The cyberattack that impacted operations at the Seattle-Tacoma International Airport (SEA) in late August has been confirmed by the Port of Seattle to be a ransomware attack. Initially downplaying the severity of the incident, the Port has now acknowledged the seriousness of the attack and ongoing efforts to recover from it.
On September 15, 2024, the Port of Seattle officially identified the “Rhysida” ransomware group as the culprits behind the August 24 attack. The Rhysida group is notorious for previous cyberattacks on organizations such as the British Library and Insomniac Games, as well as targeting entities in the US healthcare sector and the Chilean army.
Despite ongoing efforts to restore systems, the Port has raised concerns about a potential data breach following its investigation, which revealed that some data had been exfiltrated by the threat actor.
In a detailed statement, the Port of Seattle described the events of August 24, stating that the attack caused system outages consistent with a cyberattack. Port staff worked quickly to isolate critical systems and have been working tirelessly since then to ensure the safety and security of partners and travelers using the facilities.
Blaming the Rhysida group for the attack, the Port emphasized that its efforts to halt the attack were successful and that there had been no new unauthorized activity on its systems since then. However, the Port remains on heightened alert and continues to monitor its systems, which have not yet been fully restored.
While the initial impact of the attack was downplayed, the Port now acknowledges the possibility of data exfiltration. Despite the Port's refusal to pay the ransom demanded by the Rhysida group, there is still a risk that some data may be posted online by the threat actors.
The Port’s investigation revealed that the unauthorized actor was able to access certain parts of its computer systems and encrypt access to some data. This led to disruptions in port services such as baggage services, check-in kiosks, ticketing, Wi-Fi, passenger display boards, and other essential functions.
As the Port assesses the extent of the data compromise, passengers and airport personnel remain concerned about the potential exposure of personal information. The Port has engaged forensic specialists and is actively collaborating with law enforcement to investigate the attackers.
The ransomware attack had a significant impact on airport operations, causing disruptions that led to delays and frustrations for passengers. Critical systems went offline, resulting in the shutdown of Wi-Fi services at the airport, delays in baggage services, and disruptions to flight information displays inside the terminal.
Despite efforts to manage operations manually, using traditional methods such as handwritten flight numbers and boarding passes, the airport's and the Port’s websites are still inaccessible. Other services, such as the lost and found and visitor pass program, remain offline.
The Rhysida group’s history of using ransomware-as-a-service techniques to target large organizations for financial gain highlights the growing threat of ransomware attacks on critical infrastructure. The Port of Seattle’s experience underscores the importance of robust cybersecurity measures and international cooperation in combating cybercrime.
As the Port continues to recover from the attack, the incident serves as a valuable case study for other organizations, emphasizing the importance of cyber preparedness and effective incident response strategies in the face of evolving cyber threats.

