Oddly specific 'cyber attack' hits Alaskan airline RavnAir and one plane type

Dash 8? More like dash for the maintenance hangar

A small Alaskan airline has suffered a curiously specific "cyber attack" that mostly affected its De Havilland Dash 8 airliners.

RavnAir Group declared on 21 December that it had "experienced a malicious cyber attack on our company's IT network" the day before, causing it to cancel all of its flights operated with Dash 8s on its RavnAir Alaska airline.

In later statements, the group – which also has two other airlines, PenAir and RavnAirConnect – said it was cancelling a dozen Dash 8 flights before adding that the "this disruption now appears more extensive than initially reported". It has since said it may take "as long as one month to have all affected IT systems fully restored and back to normal" - with additional flight cancellations and delays possible on all three airlines.

The Dash 8 cancellations lasted just under 24 hours before the aircraft were back in the sky.

The US Associated Press newswire reported that an unnamed cybersecurity company, the US Federal Bureau of Investigation "and others" are all working with RavnAir to figure out what happened and help the airline recover.

No information was given by the airline on precisely what the "cyber attack" consisted of, though from the limited account given, it appears to be ransomware. Also inferring from RavnAir's descriptions, not much else short of an immediate power failure is likely to have knocked out a "maintenance IT system", or caused "the need to shut down and assess every part of the company's IT network and all company computers and servers".

The group said "the cyber attack forced us to disconnect our Dash 8 maintenance system and its backup."

The incident is unusual because it appears those deploying the malware – if that is what it was – initially only affected one particular aircraft type, and a relatively old model. RavnAir flies DHC-8-100s, a twin-engined turboprop airliner no longer made by manufacturer De Havilland Canada: the -100 was superseded by the larger Q400 model in the early 2000s.

Ken Munro of Pen Test Partners speculated the attack could have been carried out by a disgruntled ex-employee or perhaps a commercial rival, based on the targeting of RavnAir's Dash 8 maintenance system, though he also added: "These seem unlikely to me."

Munro, who among many other things specialises in aviation cybersecurity, offered a theory: "My guess is that the maintenance system was infected with ransomware, perhaps through general poor hygiene often associated with maintenance systems. The backup [may have been] on the same network segment, probably with similar vulnerabilities/missing patches or common credentials. Through swift action, one would speculate that the infected systems were quickly disconnected from the network or powered off."

Judging by RavnAir's continued operations with all of its other aircraft, Munro said: "The incident was contained successfully, but without a primary or backup maintenance system, it wouldn't have been possible to dispatch Dash-8 flights."

RavnAir has been asked to comment.

The DHC Dash 8 is one of the world's most widely flown makes of turboprop airliner. RavnAir has a fleet of 10 Dash 8-100s, relatively small aircraft but with impressive short-field takeoff characteristics making them well suited to small, remote airstrips.

In the UK the Dash 8 is best known in its stretched Dash 8-Q400 configuration as flown by British airline Flybe, soon to rebrand as Virgin Connect after a £2.2m buyout last year. ®

Updated at 16:27 GMT on 3 January to add

De Havilland Canada has been in contact to tell The Reg it is "in contact with RavnAir and, if requested, is available to assist the authorities that are investigating the cyber attack that impacted RavnAir's IT network."

It added: "Based on the information currently available to us, the systems onboard the Dash 8 aircraft were neither the target of this incident nor affected by this incident. Our understanding is that this incident has impacted internal systems at the airline."

Similar topics

Other stories you might like

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Chinese-sponsored gang Gallium upgrades to sneaky PingPull RAT
    Broadens targets from telecoms to finance and government orgs

    The Gallium group, believed to be a Chinese state-sponsored team, is going on the warpath with an upgraded remote access trojan (RAT) that threat hunters say is difficult to detect.

    The deployment of this "PingPull" RAT comes as the gang is broadening the types of organizations in its sights from telecommunications companies to financial services firms and government entities across Asia, Southeast Asia, Europe and Africa, according to researchers with Palo Alto Networks' Unit 42 threat intelligence group.

    The backdoor, once in a compromised system, comes in three variants, each of which can communicate with the command-and-control (C2) system in one of three protocols: ICMP, HTTPS and raw TCP. All three PingPull variants have the same functionality, but each creates a custom string of code that it sends to the C2 server, which will use the unique string to identify the compromised system.

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • EnemyBot malware adds enterprise flaws to exploit arsenal
    Fast-evolving botnet targets critical VMware, F5 BIG-IP bugs, we're told

    The botnet malware EnemyBot has added exploits to its arsenal, allowing it to infect and spread from enterprise-grade gear.

    What's worse, EnemyBot's core source code, minus its exploits, can be found on GitHub, so any miscreant can use the malware to start crafting their own outbreaks of this software nasty.

    The group behind EnemyBot is Keksec, a collection of experienced developers, also known as Nero and Freakout, that have been around since 2016 and have launched a number of Linux- and Windows-based bots capable of launching distributed denial-of-service (DDoS) attacks and possibly mining cryptocurrency. Securonix first wrote about EnemyBot in March.

    Continue reading

Biting the hand that feeds IT © 1998–2022