Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime
Ransomware Attack on Swissport Is Contained, Company SaysNetwork Segmentation, Preventative Measures Responsible for Limited Impact
Swissport, a global company that provides aviation-related services, confirmed it was hit by a ransomware attack on Thursday. The incident has now been contained, and a full system cleanup and recovery process is underway with no significant delays in sight, a company spokesperson tells Information Security Media Group.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
"The IT security incident that was immediately discovered on Thursday, Feb. 3, is contained. The affected infrastructure was quickly taken offline and manual workarounds or fallback systems have remained operational. A full system cleanup and recovery is now underway and we do not expect any significant delays. We apologize for any inconvenience," Swissport's spokesperson tells ISMG.
The company declined to give ISMG any further details regarding the ransomware used, the attackers, what data was encrypted, the ransom demanded or which customers/operations were affected, simply saying that an ongoing investigation is being carried out in coordination with Switzerland's National Cyber Security Center.
The Swiss NCSC acknowledged that it is in contact with Swissport, but declined to comment to ISMG on the specifics as it is an ongoing investigation.
In an earlier update on Twitter, however, Swissport tweeted that only "[a] part of Swissport's IT infrastructure was subject to a ransomware attack."
⚠️ A part of #Swissport’s IT infrastructure was subject to a ransomware attack. The attack has been largely contained, and we are working actively to fully resolve the issue as quickly as possible. Swissport regrets any impact the incidence has had on our service delivery.— Swissport (@swissportNews) February 4, 2022
A spokesperson for Zurich Airport tells ISMG that delays in operations were recorded over the weekend, but currently there does not appear to be a significant impact. "Due to the system problems at our airport partner Swissport, there were around 20 delays per day on Thursday, Friday and last weekend, each between three and a maximum of 38 minutes. Today, there has been no significant impact on flight operations in Zurich so far; we are currently recording delays of a few minutes for seven flights," the spokesperson says.
Pharma Hub in Machelen Affected
Although no damage was reported, the attack also hit Swissport's Pharma Center in Machelen, near Brussels Airport, says Belgian newspaper De Tijd. The newspaper cites Stijn Vandroogenbroek, a spokesperson for Swissport Belgium and the Netherlands, as saying, "These were obviously challenging moments, but manual workarounds or fallback systems have remained operational."
The Swissport Pharma Center is used for the storage and transport of medicines and medical equipment, including COVID-19 vaccines and face masks, which means any severe disruption could have had a severe impact on the critical medical supplies.
The attack on Machelen was also successfully contained by Saturday, Vandroogenbroek says.
"While the attack on Swissport has the look of Russian involvement, it would be premature to formally accuse Moscow of having its fingers on this attack at this time," Sam Curry, chief security officer at Cybereason, tells ISMG. "What we do know is that Swissport transports more than a quarter of a billion passengers annually, and if a determined and well-funded hacker group is interested in carrying out an espionage campaign to gain an upper hand on the world stage, airlines are prime targets."
Jamie Akhtar, CEO and co-founder of CyberSmart, compares the attack to the recent ransomware attack on the U.K.-based KP Snacks, which highlights the real-world impacts of a successful ransomware attack. "Cybercriminals are increasingly targeting key links in industry supply chains and, what's more, they're often successful. Fortunately, disruption was kept to a minimum this time, but it's not hard to imagine a similar attack grounding flights for several hours or days. This incident serves as a timely reminder that ransomware attacks are only becoming more disruptive and businesses need to be on their guard, especially against countries like Russia, China and North Korea, who have a history of such attacks."
Did Segmentation Save the Day?
The impact of the ransomware attack was contained swiftly and was even limited to only a "part of Swissport's IT infrastructure," according to the company's tweet. Because of this, several experts say that Swissport had preventive measures, such as network segmentation, in place.
Jan Lemnitzer, an assistant professor in the department of digitalization at Copenhagen Business School who covers cybersecurity policy, regulation and cyber norms, says in a tweet, "It seems they have practiced network segmentation though as they claim only some of their servers have been hit and the intrusion spotted straight away."
Martin Jartelius, chief security officer at Outpost24, tells ISMG that this is defense in depth and business continuity planning at its finest. He says, "Preventive measures prior to intrusions can, in many cases, prevent them from happening - and in every case it will contribute to decreasing the impact. Critical infrastructure should be subjected to separation, which has clearly been the case here, ensuring that mistakes of individuals or failures of edge systems do not risk the entire operation."
'Plan Ahead and Prepare for Worst'
Curry tells ISMG that Cybereason researchers have investigated the upward tick in global attacks in which ransomware is used against targets following data exfiltration to inflict damage to systems and hamper forensics investigations. He says, "Critical infrastructure industries, including the airline industry, have targets on their back and face a relentless and persistent attacker. I recommend that organizations plan ahead and prepare for the worst."
Andy Norton, European cyber risk officer at Armis, says, "The NIS [Network and Information Systems] legislation in Europe requires critical infrastructure providers to attain a certain level of operational resilience. Whether the surge in attacks [targeted at Europe] is related to current geopolitical events is unknown. However, providers of critical services should immediately review the adequacy of their risk assessments from cyberthreat with emphasis on the criticality of the ancillary IT systems that have increased connectivity and the potential to impact the OT and ICS production and service delivery."
Third Supply Chain Attack in Europe.
The ransomware attack on Swissport is the third known high-profile attack on a critical supply chain in Europe in the past couple of weeks. The U.K.-based snacks manufacturer KP Snacks recently that its supply chain was affected by a ransomware attack (see: UK-Based KP Snacks Hit by Ransomware in 'Snack Attack').
And in the past week, 17 port terminals in Western Europe - including oil terminals in Belgium, Germany and the Netherlands - were reportedly targeted by ransomware that significantly disrupted the entire supply chain (see: Cyberattack Cripples European Oil Port Terminals).
Switzerland appears to have been on the threat actors' radar for targeted cyberattacks, with a recent cyberattack on the International Committee of the Red Cross reportedly one of the biggest known cyberattacks on a humanitarian organization (see: Update: 'This Was a Targeted Attack,' Says Red Cross).