Cyber Incident Victim: Nuremberg Airport
Date:
Feb 2023
Location:
Germany
Summary
German airports experienced widespread website disruptions due to distributed denial-of-service (DDoS) attacks, rendering their online services temporarily inaccessible while leaving other critical operational systems unaffected. The incident, attributed to pro-Russian hacktivist group Killnet, followed prior similar cyber campaigns targeting the country's infrastructure in retaliation for military support sent to Ukraine. An ADV airport association official confirmed the nature of the attack, noting no impact beyond website outages, and administrators identified anomalous malicious traffic patterns as the cause despite earlier unrelated IT failures at another location causing passenger delays.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 16, 2023, multiple German airport websites experienced disruptions diagnosed as distributed denial-of-service (DDoS) attacks following signs of anomalous activity the prior day. The attacks specifically targeted public-facing airport websites, rendering them inaccessible to users during the incident. Ralph Beisel, chief executive of Germany's ADV airport association, publicly confirmed the cyberattacks, clarifying that core operational systems such as flight coordination and baggage handling remained unaffected. This incident occurred amid preexisting strain on aviation infrastructure after an unrelated February 15 Frankfurt Airport IT failure disrupted Lufthansa's schedules, causing widespread passenger delays. Airport administrators from facilities like Dortmund identified anomalous traffic patterns inconsistent with natural website overloads, leading technical teams to initiate investigations while maintaining public-facing system functionality. Security personnel observed no evidence of data breach or malware deployment beyond the volumetric website disruptions.
The pro-Russian hacktivist group KillNet claimed responsibility for the attacks via its Telegram channel on February 16, framing them as retaliation against Germany's decision to supply Ukraine with Leopard 2 tanks. This echoed prior KillNet campaigns against German infrastructure, including a January 2023 wave targeting airport websites, banks, and government portals following Germany's initial tank shipment commitments. The group's operational methodology consistently employed DDoS attacks to generate service disruptions rather than data theft or system infiltration. According to infrastructure administrators, recovery efforts focused on filtering malicious traffic and restoring standard website operations, with full functionality returning within hours of initial disruption detection. Impact analysis confirmed no flight cancellations or safety-system compromises stemming solely from the website outages, though the incident highlighted recurring vulnerabilities in publicly accessible aviation information portals. The attacks occurred concurrently with heightened geopolitical tensions surrounding Western military support for Ukraine, mirroring KillNet's October 2022 disruption of U.S. airport websites under similar protest motivations.