Date: Oct 2022

Location: United States of America

Summary

A pro-Russian hacktivist group known as KillNet conducted distributed denial-of-service (DDoS) attacks targeting public-facing websites of multiple major U.S. airports, including Hartsfield-Jackson Atlanta International Airport. The attacks overwhelmed servers with artificial traffic, temporarily disrupting access to flight information and airport services such as wait time updates and bookings. While the Atlanta airport's website experienced downtime, it was restored without operational impacts to air traffic control, security systems, or flight operations. Similar disruptions affected other hubs like Los Angeles International Airport, Chicago O'Hare, and Denver International Airport, though all incidents were limited to superficial website outages. Cybersecurity authorities confirmed the attacks originated from within Russia but found no evidence of direct state involvement.

Description

On October 10, 2022, Hartsfield-Jackson Atlanta International Airport (ATL) experienced a cyber incident as part of a broader wave of distributed denial-of-service (DDoS) attacks targeting multiple U.S. airports. The pro-Russian hacktivist group KillNet claimed responsibility for these attacks, which began around 3:00 a.m. ET with initial targeting of LaGuardia Airport’s systems. By mid-morning, the attacks expanded to ATL and other major airports including Los Angeles International Airport (LAX), Chicago O’Hare International Airport (ORD), Denver International Airport (DEN), and Des Moines International Airport. KillNet utilized custom software to generate artificial web traffic, overwhelming public-facing airport websites and rendering them inaccessible. The group had pre-announced target domains on its Telegram channel, coordinating volunteer efforts to direct garbage requests at airport web servers. ATL’s website became unavailable during the attack but was restored by approximately 10:30 a.m. ET. The attacks exclusively impacted public web domains providing flight information, wait times, and congestion updates, with no penetration of internal airport networks, air traffic control systems, airline communications, or transportation security infrastructure.

The incident caused targeted “denial of public access” to informational websites, disrupting travelers’ ability to access real-time updates. Despite the high visibility of the outages, operational continuity at ATL and other airports remained unaffected, with no flight delays or cancellations attributed to the cyber activity. Denver International Airport reported ongoing attacks starting at 11:00 a.m. ET, though these were described as non-impactful. Cybersecurity engineers worked to mitigate the attacks by closing vulnerabilities and reinforcing critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) and FBI monitored the situation, while airports shared threat intelligence through federal channels. KillNet’s motivations aligned with retaliatory actions against U.S. support for Ukraine, following prior attacks on European targets. U.S. officials, including Senator Chuck Schumer, acknowledged the group’s Russian affiliation but noted no evidence of direct Russian government involvement. The attacks highlighted the persistent risk of hacktivist disruptions to public services but demonstrated limited operational consequences due to the segregation of critical systems from targeted web domains.
