Cyber Incident Victim: EUROCONTROL
Date:
Apr 2023
Location:
Belgium
Summary
The EUROCONTROL agency was targeted by a pro-Russia hacking group in a significant DDoS attack against its public website, causing interruptions to its web availability and external communications. The attack had no impact on European air traffic control or aviation safety, as critical operational systems were air-gapped and isolated from external networks. In response to the incident, airlines were advised to avoid filing flight plans through the affected online system.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 19, 2023, the European Organisation for the Safety of Air Navigation, widely known as EUROCONTROL, came under a sustained cyberattack from pro-Russian hackers. The attack targeted the agency's public-facing website, causing significant interruptions to its availability and web services. A spokeswoman for the organization confirmed the attack began on that date. The agency promptly issued a public statement acknowledging the incident, attributing it to pro-Russian actors, and took steps to assure the public and aviation stakeholders that the attack had no impact on European air traffic control activities or aviation safety. This was because the critical operational systems responsible for air traffic management were not connected to external networks and were air-gapped, preventing any direct access by the attackers.
The attack was characterized by a senior EUROCONTROL official as a "heavy cyber battle." The primary impact was on the agency's communication capabilities, both internal and external. The disruption to the website and web availability was so severe that it impaired normal communication channels, forcing some staff to temporarily resort to using commercial communication tools to maintain operations. In response to the incident, EUROCONTROL advised airlines to avoid filing flight plans through its online system to prevent potential disruptions from the ongoing attack on its web infrastructure.
Expert analysis and public claims identified the pro-Russian hacking group Killnet as the most likely perpetrator of the attack. This attribution was based on messages published on the group's Telegram channel. On the evening of April 19, Killnet reportedly issued a call to action, announcing a "marathon" attack against EUROCONTROL that was intended to last for 100 hours. The group's message encouraged other hackers to participate in this sustained offensive. A further post shared by Killnet on Telegram, originating from a channel run by Russian military bloggers, provided a stated motivation for the attack, claiming EUROCONTROL was targeted because it supported Ukraine. The message stated the attack would cause "great discomfort" to all airlines in Europe.
The technical nature of the attack was a distributed denial-of-service (DDoS) campaign. This type of attack involves flooding a target's servers with an overwhelming volume of internet traffic, rendering the online services slow or completely unavailable to legitimate users. While this is a comparatively simple form of cyberattack, it can be highly effective in disrupting public-facing services and communications. The attack on EUROCONTROL's website successfully took it offline for periods during the offensive.
This incident was part of a broader pattern of cyber activity by the Killnet group, which has repeatedly used DDoS attacks as a form of hacktivism in response to Western support for Ukraine. Prior to the EUROCONTROL attack, the group had claimed responsibility for a series of DDoS attacks in February 2023 that targeted the websites of German airports, administration bodies, and banks. Those attacks were described as a response to the German government's decision to supply Leopard 2 tanks to Ukraine. In October of the previous year, Killnet had also claimed massive DDoS attacks that took down the websites of several major airports in the United States, including Hartsfield-Jackson Atlanta International Airport (ATL), Los Angeles International Airport (LAX), and Chicago O’Hare International Airport (ORD). Furthermore, in November 2022, the group claimed responsibility for a DDoS attack that disrupted the website of the European Parliament.
The attack on EUROCONTROL heightened existing fears within Europe about the vulnerability of its critical infrastructure to cyber threats stemming from the war in Ukraine. There was a growing concern that Russia could escalate its cyber campaigns to target parts of the European transportation, communication, and energy infrastructure. EUROCONTROL plays a central role in European aviation, working to achieve safe and seamless air traffic management across the continent. The international organization, which has 41 member states, is delegated parts of the EU's Single European Sky regulations and works with national authorities, air navigation service providers, airports, and civil and military airspace users for the coordination and planning of air traffic control for all of Europe. Despite the operational systems remaining secure due to their isolated nature, the attack demonstrated the potential for cyber operations to cause disruption to supporting services and communications of a critical agency. The incident served as a significant event in the ongoing cyber dimension of the wider geopolitical conflict.