Updated: Thousands of passengers grounded in Poland following cyber-attack

LOT Polish Airlines

Thousands of passengers were grounded in Warsaw, Poland last night following a cyber attack on the computer networks of LOT Polish Airlines.

The airline posted a message on its Facebook page around 7pm on Sunday night saying it had “encountered IT attack that affected our ground operation systems”.

This followed a posting at 6pm which simply said that flights were being cancelled due to an “IT systems failure”.

The break-in occurred around 4pm local time (3pm GMT).

The attack prevented the airline from creating flight plans, with the result that outbound flights from Warsaw were unable to depart.

Ten international and domestic flights were cancelled, with others delayed.

“We'd like to underline, that it has no influence on plane systems. Aircraft that are already airborne will continue their flights. Planes with flight plans already filed will return to Warsaw normally,” the airline said.

In December 2014, five global aviation organisations agreed a plan to coordinate their activities around cyber-security threats. They identified the threats as theft of information, general disruption and potential loss of life.

Justin Clarke, director at Gotham Digital Science and chapter leader of London OWASP, told SCMagazineUK.com, “This is a great example of where key infrastructure systems could be attacked and have a far wider effect.” 

David Emm, principal security researcher at Kaspersky Lab, said: “At the moment we have no idea how the attack on Polish airline LOT was launched, the nature of the systems targeted or what the motives of the attackers may have been, beyond the fact that the attack affected ancillary systems rather than the planes themselves.

“This story highlights the fact that, as more and more aspects of our lives become cyber-dependent, we offer a greater attack surface to cyber-criminals – including critical infrastructure systems.”

Gavin Reid, vice president of threat intelligence at Lancope, told SC: “What we are seeing here in this attack is right at the tipping point where cyber-attacks meet physical. This tipping point once crossed will forever change the seriousness of how society views hacking. We have had a couple of recent events where this line in the sand has been pushed – airline and medical device tampering for example. We have yet to cross this threshold but the attack on Polish Airlines brings it ever closer.”

Tim Erlin, director of security and product management at Tripwire, said: “This incident demonstrates that while attacking in-flight systems may have made headlines recently, there are many more areas of vulnerability to address in the aviation industry. Like most industries today, aviation relies on a wide variety of interconnected systems, from air traffic control to reservations systems. There's no reason to believe that cyber-criminals aren't just as interested in credit cards or personal data collected, stored and transmitted by airlines as they clearly are in retailers. In many cases, it's the data that's the target, rather than the company collecting it.”

Ruben Santamarta, principal security consultant for IOActive, has published research in the field of SATCOM/aviation security. He told SC: "There are multiple systems at ground level that provide critical services for airlines and aircraft, in terms of operations, maintenance, safety and logistics. The first stage of an attack against an aircraft may begin on the ground. However, to properly assess the impact and the target of this attack we still need more information, so every scenario is just speculation."

“This latest incident may seem surprising, but it shouldn't be. We see industries and organisations under attack every day. Everyone is a target, no-one is immune. We need a new way to think about security,” said Martin Borrett, distinguished engineer and CTO, IBM Security Europe.