Cyber Incident Victim: Hamburg Airport

Date:

May 2024

Location:

Germany

Summary

A pro-Russian hacker group known as Just Evil/Kill Milk targeted Hamburg Airport's IT infrastructure, claiming unauthorized access to secured areas and posting screenshots of a control panel and surveillance camera feeds as evidence. The airport confirmed an attack on an externally hosted system used for monitoring security patrol documentation, clarifying it was isolated from core operations and resulted in no compromise of safety-critical data or disruption to air traffic. The group, allegedly led by Russian national Nikolai Serafimov and linked to activities like DDoS attacks and prior geopolitical cyber campaigns, failed to exfiltrate sensitive information despite their claims.

Description

On May 19, 2024, Hamburg Airport experienced a cyberattack claimed by the pro-Russian hacker group Just Evil/Kill Milk. The group announced via its Telegram channel that it had gained access to secured areas of the airport’s premises, posting images purportedly showing a control panel interface, surveillance camera feeds, and a cryptic list of attack results as evidence. Initial reports raised concerns due to the airport’s status as critical infrastructure (KRITIS). The Hamburg Airport press office confirmed the attack targeted an IT system externally hosted by a third-party service provider, which was solely used for monitoring and documenting security patrol rounds. Airport authorities emphasized this system operated independently without connections to other airport networks or operational technology. They stated the attack was successfully repelled, with no compromise of safety-critical information or disruption to air traffic.

The incident highlighted Kill Milk’s evolving tactics under its alleged leader, Russian national Nikolai Serafimov, who is also linked to the notorious group Killnet. Prior activities included operating DDoS-for-hire services through the "Black Listing" platform and targeting entities like Lockheed Martin in 2022 over U.S. military aid to Ukraine—a shift from their typical DDoS campaigns to more intrusive attacks. Hamburg Airport’s containment relied on the isolated nature of the breached system, preventing lateral movement to core infrastructure. No data theft or operational impacts occurred, and the airport maintained normal flight schedules throughout the incident. Just Evil/Kill Milk’s claims of broader access remained unverified, with forensic analysis confined to the third-party patrol documentation system.
