The Port of Seattle has officially confirmed that a cyberattack that disrupted its operations at the Seattle-Tacoma International Airport (SEA) in late August was a ransomware attack. While the Port initially downplayed the incident, its recent statements acknowledge the attack’s severity and ongoing recovery efforts.
On September 15, 2024, the Port of Seattle released an official statement naming the notorious “Rhysida” ransomware group as the perpetrator of the August 24 attack. The Rhysida group orchestrated the notable 2023 British Library cyberattack and Insomniac Games data breach. It has also targeted many other organizations, including some in the US healthcare sector and the Chilean army.
While recovery efforts continue, the Port has warned about a potential data breach after its investigation found some data to have been exfiltrated by the threat actor.
Port of Seattle Ransomware Attack in Detail
In its statement, Port of Seattle wrote, “On August 24, 2024, the Port of Seattle identified system outages consistent with a cyberattack. It was a fast-moving situation, and Port staff worked to quickly isolate critical systems. Since that time, Port staff have been working around the clock to ensure that our partners and travelers who use our gateways safely and securely reach their destinations and utilize our facilities.”
Blaming Rhysida for the attack, Port of Seattle said, “This incident was a “ransomware” attack by the criminal organization known as Rhysida. The efforts our team took to stop the attack on August 24, appear to have been successful.”
The Port claimed that there had been no new unauthorized activity on its systems since the attack, but said it remained on “heightened alert” and was continuously monitoring its systems, which have still not been completely restored.
“From day one, the Port prioritized safe, secure and efficient operations at our facilities. We are continuing to make progress on restoring our systems,” the statement read.
Data Breach Concerns
While the Port initially downplayed the impact of the attack, it has since acknowledged the possibility of data exfiltration. Having refused to pay a ransom to the Rhysida group, the Port said some of its data may be at risk of being posted online.
“Our investigation has determined that the unauthorized actor was able to gain access to certain parts of our computer systems and was able to encrypt access to some data,” the release said.
“We took steps to block further activities including disconnecting our systems from the internet, but unfortunately, the encryption and our response actions hindered some port services including baggage, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking.”
The Port has not commented on the specific type of data that may have been compromised, raising concerns for passengers and airport personnel.
“Assessment of the data taken is complex and takes time, but we are committed to these efforts and notifying potentially impacted stakeholders as appropriate,” the release said.
“In particular, if we identify that the actor obtained employee or passenger personal information, we will carry out our responsibilities to inform them.”
The Port added that it has involved forensic specialists and is “actively supporting law enforcement’s investigation of the attacker.”
Impact on Airport Operations
The ransomware attack caused significant disruptions at SEA, impacting a wide range of airport operations. Passengers faced delays and frustrations as critical systems went offline.
According to news reports, “The attack and the Port’s response to isolate critical systems resulted in an outage that shut down WiFi at the airport, caused delays to baggage services, and disrupted many screens inside the terminal showing flight information.”
Airport workers resorted to manual processes to manage operations, such as writing flight numbers and carousel locations on large sheets of paper and issuing handwritten boarding passes and bag tags.
The airport’s and the Port’s websites are still down. Other services, such as the airport’s lost and found and visitor pass program, are still not accessible.
Rhysida Group’s Inglorious Past
The Rhysida group is known to encrypt data on victims’ systems and threaten to make it publicly available unless a ransom is paid. The group uses its eponymous ransomware in a ransomware-as-a-service model, targets large organizations rather than attacking individuals at random, and demands large sums of money to restore data.
While the Port of Seattle recovers from this attack, the long-term consequences remain to be seen. The cyberattack highlights the growing threat of ransomware attacks targeting critical infrastructure. This incident underscores the need for robust cybersecurity measures and international collaboration to combat cybercrime.
The Port of Seattle’s experience serves as a valuable case study for other organizations, emphasizing the importance of cyber preparedness and incident response strategies.