The impact of cyber attacks is often greater than initial evaluations indicate. The mid-December cyber attack on RavnAir Group forced at least a dozen of the company’s flights out of the air on a busy travel weekend. It had been thought that the company recovered fairly quickly from the malicious cyber attack, but a statement released just before the new year kicked off indicates that the company may have more delayed and canceled flights into February.
The lingering impact of cyber attacks
Ravn is a regional carrier that provides both passenger and cargo flights within the state of Alaska. During the weekend prior to Christmas, an unspecified cyber attack targeted the company’s Dash 8 passenger flights and caused about six of them to be grounded over the busy weekend as a security precaution. Several additional flights were canceled due to inclement weather, unrelated to the cyber attack. The company estimates that about 260 passengers were impacted by the cancellations.
The company returned to their normal schedule after the weekend, and it seemed that the breach had been addressed. However, a press release issued by the company on Dec. 30 indicated that the impact of the attack was more far-reaching than initially reported, and that the company might experience disturbances to their flights throughout January.
Ravn stated that the company anticipates disturbances to their Ravn Connect and Frontier Flying Service flights. These are regular flights that mostly focus on providing intercity commuter services in Alaska, as well as mail delivery service to the more remote communities in the northern half of the state.
Ravn spokesperson Debbie Reinwand stated that there may be cancellations and delays until the impact of the cyber attacks is fully contained, as the company relies on back-up systems and manual processes to get its flights safely in the air. Ravn advised customers to expect all operations to move at a slower pace than usual until they can restore systems fully. The company is rebooking passengers onto other flights as available.
The FBI and an unspecified third-party cyber security company have been called in to investigate the impact of the cyber attacks on Ravn as the company is working on restoring everything.
Speculation on the nature of the attack
As with the recent attack on Travelex, the company has opted to release very few details about the attack. But, as with Travelex, ransomware seems to be a fairly safe assumption given the patterns of disruption to service and the long expected recovery period.
The Register spoke to aviation security specialist Ken Munro of Pen Test Partners, the security firm that recently broke the news about the massive Thinkrace smartwatch cloud security breach, who speculated that the Dash 8 maintenance system managed to get infected with ransomware. The Dash 8 aircraft system is used to maintain DHC-8-100s, an outdated Canadian turboprop that has not been manufactured since the early 2000s.
It is possible that the ongoing service disruptions are due to the ransomware spreading after the fact, or the attacker coming back for another successful attempt on another segment of the company. RavnAir might also simply be proceeding with an abundance of caution, ensuring that their systems are fully restored from backups and looked over before they resume all normal operations.
Can disclosure laws lessen impact of cyber attacks?
The state of Alaska’s Personal Information Protection Act requires organizations with more than 10 employees to notify users of a data breach if any “harm” is done, but does not set a specific deadline (requiring only that it be done in an “expeditious time”).
As with any ransomware case, it is unclear if the attackers accessed personal data prior to locking the organization out of their own systems. Customers usually have to wait for a forensic analysis to be done (which can take months) to finally be notified that their personal data was compromised.
Alaska is probably far from the first place that people think about in connection with ransomware, but the remote state has weathered some devastating attacks in recent years. At times, the impact of cyber attacks in the state has been great enough to shut down entire towns.
A mid-2018 attack crippled the small borough of Matanuska-Susitna (a suburb of Anchorage, Alaska) for an extended period, rapidly spreading throughout the entire municipality’s IT infrastructure. Everything from the public library to the public pool was shut down for at least several days as city employees combed through every possible file while attempting to restore systems. All told, the attack cost the city a little over $2 million to recover from and took weeks to get everything back to normal.
Later in 2018, the small city of Valdez contracted the Hermes ransomware (a favorite of North Korean hackers) and ended up paying a ransom of over $26,000 in Bitcoin to restore access. Valdez was fortunate in that the hackers were willing to negotiate the asking price down and actually kept their word once paid.
It is understandable that organizations and municipalities want to reveal as few details as possible for their own benefit, but the impact of cyber attacks on end users is definitely minimized the sooner they have a complete picture of what happened.
Winter weather increases impact of the cyber attacks
Flight cancellations are something of a way of life in the harsh, unpredictable Alaska winters. Take-offs and landings are sometimes made nearly impossible by snow and vicious wind shear. Air travel is absolutely vital to the state, however, with more than a dozen populated areas that can only be reached by plane or boat and frequent road closures due to winter storms.
A solid month of problems with Alaska flights is extremely unusual, however. Additional cancellations on top of standard seasonal issues will likely create some serious headaches for state residents in the coming few weeks. The true impact of these cyber attacks will only be known once systems are back online.