By mid-afternoon Monday, many airport websites that had been taken down by Russian hacking group Killnet earlier in the day were up and running. But security experts told SC Media that last week’s attacks on state government sites and today’s DDoS attacks on US airports could be followed by broader and more serious attacks.
In a tweet on Monday, John Hultquist, vice president of intelligence analysis at Mandiant, said the state government and airport attacks “are what we make of them,” describing the DDoS impact as short-lived and superficial, but very noticeable. “My only concern here is that we may be entering a new phase of increased targeting in the United States which may include more serious incidents,” the tweet continued. “Time will tell us.”
LAX Airport said in a statement that FlyLAX.com was partially disrupted early this morning. The service disruption was limited to parts of the public-facing FlyLAX.com website only, and no internal airport systems were compromised and there were no operational disruptions. The LAX IT team has restored all services and is investigating the cause.
Hartsfield-Jackson Atlanta International Airport added that its atl.com website is now operational following the DDoS incident. Atlanta Airport said an investigation into the cause of the incident was underway – and at no time were operations at the airport affected.
LAX also said it notified the FBI and the Transportation Security Administration. A Cybersecurity and Infrastructure Security Agency (CISA) spokesperson said the agency is aware of reports of DDoS attacks targeting several US airport websites and is coordinating with potentially affected entities and offering assistance if necessary.
Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, pointed out that Killnet had asked its followers to join in the attacks, posting a list of domains to target on its Telegram channel. In total, the group mentioned 49 domains belonging to airports across the country.
Specifically, Killnet’s list named airports in Atlanta and in the following states: Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi and Missouri.
“At this time, it’s unclear how successful these attacks were,” Righi said, noting that the attacks began with a DDoS attack on Chicago’s O’Hare International Airport, where the group stated its motivation as targeting “the American civilian network sector,” which it deemed unsafe.
“Killnet’s targeting of the United States and its critical sectors is not surprising,” he added. “The group has been targeting critical sectors in NATO countries since the start of the Russian-Ukrainian war, and this is likely to continue.”
The airport attacks were announced by Killnet at 12:50 p.m. CEST, or 6:50 a.m. EDT, on the killnet_reservs Telegram account, about an hour before the first airport, Chicago O’Hare, was attacked. Pascal Geenens, director of threat intelligence at Radware, said that just seven minutes after killnet_reservs published the list of targeted US airport websites, NoName057(16) created a new invite-only Telegram channel named “DDosia Project” and reposted the list in the newly created channel.
“It is important to note that the objective of the attacks was to disrupt public airport websites through DDoS attacks,” Geenens said. “There is no indication that the actors were trying to impact airport operations or disrupt air traffic. Disruptions from DDoS attacks are temporary in nature, so as soon as the attacks stop access to websites, they should recover.”
Alon Nachmany, field CISO at AppViewX, added that following the attack, Hartsfield-Jackson Atlanta International Airport and the Port Authority of New York and New Jersey had their websites running through Cloudflare, while FlyLAX.com was still being served directly from an Nginx web server. There are many vulnerabilities associated with Nginx, he added, but Nginx and Apache are the most common web servers. “Both are open source, so all patches have to be community developed, so often those patches take time,” Nachmany said.
Most sites affected by DDoS attacks do not have adequate DDoS resiliency, said Sean Lyons, senior vice president and general manager of infrastructure security solutions and services at Akamai. He made three recommendations. First, review critical subnets and IP spaces and make sure they have mitigation controls. Second, deploy DDoS security controls in an “always-on” mitigation posture as the first layer of defense, to avoid an emergency onboarding scenario and reduce the burden on incident responders. Third, proactively assemble a crisis response team and ensure runbooks and incident response plans are up to date.
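The first two recommendations above, and the earlier observation that some airport sites were fronted by a mitigation provider while another was still served straight from its origin web server, come down to one check a practitioner can script: does every published address for each public hostname fall inside the mitigation provider’s edge ranges, and is the origin itself refusing traffic that bypasses that edge? The script below is an added example, not code from the article or from any vendor quoted in it. The edge ranges, hostnames and DNS answers are constructed placeholders from documentation address space so it runs offline; in practice you would load the provider’s published ranges and let it use real DNS.

```python
"""Audit which public web properties sit behind a DDoS-mitigation provider,
and render an nginx allow-list that keeps the origin reachable only via that
provider's edge. Added example, not code from the article or any vendor quoted
in it. MITIGATION_RANGES, SAMPLE_DNS and the hostnames are constructed
placeholders (RFC 5737 / RFC 3849 documentation space) for offline use.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed placeholder edge ranges; replace with the vendor's published list.
MITIGATION_RANGES = [
    ipaddress.ip_network(n)
    for n in ("198.51.100.0/24", "203.0.113.0/24", "2001:db8:100::/48")
]

# Constructed DNS answers so the audit runs offline; hostnames are fictitious.
SAMPLE_DNS: Dict[str, List[str]] = {
    "airport-a.example": ["198.51.100.10", "2001:db8:100::10"],  # fully fronted
    "airport-b.example": ["192.0.2.20"],                         # origin exposed
    "airport-c.example": ["203.0.113.5", "192.0.2.21"],          # one record bypasses edge
    "airport-d.example": [],                                     # no answer
}


def live_resolver(host: str) -> List[str]:
    """Resolve A/AAAA records with the system resolver (default when nothing is injected)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def sample_resolver(host: str) -> List[str]:
    """Offline stand-in for live_resolver, backed by the constructed SAMPLE_DNS table."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return SAMPLE_DNS[host]


def is_mitigated(ip: str, ranges=MITIGATION_RANGES) -> bool:
    """True when the address lies inside one of the provider's edge ranges.
    An address-family mismatch (v6 address vs v4 range) simply tests False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def audit(hosts: Iterable[str],
          resolver: Callable[[str], List[str]] = live_resolver,
          ranges=MITIGATION_RANGES) -> Dict[str, dict]:
    """Classify each host by whether every published address is behind mitigation.
    One un-fronted record is enough for an attacker to reach the origin directly,
    so a mixed answer is reported as a finding ("partially exposed"), not a pass."""
    report: Dict[str, dict] = {}
    for host in hosts:
        try:
            ips = resolver(host)
        except (socket.gaierror, OSError):
            ips = []
        exposed = [ip for ip in ips if not is_mitigated(ip, ranges)]
        if not ips:
            status = "unresolved"
        elif not exposed:
            status = "behind mitigation"
        elif len(exposed) == len(ips):
            status = "origin exposed"
        else:
            status = "partially exposed"
        report[host] = {"ips": list(ips), "exposed": exposed, "status": status}
    return report


def origin_allowlist(ranges=MITIGATION_RANGES) -> str:
    """Render nginx access-control directives that admit only the provider's edge
    ranges at the origin, so requests that skip the scrubbing layer get a 403."""
    lines = [f"allow {net};" for net in ranges]
    lines.append("deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    for host, row in audit(SAMPLE_DNS, resolver=sample_resolver).items():
        print(f"{host:20} {row['status']:18} exposed={row['exposed']}")
    print("\n# nginx origin allow-list (goes inside the server or location block):")
    print(origin_allowlist())
```

Two caveats when using this for real. The allow-list only helps if the origin’s true address is not also discoverable through other records (mail, old subdomains, certificate transparency logs), which is why the audit flags a partially fronted host rather than averaging it out. And once the origin only accepts the provider’s edge addresses, client IPs in access logs will be the edge’s addresses unless nginx is told to trust the provider’s forwarded-client header for those ranges (the `set_real_ip_from` / `real_ip_header` directives of the realip module); otherwise rate limits and incident timelines will key on the wrong address.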
CISA issued alert AA22-110A just six months ago, calling Killnet by name and describing the tactics the group typically uses, and warning of similar attacks to come after Killnet launched a DDoS attack on Bradley International Airport in March.
“Today’s attack is proof of the importance of collaborative approaches to cybersecurity and heeding the warnings from those in the know,” said Chris Grove, cybersecurity director at Nozomi Networks. “It is fortunate that operations at these airports have not been affected, but that will certainly change in the future as attackers attempt more brazen attacks with greater impact.”
CISA also has an excellent quick guide that explains best practices for handling DDoS attacks and good site hygiene to ensure sites are not vulnerable to more sophisticated attacks using various IP protocols.