Seattle-Tacoma Airport Says Criminal Hacker Group Attacked Computer Systems

An “unauthorized actor” gained access to Seattle-Tacoma International Airport (SEA) computer systems in August, resulting in a cyberattack that widely affected operations throughout the airport for days, forcing some airlines to manually check in passengers, according to the Port of Seattle.

The Port, which manages SEA, has released a detailed initial report on the cyberattack, describing a ransomware attack on Aug. 24 that led to message boards in the airport going dark and officials and workers being unable to even send emails, plunging SEA into an operational position for several days reflecting a pre-digital era.

There were minimum flight delays as some airlines affected by common-use system outages at airport counters resorted to manual processes to check in passengers, including using pen and paper. Carriers utilized their own computer systems to keep flights moving. The Port stationed workers throughout the airport to help guide passengers.

The Port had previously said the airport deployed workers who used “a variety of methods to ensure bags [reached] their aircraft.”

The Transportation Security Administration’s equipment and computer systems at SEA were not affected. Customs and Border Protection services also were able to continue.

Public WiFi and display boards with flight and baggage information remained down for more than a week after the attack.

The Port said the measures taken to thwart the attack “appear to have been successful,” though some lingering effects remain.

The attack and SEA’s response actions “hindered … services including baggage, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app and reserved parking,” the Port said. “Our team was able to bring the majority of these systems back online within the week, though work to restore some systems like our external website and internal portals is ongoing.”

The Port described the attack and its response as “a fast-moving situation, and Port staff worked to quickly isolate critical systems."

"Port staff have been working around the clock to ensure that … travelers who use [SEA] safely and securely reach their destinations and utilize our facilities. This has included engaging with our forensics specialists and actively supporting law enforcement’s investigation of the attacker,” the Port said.

The Port said it has not paid any ransom. “The Port of Seattle has no intent of paying the perpetrators behind the cyberattack on our network,” Port Executive Director Steve Metruck said. “Paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars.”

The Port alleged the attacker is Rhysida, a hacker group known to law enforcement agencies for ransomware attacks on large organizations. A joint U.S. government Cybersecurity Advisory (CSA) issued last year by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the MultiState Information Sharing and Analysis Center said the group uses “external-facing remote services to initially access and persist within a network. Remote services, such as virtual private networks [VPNs], allow users to connect to internal enterprise network resources from external locations. Rhysida actors have commonly been observed authenticating to internal VPN access points with compromised valid credentials.”

The CSA said Rhysida hackers “reportedly engage in ‘double extortion’—demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid." 

The agency added, "Rhysida actors direct victims to send ransom payments in bitcoin to cryptocurrency wallet addresses provided by the threat actors.”

The Port said it has not detected any unauthorized activity on its computer systems since Aug. 24, but remains on “heightened alert.”

Data was stolen, the Port confirmed. “Our investigation of what data the actor took is ongoing, but it does appear that some Port data was obtained by the actor in mid-to-late August,” the organization explained. 

“Assessment of the data taken is complex and takes time, but we are committed to these efforts and notifying potentially impacted stakeholders as appropriate. In particular, if we identify that the actor obtained employee or passenger personal information, we will carry out our responsibilities to inform them.”

The organization warned that because it will not pay the ransom, some stolen information could be posted on the dark web.

The Port said it is working on “restoring and rebuilding systems,” as well as taking steps to “enhance our existing controls and further secure our IT environment.”

“We recognize the inconvenience this incident has caused, and for that, we apologize,” the organization said. The Port emphasized that it “remains safe to travel from Seattle-Tacoma International Airport and use the Port of Seattle’s maritime facilities.”