Cyber Incident Victim: London City Airport
Date: Jul 2023
Location: United Kingdom
Summary
London City Airport's website experienced an outage, which coincided with a claim of responsibility by the pro-Russia hacking group UserSec. This incident was part of a claimed coordinated campaign targeting UK airport websites. While services at the airport continued to run smoothly, the attack's intent and its genuine impact on operations were unclear. The airport's IT team investigated the issue.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 3 actors | Available to members | Available to members |
Description
On or around July 18, 2023, London City Airport experienced a cyber incident that resulted in its website becoming inaccessible. The website went down shortly before 3:00 PM on that Wednesday afternoon. This outage coincided with an online claim of a hack by a pro-Russia group known as UserSec. The incident appeared to be part of a broader, coordinated campaign targeting UK airports, as a short while later, another group called Anonymous Russia claimed to have launched a similar attack on Birmingham Airport's website. However, at the time of the initial reporting, Birmingham Airport's website remained online and functional. A spokesperson for Birmingham Airport acknowledged the reports, stating that some people had reported the website was loading slowly that afternoon and that the issue was being investigated. The group Anonymous Russia posted a message online that read, "Anonymous Russia joins the attack on UK airport! Before your eyes, the sleeping international British airport Birmingham! Glory to Russia."

It remained unclear whether the hacking claims were genuine and if they would have any material impact on the actual functioning of the airports themselves. An examination of arrival and departure boards at the time suggested that services into and out of both London City and Birmingham airports were running smoothly without any reported disruptions to flight operations. The exact intention behind the claimed cyber attacks was also not clear, nor was the specific reason why UK airports were being targeted by these groups. This incident was not the first time London City Airport had been targeted. In May of the same year, the airport's website was hit with an error message that temporarily made the site inaccessible to users. On that previous occasion, a pro-Russian hacking group known as NoName claimed credit for the website issue. The problem was resolved a short while after it began.
The NoName group is a pro-Russian collective that first declared itself in March 2022. Since its emergence, the group has been responsible for blocking access to several other websites beyond UK airports. Their previous targets included the website of the French Senate, which they successfully disrupted in the spring prior to the airport incidents. Following the May incident, a spokesperson for London City Airport confirmed that the website was back up and running but acknowledged that access had been briefly restricted that morning and that the airport's IT team was investigating the issue. The broader context of these attacks involves heightened warnings from the UK government about the threat posed by Russian-aligned cyber actors. Back in April 2023, the government warned that Russian hackers were actively attempting to cause maximum damage to the UK's critical national infrastructure, which includes essential services like power stations.
Cabinet Office Minister Oliver Dowden stated that cyber attackers were specifically targeting vital energy plants in a bid to black out Britain. He addressed cyber security experts in Belfast, explaining that these adversaries are ideologically motivated rather than financially motivated. Dowden emphasized that disclosing this threat was not done lightly but was deemed necessary to ensure that companies understand the current risk they face and take appropriate action to defend themselves and the country. This warning underscored the serious and persistent threat landscape facing UK infrastructure from state-aligned or ideologically driven hacking groups. The incident at London City Airport in July fits into this pattern of ideologically motivated attacks aimed at causing disruption and drawing attention to their cause, even if the immediate impact was limited to website accessibility.
The method of attack used against London City Airport was not detailed in the available information, but the outcome was the temporary unavailability of its public-facing website. The claims made by groups like UserSec and Anonymous Russia suggest a distributed denial-of-service (DDoS) attack, which overwhelms a website with traffic to make it unreachable, though this was not explicitly confirmed. Such attacks are a common tool for hacktivist groups seeking to make a political statement or show support for a particular cause, in this case, pro-Russian interests. The timing of the claims, coinciding with the website outage, points towards these groups being responsible, but the exact attribution and veracity of their claims often remain difficult to confirm immediately following such events.
Furthermore, the UK had been a recent victim of other significant Russia-linked cyber attacks earlier that summer. In June 2023, thousands of UK-based workers were affected by a massive data breach. This attack targeted the payroll platform Zellis, which is used by hundreds of UK companies, including major organizations like British Airways, Boots, and the BBC. Zellis confirmed that eight companies had been affected by the breach but did not specify which ones. The payroll provider noted that it works with a third of the FTSE 100 companies and serves five million employees every month, indicating the potential scale of the breach. The hack was suspected to have links to a Russian-speaking cybercrime gang called Clop. This incident related to a flaw in a piece of software called MOVEit Transfer, which is used by thousands of companies globally to securely transfer files. Boots confirmed that the breach involved the personal details of some of its 50,000 staff members, although it was understood that bank details were not taken in that particular incident.
This data breach demonstrates a different facet of the cyber threat emanating from Russian-linked actors, one that is financially motivated and aimed at extracting valuable data, as opposed to the seemingly ideological motivation behind the airport website disruptions. The contrast between these two types of attacks—one aiming for disruptive spectacle and the other for data theft—highlights the multifaceted nature of the cyber threat landscape facing the UK. The incident at London City Airport, while causing minimal operational impact, served as a visible reminder of the persistent and evolving cyber threats faced by national infrastructure and businesses. The airport's IT team responded by investigating the issue, as was their protocol during the previous incident in May. The primary impact for users was the temporary inability to access flight information or other services provided through the airport's website, though flight operations continued unaffected. The incident was resolved, and the website returned to normal functionality, but it underscored the vulnerability of public-facing digital assets to politically motivated cyber campaigns.
