Indian budget airline SpiceJet suspended flight operations, causing massive delays, after an attempted ransomware attack.
SpiceJet acknowledged the incident that slowed down morning flight departures, claiming that its security team had rectified the situation and flights had resumed. However, passengers complained on social media that SpiceJet’s customer services and booking systems were unavailable.
SpiceJet is the second-largest airline operator in India, with a 15% market share, 14,000 employees, and a fleet of 102 aircraft. The airline makes about 630 daily flights, transporting approximately 12 million passengers per month across 54 Indian cities and 15 international destinations.
The incident was a blow to an airline still trying to recover from the COVID-19 travel bans, which grounded most airlines and cost SpiceJet 28% of its annual revenue.
Passengers, including children, the elderly, and the sick stranded without refreshments
Passengers reportedly had to wait between 2 and 5 hours while the airline canceled flights at some airports. Similarly, customers could not book flights on the company’s websites.
Social media posts claimed that passengers who boarded the planes waited for almost 4 hours on the runways. Some passengers claimed they had to wait for several hours without food or refreshments in the company of the elderly, children, the sick, and the injured. One passenger shared a picture of his wife, who had a fractured leg, stranded at the airport. Other customers claimed that the ground staff had disappeared from the gate.
According to stranded passengers, SpiceJet did not warn them about possible disruptions before they headed to the airport.
Satish Poonia of Rajasthan, a member of the ruling Bharatiya Janata Party, said passengers did not receive official clarification from the airline. He described the delay as shameful and grossly negligent.
However, SpiceJet explained that although it had restored its IT systems, the ransomware attack had unpredictable effects.
“Certain SpiceJet systems faced an attempted ransomware attack last night that has impacted our flight operations,” SpiceJet said in a statement. “While our IT team has to a large extent contained and rectified the situation, this has had a cascading effect on our flights leading to delays.
“Some flights to airports where there are restrictions on night operations have been canceled. SpiceJet is in touch with experts and cyber crime authorities on the issue.”
Craig McDonald, VP of Product Management at BackBox, said the disruption of flight operations could generate significant financial losses despite its relatively short duration.
“SpiceJet’s IT team was able to thwart this attempted ransomware attack before it was able to take over and fully breach internal systems, but, unfortunately, even an attempted cyberattack can result in unwanted ramifications.”
SpiceJet did not disclose the attack vector, the ransomware variant deployed during the attack, or the scope of the incident. However, a source claimed that the May 25 ransomware attack affected a system dealing with flight operations and planning.
The unnamed source added that the flight operations department had switched to manual mode to save the situation while plans to migrate the affected server were still in progress.
Flight operations face increasing ransomware and other cybersecurity threats
SpiceJet and other airline operators are no strangers to cybersecurity incidents.
In 2020, SpiceJet confirmed that an unauthorized actor accessed an unencrypted database backup on one of its unsecured servers. The individual, a security researcher who described the intrusion as “ethical hacking,” gained access by brute-forcing the system, which had a weak password.
The file contained 1,200,000 records, including flight information, customers’ full names, phone numbers, email addresses, and dates of birth.
In August 2021, Bangkok Airlines suffered a LockBit 2.0 ransomware attack that leaked 100 GB of data after the company refused to pay a ransom.
In May 2021, Air India, India’s national carrier, leaked data of 4.5 million passengers.
“With ransomware attacks on the rise, companies must be hypervigilant in their cyber asset management practices,” Keith Neilson, Technical Evangelist at CloudSphere, said. “Unfortunately, the complexity found in the IT environments of many organizations makes it impossible to have a full view of their cyber assets and potential entry points for a cyber attack.”
Neilson noted that organizations discovered many cybersecurity risks only after threat actors had exploited them.
“To combat this evolving threat, many organizations are automating their cyber asset management processes to gain real-time and complete visibility into their entire IT environment. This allows them to be proactive in their security measures and identify and remediate potential points of weakness before they are exploited.”
McDonald also said organizations should maintain a documented, specific, and regularly reviewed backup strategy for restoring networks after a ransomware attack.
“The strategy should include housing a complete IT inventory, outlining specific responsibilities, exercising alternative communication methods and a means by which any member of the team can validate the results.”
He also advised network engineers to leverage network automation to defend their organization against similar attacks. The strategy would help them tackle arduous tasks that usually get pushed down the list of priorities.
“Automating these critical but repetitive tasks helps to ensure they are executed consistently and predictably, preventing some attacks entirely by keeping the network security posture current and compliant with policy.”
Stephan Chenette, Co-Founder and CTO of AttackIQ, noted that SpiceJet experienced disruptions in flight operations despite containing the ransomware attack. He predicted that the company would suffer more consequences due to the incident.
“As evidenced by this and many other recent ransomware attacks, it’s no longer an issue of just whether or not to pay the ransom – it is likely that the organization will suffer reputational damage, legal consequences, and loss of data and business.”