Cyber Incident Victim: Split Saint Jerome Airport
Date: Jul 2024
Location: Croatia
Summary
A ransomware attack by the Akira group targeted Split Saint Jerome Airport, severely disrupting IT systems and forcing manual processing of flight and passenger data, leading to significant delays and cancellations. Operational impacts included temporary website unavailability and prolonged manual procedures, straining staff during peak tourist season. Croatian authorities confirmed they were working with Europol, the FBI, and other agencies to isolate the attackers' geolocation. They refused to negotiate and focused recovery on rebuilding systems from scratch rather than paying the ransom demand.
Description
The cyberattack on Split Saint Jerome Airport commenced on July 22, 2024, at approximately 19:30, when initial IT system malfunctions disrupted flight acceptance and departure procedures. Manual data processing enabled the airport to manage outgoing flights to Zürich, Zagreb, Paris, Stuttgart, Munich, Oslo, Stockholm, Bergen, Tallinn, London Gatwick, and London City that evening. By the morning of July 23, Assistant Director Pero Bilas publicly confirmed the incident as a targeted hacker attack, noting technical teams were intensively working to mitigate consequences while coordinating with airlines for alternative solutions. Passenger check-ins proceeded manually throughout the morning, causing significant delays and operational strain, though inbound flight operations remained unaffected. Transport Minister Oleg Butković emphasized the system had not been restored to pre-attack functionality, requiring labor-intensive manual processes during peak tourist season, with the airport handling 10% more passengers than the previous year and double Zagreb Airport's summer traffic volume.

At approximately 15:00 on July 23, Airport Director Lukša Novak identified the perpetrators as ransomware group "Akira," who demanded payment for decryption keys while issuing threats via system messages. Novak reiterated the Croatian government's policy against negotiating with cybercriminals and disclosed ten specialists had worked overnight to implement legacy manual processing methods for passenger and aircraft data, relying on airline-submitted passenger lists. Interior Minister Davor Božinović classified the incident as ransomware, confirming collaboration with Europol, FBI, and other international agencies while noting geolocation tracking of the attackers. Direct operational impacts included four canceled and 77 delayed flights on July 22, followed by three cancellations and 42 delays by 16:00 on July 23. The airport's website remained inoperative during the incident, compounding passenger communication challenges amid sustained recovery efforts.
