entire fleet of aircraft. When malware is downloaded onto a digital device, it gains access to sensitive private data, which is then held “hostage” with encryption until the victim pays a ransom. Even if the ransom is paid, there is no guarantee the thieves will keep their word.
In the days of more complex ransomware strategies, cyber criminals had to find a Windows computer with vulnerabilities such as outdated software. The malicious downloaded files would then link back to an inventory that provided admin rights and the keylog. “Today’s ransomware is usually an email, or even more terrifyingly just a text from someone you’ve never heard of. It might ask you to click on a link to verify a payment, or find out if you qualify for a loan,” says Wheeler.
“The hackers take advantage of global events – during the pandemic they offered Covid-relief loans for example. People might be a bit more desperate and let their guard down. There’s no need to install software. They just rely on humans being humans and volunteering information. And don’t forget ransomware folks are the kindest people you’ll ever meet. Their customer service is second to none.”
Aviation faces a ransomware attack every week, according to recent research from Eurocontrol. Ransomware mitigation measures cost aviation companies US$20 billion a year worldwide. Although ransomware represents only 5% of cyber attacks in aviation, the threat is growing fast and has “potentially immense, negative impacts”, Eurocontrol says.
A recent Eurocontrol report provides examples of ransomware incidents, including the March 2021 attack against Spirit Airlines. The Florida-based low-cost airline was hit by the Nefilim ransomware group, which published 33,000 files on its dark web portal. The data included financial information and sensitive details of customers who flew with Spirit between 2006 and 2021. Eurocontrol’s report also describes the June 2020 attack on the Texas maintenance provider VT San Antonio Aerospace by the Maze group, which resulted in the theft of 1.5 terabytes of sensitive data belonging to customers such as Air Canada, FedEx and UPS Airlines.
Although these examples involve companies operating mainly in commercial aviation, it is likely similar attacks are happening in business aviation, Wheeler believes. “For a long time, most publicly-traded companies in the US have had to reveal if they’ve been compromised, but the private sector hasn’t announced anything as it would affect their global positioning,” he says.
The susceptibility of smaller operators to ransomware is another reason for the business aviation world to be aware of the threat. British security consultant Ken Munro, who works for Pen Test Partners, says smaller operators often do not have the same degree of cyber controls as larger passenger airlines and airports. But when flying high-net-worth individuals, they should aim to provide even better cybersecurity.
The fallout from a ransomware attack can be far-reaching, he says. A ransomware attack on Alaskan airline RavnAir Group in December 2019 forced the company to ground six aircraft from its Dash 8 fleet. The airline subsequently went bust. “They lost their maintenance platform and had to cancel flights over a busy weekend, but there were terrible consequential impacts,” he says. “The RavnAir attack was on their ground-booking systems, which is by far the most likely factor as airlines cannot fly until they pay up.”
Although ransomware attacks are growing in number, the Eurocontrol survey shows that the biggest three cyber frauds in Europe involve data theft (36%), fake websites (35%) and phishing (16%). The financial impact of Covid-19 has presented new opportunities for cybercrime. There were more than five times as many cyber attacks in 2020 as the previous year. More than a third of aviation organizations were subjected to an attack and 61% of the incidents targeted airlines. Financial loss occurred in just over half the cases and the theft of personal data in a third.
One of the most high-profile attacks was on low-cost UK carrier EasyJet in May 2020, when nine million passengers had their personal information, email addresses and travel details exposed. More recently, in March, aviation IT supplier SITA reported a cyber attack involving passenger data on its airline passenger service system, which manages around 90% of passenger bookings for airlines.
Researchers at Oxford University recently exposed one highly sophisticated strategy that is used to target stock-listed companies. “The Real First Class? Inferring Confidential Corporate Mergers and Government Relations from Air Traffic Communication”, by Martin Strohmeier et al., reveals the financial impact of privacy leakages for corporations flying in private jets. “They showed how hackers can use flight tracker data to predict mergers and acquisitions based on the activity of business jets,” Munro says. “If a plane leased to a Fortune 500 company takes several flights to a certain country, cyber criminals can join the dots and predict the CEOs are meeting to thrash out a deal. Armed with this type of insider trading cyber data, it is possible to predict mergers and acquisitions and invest in the stock market or sell the information.”
But a lot of threats to business aviation arise from more basic insecurities. Josh Wheeler says a surprisingly high number of operators are careless about changing passwords. “Most vulnerabilities I’ve seen are associated with cabin routing equipment because base passwords are never changed. Anyone with basic knowledge of hacking can probably find them with base-level googling,” he says. “But the threat is also from the devices corporate passengers bring onto the planes. Some executives take their kids, or friends with devices that haven’t been pre-approved for use. The malware or viruses are on the devices, then they are on the aircraft.”
Despite the growing involvement of sophisticated cyber gangs in hacking activity – as highlighted in the Eurocontrol report – the majority of attacks are untargeted. “The hackers cast a wide net. There’s a lot of sensationalism, but in nine out of ten cases, they won’t know where they are. They use phishing emails and someone who happens to be on a jet clicks on one and is rerouted and downloads spyware, or malware,” Wheeler says.
In one recent case, which Wheeler was privy to, the CFO of a company downloaded an attachment that appeared valid, and malware instantly took a screen grab of every file open on the computer. “He had a document open with all the executives’ corporate credit card numbers on it. The hackers didn’t know what they were grabbing, but would have realized they had something big as soon as they googled the CEO’s name and realized they had his credit card details,” he says.
Open wi-fi networks on the ground or on parked aircraft are even more vulnerable to attack now it is possible for anyone to buy a range extender antenna for US$20, he says. “Given the lax security we see at many business airports, it would be easy to power up your laptop in an FBO lobby, or your car near the airport, and use the range extender to find six or seven aircraft with no wi-fi passwords and connect
An overlooked danger is weak points in an FBO’s supply chains. Wheeler has carried out cyber-snooping experiments on catering companies working for airlines. Using social engineering, he obtained sensitive personal information. “I say ‘Mr Johnson has a shellfish allergy, can you verify his birthday? I have it down as December 6, 1972. How are you spelling his name?’ An FBO can be doing due diligence and everything correctly, but all of a sudden one of the companies in their supply chains has a breach. It’s necessary to ask what they are doing to prevent data about, say, a passenger’s health conditions, escaping. Are they encrypting it? Do all employees on the ground use a VPN? What kind of firewall is in place?”
Despite the growing dangers, Wheeler says there are few regulations specific to cybercrime in aviation. “Different bodies like the FAA, IATA and others are working towards hardening the guidelines so devices can be secured through a series of firmware updates or additional protocols that make it harder to compromise. But they are not live yet,” he says.
This summer, the European Union Aviation Safety Agency (EASA) released guidance aimed at safeguarding civil aviation against cyberattacks. The “Opinion on Management of Information Security Risks” proposed the introduction of an information security management system for relevant authorities, including EASA. The aim is to require operators to report incidents and vulnerabilities. As yet, the measures are only proposals.
Meanwhile, in the UK, the Civil Aviation Authority (CAA) launched its “Assure Scheme” in January 2020. This third-party audit model enables organizations to comply with the CAA’s CAP 1753 six-step approach to cyber security. Audits will be performed by accredited Assure cyber professionals. “The idea is to get everyone in the industry to demonstrate the cyber security of their environment. It’s starting with the bigger operators but over time, it will migrate to smaller ones,” says Munro. “Also in the USA, both the FAA and the US Government are taking more of an interest in cybersecurity in aviation. So, there’s lots of activity.”