US airport websites under DoS attack (abcaudio.com)
102 points by SevenNation on Oct 10, 2022 | 73 comments


> Importantly, the systems targeted do not handle air traffic control, internal airline communications and coordination, or transportation security.

> "It's an inconvenience," the source said.

> The attacks have resulted in targeted "denial of public access" to public-facing web domains that report airport wait times and congestion.


@dang I feel like this qualifies for the "Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize" rule. The airports themselves are not under attack.


Yes. The original title is both misleading and linkbait, so there are two reasons to change it.


Given what the article says, this seems like a bit of fearmongering on ABC's part.


Agreed, this is a terrible headline designed exclusively for clicks.

> "It's an inconvenience," the source said.

How wildly irresponsible of the editor who came up with this headline.

> Jamming attacks like the one seen Monday morning are highly visible but largely superficial and often temporary

Gee, I wonder why these superficial attacks are so visible, ABC...


As far as "airport-travel related systems that could be affected without seriously impacting anyone's travel", "airport websites" are the top of the list.

I think the last time I used one, it was to find out if there was an airport lounge in a specific terminal.

"Airport Websites Briefly Unavailable" is a much less exciting, but much more accurate headline.


Every article about "cyber" is fundamentally fearmongering, because they incorrectly analogize to the physical world where security is outsourced to an ambient third party (post facto law enforcement), implying an attacker is the purely responsible party. In digital reality, this headline would be more appropriate as "Airline website insecurities taken advantage of by Russia to disrupt business". The focus should be on the irresponsible duct-tape-and-string operations these businesses are running, rather than the people half a world away sweet talking the computers into misbehaving.


"... taken advantage of by an entity capable of causing Russian computers to convince U.S. computers to misbehave, or to convincingly mis-attribute that activity in at least the preliminary stages of an investigation."


Or they just don't understand the difference between a DDoS on a website and an actual, effective cyberattack on an airport.

Never assume malice, etc.


Sure, it could be either malice or ignorance. But when there is a strong incentive to misrepresent this (views, ads), they lose the benefit of the doubt. Plus, if it is ignorance, then they have no business reporting on cyberattacks.


Journalism is a profession, not a gig, the practitioners have a professional responsibility to be able to report on their topic. Representing yourself as a professional while being ignorant is malice.


No, that’s not how malice works.

> Representing yourself as a professional while being ignorant is malice.

Being a professional just means you make a living doing it so you’re good enough to get paid. Nothing more, nothing less.


Suppose that's why expressions like "the work was very professionally done" tell us nothing about the quality of the work, and professional societies are just clubs of random people that meet down at the pub.


They might not. But if they want to earn the title of journalist then they should find out. Ignorance or negligence is not a valid excuse.

In short, there's no excuse for this from a source that has this level of impact.


> Never assume malice etc

The assumption isn't "malice", it's "profit"


There's some irony that this is right after John Oliver did a whole episode on media fear mongering and the result of which is people thinking crime is increasing and their safety is decreasing.


> (NEW YORK) -- Some of the nation's largest airports have been targeted for cyberattacks Monday by an attacker within the Russian Federation, a senior official briefed confirmed to ABC News.

Senior official from what agency / organization is making those claims?

> The attacks have resulted in targeted "denial of public access" to public-facing web domains that report airport wait times and congestion

Why would they be doing DDoS on this service?

> Hartsfield-Jackson Atlanta International Airport reported around 10:30 a.m. ET that its site is back up and running and that "at no time were operations at the airport impacted."

And operations are not being impacted...

I hear "Russia" is doing X and at this point I don't believe it without evidence being presented. Anonymous sources are equivalent to saying "some random person says X". Also, why would they do anything with no negative impacts?

This isn't much of a story IMO


...the source literally isn't anonymous, it's Mandiant (not Mandian, that's a typo), and Mandiant has released so much evidence to back its claims over the years that if you can't by now at least give some credibility to the Mandiant name, you're not acting rationally.

He also directly states that this group is Russian but not acting on behalf of the Russian government in this case:

> Hultquist said there is no evidence the Russian government was involved in directing this attack.


There are two sources. Read the article carefully. There's an anonymous "senior official" and a person from "Mandian" (assuming ABC made a typo - Mandiant).


Only one source has relevant information pertinent to your questions, the named source from Mandiant. The "official" would not be equipped to answer the questions you've asked, and they're more than likely an airport official not a government official (as US airports are almost entirely run by private, for-profit organizations).

But more importantly, neither source said anything about the Russian government doing anything here; if you read carefully at most it's a group within the country of Russia, and that's it. In fact Mandiant directly states that there's no evidence the government of Russia directed the attackers.


The fact that they couldn't get the name of Mandiant right does not inspire faith that they have a handle on reporting security news more broadly.


Do you want more than a name and an organization? Would you like John’s home address?

> Over a dozen airport websites were impacted by the "denial of service" attack, John Hultquist, head of intelligence analysis at cybersecurity firm Mandian[t], told ABC News. That type of attack essentially overloads sites by jamming them with artificial users.

> "Killnet," a pro-Russian hacker group, is believed to be behind the attack, according to Hultquist. While similar groups have been found to be fronts for state-backed actors, Hultquist said there is no evidence the Russian government was involved in directing this attack.


> Over a dozen airport websites were impacted by the "denial of service" attack, John Hultquist, head of intelligence analysis at cybersecurity firm Mandian, told ABC News. That type of attack essentially overloads sites by jamming them with artificial users.

That's not a "senior official"; "official" implies government, that's a company.

Yes, I would like to know the government agency official providing this information.

> "Killnet," a pro-Russian hacker group, is believed to be behind the attack, according to Hultquist. While similar groups have been found to be fronts for state-backed actors, Hultquist said there is no evidence the Russian government was involved in directing this attack.

What evidence supports this? IMO it's coming from that unspecified official. And yes, I think evidence needs to be provided before claims are made. They're just saying "I think it's these guys" ... because?


The quote you embedded is attributed to a person and where they work? Perhaps you meant to quote something else?

Mandiant's attribution methodology is trivially found on their website: https://www.mandiant.com/resources/blog/how-mandiant-tracks-...


Read the ABC article carefully (as one should always do)

There's mention of a "senior official"

> senior official briefed confirmed to ABC News.

So a source in government confirmed this to ABC (who's that?). Was it just a "could be Russia" type comment?

There's a separate person, who's primarily sharing the story:

> Over a dozen airport websites were impacted by the "denial of service" attack, John Hultquist, head of intelligence analysis at cybersecurity firm Mandian, told ABC News.

ABC and many news outlets generally require multiple sources prior to publishing. There have been a lot of stories lately that have the same base source, but they decide to count it as "multiple sources" because an official in the government leaks to two different people and those two people confirm. It's called "information laundering".

Anyway, out of genuine curiosity, I'd really like to know how they know this is from Russia. Which agencies are confirming this?

IMO it seems petty and not something a government would do.


> IMO it seems petty and not something a government would do.

By https://news.ycombinator.com/user?id=citilife

Internet actor named "citilife" makes claims about "information laundering".

Who is this individual? Where is the evidence? There should be evidence before such claims are made. What is his name and affiliation? Where can I find this person in the real world? Maybe this actor is wearing a hat? Perhaps it's made of sheets of metal? Perhaps tin foil?

To quote the actor to further this inquiry:

> And yes, I think evidence needs to be provided before claims are made. They're just saying "I think it's these guys" ... because?

I think evidence needs to be provided before claims are made. Before "citilife" is just saying "I think it's petty and information laundering". ... because?


> Internet actor named "citilife" makes claims about "information laundering".

I never claimed there was a case of "information laundering", I defined it.

I also am not asserting anything besides what was in that article and inquiring for additional details because the current story doesn't make a whole lot of sense (at least based on the assertion it's "Russia" / "Russian", "hacking" some airline websites via a DDoS attack lol).


Who are you? Where’s the reference for that definition? Under what authority and credentials? Where’s the proof such a phenomenon exists?


> "official" implies government

No it doesn't, it means 'office-holder'; that may be a public or private office.


Serious question:

How do they know that? I assume Killnet does not have a static IP address and doesn't leave its return address.


Hacking groups can have a recognizable fingerprint / strategy [0]

Killnet has claimed responsibility for similar attacks in the past [1]

[0] http://attack.mitre.org/

[1] https://www.cisa.gov/uscert/ncas/alerts/aa22-110a


DDoSing a website is probably the most common form of attack globally...


I guess it could be a DDoS with the same botnet?


I don’t know about the details in this case, but hacking (particularly DDoS) groups can be remarkably childish: they sometimes intentionally leave their name in requests, knowing that it’ll show up in logs.

The other identifying technique is correlation: if they’re using a network of hacked devices to create a flood of traffic, any previous attacks that saw traffic from those same devices are possibly from the same group. So it’s possible killnet has a public chronology here.
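The two log-based signals this comment describes (a self-identifying string left in requests, and source-address overlap between separate floods), as an added example that is not part of the thread or of any vendor's tooling. It parses constructed combined-format access-log lines; the tag `EXAMPLE-GROUP-TAG`, the addresses and the log lines are all placeholders, not real indicators.

```python
"""Two log-based attribution signals a defender can pull from web-server logs:
1. a self-identifying string an attacker left in the User-Agent header, and
2. overlap between the source addresses seen in two separate incidents.
All log lines below are constructed sample data; the tag string and the
IP addresses are placeholders (documentation ranges), not real indicators."""
import re
from collections import Counter

# Combined log format (nginx/Apache): ip - - [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical self-identifying tag; a real hunt would use the string actually observed.
GROUP_TAG = "EXAMPLE-GROUP-TAG"

def parse(lines):
    """Yield one dict per line that matches the combined log format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def tagged_sources(lines, tag=GROUP_TAG):
    """Signal 1: source IPs whose User-Agent carries the tag (case-insensitive), with hit counts."""
    hits = Counter(r["ip"] for r in parse(lines) if tag.lower() in r["ua"].lower())
    return dict(hits)

def source_overlap(lines_a, lines_b):
    """Signal 2: shared source IPs and Jaccard similarity between two incidents.
    A high value suggests the same set of compromised devices was reused; it is
    a correlation hint, not proof of the same operator."""
    a = {r["ip"] for r in parse(lines_a)}
    b = {r["ip"] for r in parse(lines_b)}
    shared, union = a & b, a | b
    return sorted(shared), (len(shared) / len(union) if union else 0.0)

# Constructed sample incidents (placeholder addresses from RFC 5737 documentation ranges).
INCIDENT_A = [
    '203.0.113.10 - - [10/Oct/2022:13:00:01 +0000] "GET /wait-times HTTP/1.1" 503 0 "-" "Mozilla/5.0 EXAMPLE-GROUP-TAG"',
    '203.0.113.11 - - [10/Oct/2022:13:00:01 +0000] "GET /wait-times HTTP/1.1" 503 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2022:13:00:02 +0000] "GET /wait-times HTTP/1.1" 503 0 "-" "Mozilla/5.0 example-group-tag"',
    '203.0.113.10 - - [10/Oct/2022:13:00:02 +0000] "GET /wait-times HTTP/1.1" 503 0 "-" "Mozilla/5.0 EXAMPLE-GROUP-TAG"',
    'malformed line that the parser must skip',
]
INCIDENT_B = [
    '203.0.113.10 - - [11/Oct/2022:09:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.0"',
    '198.51.100.7 - - [11/Oct/2022:09:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.0"',
    '192.0.2.44 - - [11/Oct/2022:09:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.0"',
]

if __name__ == "__main__":
    print(tagged_sources(INCIDENT_A))              # {'203.0.113.10': 2, '198.51.100.7': 1}
    print(source_overlap(INCIDENT_A, INCIDENT_B))  # (['198.51.100.7', '203.0.113.10'], 0.5)
```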


The former of these would easily open the possibility of a false flag. Same with the latter, though it would be harder to pull off.


This would be a pretty strange false flag: why bother blaming some random group that hasn’t been linked to the Russian government?

To my mind, the most likely explanation here is the simplest one: airport websites make good testing targets, and Russia doesn’t punish hackers who target non-military resources in the West.


I was speaking generally, but in this case it would be used to simply say "the Russians," regardless of whether or not they are under the Russian government.

Even then, using your own example: imagine you are testing a malicious system that you built that is hitting a public testing target. Wouldn't you want to link it to anyone other than yourself for when it is inevitably detected?


People doing threat intelligence are generally on top of attribution and try to do appropriate, fact-based attribution.

That said, the warnings about Russia interfering with US infrastructure were flowing a bit before the invasion of Ukraine. Russia would be the first suspect on the top of the list, even barring good threat intel.



Killnet spends a lot of time promoting themselves. 7 hours ago they announced in their Telegram channel that they are going to start an attack on USA airport websites and asked everybody to join them.

They've also done similar attacks before so they were clearly under radar


These Killnet guys stated in their Telegram channel that they are starting a USA airports DDoS; they also provided a list of airports and their URLs. They've done similar things before; most of their "hacking" consists of DDoSing some sites that they randomly decide are an enemy to Russia.



It seems like the big bad boogeyman of Russian cyberwarfare has also turned out to be a paper tiger. They are grasping at straws.


If they truly do a cyber attack on infrastructure like they’ve been doing to Ukraine it will end in war. There’s a reason they are only attacking the wait time pages and not airport operations.

Read the book This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth. It has a chapter that shows a lot of what has been going on in Ukraine. One quote that stuck with me was a Ukrainian saying you guys (US/West) are next, they are practicing on us.


> One quote that stuck with me was a Ukrainian saying you guys (US/West) are next, they are practicing on us.

Don't forget this goes bi-directional. We (the West) aren't idle recipients of what others do to our countries without response and even preventive measures. Granted the main danger is that we basically have a lot more to lose than our self-proclaimed adversaries but that doesn't mean we are helpless.


It’s much more one sided than bidirectional if you look outside of government employee/military hackers. Russia and China allow their citizens to scam and hack the US with almost impunity. If you or I started scamming Russians or defacing websites we would be going to prison. They pretty much allow and even encourage these types of activity.


> If they truly do a cyber attack on infrastructure like they’ve been doing to Ukraine it will end in war.

This has been the conventional wisdom, yes. Just like the conventional wisdom before February was that full scale land warfare between modern industrialized European nations was a thing of the past.

What we’ve seen over the last year invalidates all of that. If they could paralyze Ukraine with a cyberattack, they would have by now. That bodes pretty poorly for their ability to meaningfully impact the US.


I'm not trying to prop up the Russian military here, but I feel that your statement of "if they could have they would have" doesn't follow to logical conclusions.

Keep in mind, the common attribution of the supply chain attacks across a number of vendors was Russian actors.

Also keep in mind that large scale attacks have typically started with thoroughly unconvincing "Hey Bob check this out" emails with a malicious excel doc.

The point here isn't to say that the Russian government has mastermind hackers, but instead to understand that an actual and effectual attack doesn't need elite skills, just a few gullible people and known exploits on unpatched servers.

I find it far more likely that any world government has the traditional hacks playbook and still get over .500 in most environments they attack without a single novel zero-day.

The attack described in the article is to antagonize, no doubt, but I wouldn't be very fast to describe the abilities of someone based on how they troll people. This is not the same as an assertion of "they are the best hackers", it's more I just don't think this is representative of the actual capability of any state actor, the Russian military included.


The book covers how they have been trying to harden Ukraine infra since 2014, if anything they are likely ahead of the US in hardening stuff.


They most certainly have thrown at Ukraine all they could and it hasn't ended anything. It seems we have been overestimating what Russia is capable of (like we did for their conventional forces).


More likely, this isn't a Russian operation. Could be someone from within Russia's borders (could also just be routing there).

This is just some random "senior official" from an unknown organization saying "must be Russia".


The same operation has been doing DDoS attacks at various Russia-opponent-related targets for quite a long time, this is not a new unknown organization.

However, yes, there doesn't seem to be a reason to assert that it is ordered by the Russian state (specific attributions, e.g. to a particular agency or individuals, have been made for certain operations, but generally it takes a lot of time and is done only in retrospect). It could be just a loose group of activists scattered around the world and sharing just a chat channel; this attack is unsophisticated enough to not require any specific resources or cooperation.


Yes, you are correct, the group behind it (that claimed the attack) are hacktivists doing DDoS; they themselves are not connected to the Russian government. They've claimed multiple other similar attacks, but most of the time they are just spreading pro-war messages in their Telegram.


This is likely just a warning or nuisance (but intentionally not destructive). An actual cyberattack which disrupts air traffic will likely be considered an act of war.


> This is likely just a warning or nuisance (but intentionally not destructive). An actual cyberattack which disrupts air traffic will likely be considered an act of war.

That theory sounds a lot like the argument of “why not just shoot their legs” applied to escalation of force.

That’s not how it works. When you make the decision to shoot, you shoot to kill. And similarly, revealing your cyberattack capabilities through a “warning” attack is highly unlikely from a state based actor.


ROE for cyber are fundamentally different. You deliberately do not "shoot to kill" in cyber, for tons of reasons, at least one being it's a much more opportunistic environment; hacking isn't magic, and many systems aren't penetrable at will. You often don't get to choose exactly what you target, you just hit what's vulnerable and see how you can pivot.

Flip the incentives for a sec; the group that executed this hack can present it as an "attack on American infrastructure" to their superiors, even though we here in the US know it was 100% ineffective.


Taking down an airport’s website does not meaningfully reveal a nation’s “cyberattack” capabilities. It’s the same thing as a shot across the bow, and nobody doubts that the other guy’s boat has a gun.


I would have agreed with your assessment in a pre-MAD world, but in a MAD world, "shoot to kill" means we all, likely, die. Those that don't initially perish do so shortly thereafter.

In other words, there are good and valid arguments to ( using your words ) shoot in the legs first.


> They are grasping at straws.

But why? Why are the Western media doing it? Are there any connections?


Another article about it: https://www.nbcnews.com/tech/security/us-travel-websites-kno...

> there is no indication that any airport operations were affected


Here’s a much better article from CNN. [1]

[1] https://www.cnn.com/2022/10/10/us/airport-websites-russia-ha...


https://www.flychicago.com still appears to be down


So basically we can assume that a lot of airports use the same service for hosting?


Probably not, unless that service is AWS or GCP. It’s more likely that none of them have meaningful DDoS protection, since it isn’t really worth it.


I don't think free Cloudflare has a usage cap does it?

(My point being it's so easy it probably is 'worth it'? .. Especially after the first time this happens, even if only so you can tell media/bosses/whatever that mitigations have been put in place.)


Is Cloudflare’s free tier available to businesses? My understanding was that it’s for personal and hobby use only.

Airports probably fall under Cloudflare’s “enterprise” tier, which has no billing ceiling (as far as I can tell), even if the bandwidth might be free.

Put another way: I would not want to be the underpaid airport IT guy who has to justify tripling my operational budget because of a DDoS attack that (1) almost never happens, and (2) doesn’t actually affect critical systems.


Last I checked there's no SLA whatsoever until the top-tier "self-serve" plan, and that SLA's not an impressive one.

I've also heard (admittedly, from their competitors, but they turned out to be right about other things) that if your usage gets too crazy they'll encourage you to start paying.

And nb. that 100% of the "self-serve" plans (not the "call us" pricing) specify web traffic, like from a browser. If you're using it for e.g. delivering data to apps you might get away with it, but it's not technically permitted. Again, last I checked.



Or possibly SABRE.


No more so than other organizations.


Obligatory XKCD: https://xkcd.com/932


Obligatory xkcd reference: https://xkcd.com/932/


inb4 it was the Russians as retaliation for Nord Stream. As a Brit I'm still glad the US blew it up.

edit: Should have read the article before shit posting.



