By mid-afternoon Monday, many of the airport websites that were taken down by the Russian hacking group Killnet earlier in the day were up and running. But security experts told SC Media that last week’s attacks on state government sites and today’s DDoS attacks on U.S. airports could be followed by broader, more serious attacks.
In a Tweet Monday, John Hultquist, vice president of intelligence analysis at Mandiant said both the state government and airport attacks "are what we make of them," describing DDoS impact superficial and short-lived, but highly visible. "My only concern here is that we may be entering a new phase of increased targeting in the U.S. that might include more serious incidents," the tweet continued. "Time will tell.”
The LAX airport said in a statement that FlyLAX.com was partially disrupted early this morning. The service interruption was limited to portions of the public-facing FlyLAX.com website only, and no internal airport systems were compromised and there were no operational disruptions. The information technology team at LAX has restored all services and is investigating the cause.
Hartsfield-Jackson Atlanta International Airport added that its atl.com website is now up and running after the DDoS incident. The Atlanta airport said an investigation into the cause of the incident is under way – and at no time were operations at the airport impacted.
LAX also said it notified the FBI and the Transportation Security Administration. A spokesperson for the Cybersecurity and Infrastructure Security Agency (CISA) said the agency was aware of reports of DDoS attacks targeting multiple U.S. airport websites and is coordinating with potentially-impacted entities and offering assistance as needed.
Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, pointed out the Killnet asked its supporters to join in on the attacks, posting a list of domains to be targeted on its Telegram channel. In total, the group mentioned 49 domains belonging to airports all across the country.
Specifically, Killnet targeted airports in the following states: Atlanta, Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, and Missouri.
“At this time, it's unknown how successful these attacks were,” Righi said, noting that the attacks began with a DDoS attack on the Chicago O'Hare International Airport, where the group stated its motivation to target ‘American's civilian network sector,’ which the group deemed to be not secure.
"Killnet's targeting of the United States and its critical sectors is not surprising," he added. "The group has been targeting critical sectors in NATO countries since the start of the Russia-Ukraine war, and it will likely continue.”
The attacks on the airports were announced by Killnet at 12:50 p.m. CEST or 6:50 a.m. EST on the killnet_reservs Telegram account; that was one hour before the first airport, Chicago O’Hare was attacked. Pascal Geenens, director of threat intelligence at Radware, said only seven minutes after killnet_reservs published the list of targeted U.S. airport websites, NoName057(16) created a new, invitation only, Telegram channel named ‘DDosia Project’ and reposted the list in their newly-created channel.
“It’s important to note that the objective of the attacks was to disrupt the public websites of the airports through DDoS attacks,” said Geenens. “There’s no indication that the actors were trying to impact the operations of airports or disrupt air traffic. Disruptions through DDoS attacks are temporary in nature, so as soon as the attacks stop access to the websites should recover.”
Alon Nachmany, Field CISO, AppViewX, added that following the attack, Hartsfield-Jackson Atlanta International Airport and the Port Authority of New York and New Jersey have their websites running through Cloudflare, while FlyLAX.com still operated off of an Nginx webserver. There are many vulnerabilities associated with Nginx, he added, but it and Apache are the most common web servers around. “Both are open-sourced so any patches need to be developed by the community, so often these patches take time,” Nachmany said.
Most sites that go down from DDoS attacks don't have adequate DDoS resiliency in place, said Sean Lyons, senior vice president and general manager, infrastructure security solutions and services at Akamai. He pointed to three recommendations. First, review critical subnets and IP spaces, ensuring that they have mitigation controls in place. Second, deploy DDoS security controls in an “always-on” mitigation posture as a first layer of defense to avoid an emergency integration scenario and to reduce the burden on incident responders. And third, proactively pull together a crisis response team and ensure runbooks and incident response plans are up to date.
CISA issued Alert AA22-110A just six months ago, calling Killnet out by name and describing the tactics the group typically uses, also warning of similar upcoming attacks after they launched a DDoS attack on Bradley airport in March.
“Today's attack is evidence of the importance of collaborative approaches to cybersecurity, and heeding warnings that come from those in the know,” said Chris Grove, director, cyber security at Nozomi Networks. “It’s fortunate that the operations of these airports weren’t impacted, but assuredly that will change in the future as the assailants attempt more brazen attacks with larger impact."
CISA also has an excellent Quick Guide that explains best practices for managing DDoS attacks and good site hygiene to make sure sites are not vulnerable to more sophisticated attacks using various IP protocols.