The aviation sector remains at the forefront of global transportation and commerce, yet its critical importance makes it a prime target for increasingly sophisticated cyber threats. Recent attacks show a worrying trend: ransomware, hacktivism, and phishing campaigns are not just random events; they are persistent, evolving challenges.
Our latest Threat Landscape Report reveals that the sector faces relentless and evolving threats, from disruptive ransomware attacks to hacktivism, phishing campaigns, and data breaches. A deep understanding of these risks is crucial for aviation organisations to predict, prepare for, and ultimately thwart future attacks. Below are some of the key findings from the report and recommendations to enhance your cyber resilience against both existing and emerging threats.
Ransomware remains one of the most formidable threats to the aviation sector, often targeting companies with the potential to disrupt operations and expose sensitive data. Some recent examples include:
- PLAY Ransomware Attack on Precision Fluid Controls: On April 26th 2024, the PLAY ransomware group targeted Precision Fluid Controls, a significant player in the aerospace industry. The attack exposed customer documents, payroll details, and financial records. PLAY is known for exploiting Linux-based enterprise networks, underscoring the need for companies to secure their systems effectively.
- LockBit 3.0 Attack on TDT Aero: In May, LockBit 3.0 claimed responsibility for attacking TDT Aero, a Turkish aircraft maintenance company. This attack highlighted how essential maintenance operations crucial to aviation safety can be crippled by ransomware. LockBit’s Ransomware-as-a-Service (RaaS) model and its ability to continually refine its methods pose an ongoing threat to aviation operations.
- Black Basta’s Strike on PDQ Airspares: On April 1, Black Basta targeted PDQ Airspares Limited, a UK-based supplier to the airline industry. At present, the full extent of the attack remains unclear. The group’s sophisticated and customised malware strains are designed to bypass traditional security defences, leading to data theft and operational disruption.
- RansomHouse Attack on Sterch-International: In Q2 of 2024, RansomHouse targeted Sterch-International, a Czech aviation company. Unlike traditional ransomware groups, RansomHouse focuses on data theft, threatening to release sensitive information unless a ransom is paid. This “double extortion” tactic is becoming increasingly common in the aviation sector.
Hacktivist activities, often driven by political motives, are on the rise within the aviation industry. In May, the pro-Russian group NoName057(16) conducted distributed denial-of-service (DDoS) attacks against European aviation organisations, including the European Business Aviation Association and Vulcanair. These attacks, which disrupted online services, indicate the group’s growing sophistication in targeting web infrastructure and evading detection.
Phishing remains a highly effective tactic for cyber adversaries. Recent campaigns demonstrate an increased level of complexity. On June 6, the “Sticky Werewolf” group launched a phishing campaign in the aviation sector, leading to the deployment of the NetWire remote access trojan (RAT). The group’s shift from using malicious links to attachments reflects the evolving nature of phishing tactics, as attackers continually adapt to infiltrate systems.
Analysing Q2 2024 incidents, our Security Operations Centre (SOC) analysts identified the top five most commonly used MITRE ATT&CK techniques:
T1110 (Brute Force): Repeated password guessing or credential validation to gain unauthorised access.
T1078 (Valid Accounts): Using compromised accounts to access and escalate network privileges, bypassing standard security measures.
T1110.004 (Credential Stuffing): Exploiting previously stolen credentials to access systems, highlighting the risk of password reuse.
T1562.001 (Impair Defences): Disabling or modifying security tools to avoid detection, often by tampering with processes or configurations.
T1078.004 (Cloud Accounts): Targeting cloud-based accounts for access and persistence in hybrid or cloud-only environments.
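Three of the techniques listed above (T1110, T1110.004 and T1078) leave a recognisable shape in authentication logs. The following is an added example, not taken from the report: a small detector run over constructed sign-in events. The thresholds, account names and documentation-range IP addresses are assumptions, and the many-accounts pattern is labelled T1110.004 here even though telling it apart from other password-guessing variants needs more than the sign-in log provides.

```python
from collections import defaultdict

WINDOW = 300          # seconds; assumed tuning value
BRUTE_FAILS = 5       # failures against one account from one source
STUFFING_USERS = 4    # distinct accounts failed from one source

# Constructed sample events: (epoch_seconds, source_ip, account, outcome)
EVENTS = [
    (1000, "192.0.2.10", "ops.admin", "fail"),
    (1010, "192.0.2.10", "ops.admin", "fail"),
    (1020, "192.0.2.10", "ops.admin", "fail"),
    (1030, "192.0.2.10", "ops.admin", "fail"),
    (1040, "192.0.2.10", "ops.admin", "fail"),
    (1050, "192.0.2.10", "ops.admin", "success"),
    (2000, "198.51.100.7", "a.khan", "fail"),
    (2005, "198.51.100.7", "b.lee", "fail"),
    (2010, "198.51.100.7", "c.diaz", "fail"),
    (2015, "198.51.100.7", "d.owen", "fail"),
    (2020, "198.51.100.7", "e.roy", "success"),
    (3000, "203.0.113.5", "f.moss", "fail"),      # ordinary mistyped password
    (3400, "203.0.113.5", "f.moss", "success"),
]

def detect(events):
    """Return a sorted list of (technique_id, source_ip, account) findings."""
    findings = set()
    recent = defaultdict(list)   # source_ip -> [(ts, account)] of recent failures
    for ts, src, user, outcome in sorted(events):
        # Keep only failures that are still inside the sliding window.
        recent[src] = [(t, u) for t, u in recent[src] if ts - t <= WINDOW]
        if outcome == "fail":
            recent[src].append((ts, user))
            per_user = sum(1 for _, u in recent[src] if u == user)
            distinct = {u for _, u in recent[src]}
            if per_user >= BRUTE_FAILS:            # one account hammered
                findings.add(("T1110", src, user))
            if len(distinct) >= STUFFING_USERS:    # many accounts, few tries each
                findings.add(("T1110.004", src, "*"))
        elif len(recent[src]) >= STUFFING_USERS:
            # A success straight after a burst of failures from the same source:
            # treat the account as compromised and in use (T1078).
            findings.add(("T1078", src, user))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The T1078 findings are the ones to act on first, since they mark sign-ins that succeeded after the guessing activity and therefore accounts whose credentials need resetting.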
To address these evolving threats, aviation organisations should adopt proactive cybersecurity measures:
- Stay Updated on Emerging Threats: Regularly review threat intelligence reports to identify new attack vectors and strategies, enabling a more dynamic defence strategy.
- Promote a Culture of Cyber Awareness: Educate employees, from front-line staff to executive leadership, about the latest cybersecurity threats and best practices to reduce human error and enhance overall security.
- Invest in the Right Security Tools: Implement robust solutions tailored to counter ransomware, phishing, and hacktivist attacks. These tools should include endpoint protection, network monitoring, and data encryption. It’s important that security teams continually validate the efficacy and efficiency of these tools to maximise protection and the return on your cyber investments.
By remaining vigilant and adopting these strategies, aviation companies can protect their critical infrastructure and ensure operational continuity in the face of an increasingly hostile cyber environment.
Adarma provides customised cybersecurity solutions to assist businesses in achieving future-ready cyber resilience. Our approach enables organisations to decrease cyber risks by implementing effective threat intelligence, exposure management, and detection and response capabilities. We offer tailored threat intelligence, technological solutions, and strategic consultations that cater to our customers’ specific security requirements and business goals. Our expertise guarantees a balanced approach between security and operational efficiency, safeguarding our customers’ most crucial infrastructure and data.