On Sept. 19, several airports in Europe began experiencing a severe outage of the systems they use for passenger check-in and luggage handling, causing long delays and a slew of flight cancellations across the continent. The outage, which is still ongoing in some airports, is the result of a ransomware attack that affected the systems made by Collins Aerospace, a third-party supplier that provides the software used for check-in and other tasks by airlines. 

The incident is continuing to cause problems at a number of European airports and is a pointed example of how an intrusion at a key point in the software supply chain can have a wide range of downstream effects. Collins Aerospace is working to restore systems at the affected airports, which include London Heathrow, and airports in Berlin, Brussels, and Dublin, among others.

Here are a few key takeaways from the incident and its ongoing ripple effects. 

  1. Suppliers are key targets. Ransomware actors, like most people, are pretty lazy. They want to expend the least amount of effort possible to achieve their goal, which is to separate victims from their money. One way to get the highest return on their time investment is to hit a target, like, say, a software supplier for the aviation industry, that has many customers who would also be affected by the attack. “It’s very much true that third-party suppliers are the way in. We’ve known that for a long time. It’s always a surefire way in. We saw that with the Scattered Spider attacks. Why go and kick down the massive castle’s front door when you have this house next door?” said Glenn Wilkinson, co-founder of Agger Labs, an anti-ransomware startup.
  2. Fallback systems are vital. Many of the airlines and airports affected by the Collins Aerospace incident were forced to move to manual processes to check in passengers and luggage and handle other tasks that normally are done in software. Some were writing boarding passes by hand, while others were relying on iPads and other unaffected technology. Recovering gracefully from a ransomware incident is difficult, and it usually requires redundant data backups and fallback systems that can be put to use in a pinch. Without prior planning and preparation, recovery is difficult at best and nearly impossible at worst. “It’s a perfect example of how a lack of diversification can hurt,” Wilkinson said.
  3. The cruelty is the point. The goal of ransomware gangs is to make money, preferably lots of it and ideally very quickly. To do that, they need targets that they can get into relatively quickly and extract money from without too much trouble. One of the tools they often use to do this is pressure, whether it’s in the form of private ransom demands or public data dumps. Either way, the whole point is to make the victim feel enough pain that they’ll pay the price to make it stop. “A perfect target is one that requires high availability and is under high pressure and downtime really hurts. Hackers are inherently lazy or efficient, however you want to say it. An attack like this makes perfect sense. They want a soft-ish target and a broad blast radius to increase the public pressure. The pain has to go somewhere,” Wilkinson said.