Cyber Incident Victim: Los Angeles International Airport
Date:
Oct 2022
Location:
United States of America
Summary
A pro-Russian hacktivist group known as Killnet conducted distributed denial-of-service (DDoS) attacks against multiple major U.S. airports, including Los Angeles International Airport, temporarily disrupting public-facing websites that provided flight information and travel updates. The attacks overwhelmed servers with artificial traffic, causing intermittent outages or slow performance for airport sites such as Hartsfield-Jackson Atlanta, Chicago O'Hare, Denver International, and others, though no internal operational systems or flight-related infrastructure were compromised. Cybersecurity experts attributed the incident to Killnet, which had previously targeted Western entities supporting Ukraine, and confirmed the attacks were superficial, causing only public inconvenience without affecting air traffic control, security, or flight operations. U.S. authorities, including the FBI and Cybersecurity and Infrastructure Security Agency, monitored the situation while airport engineers worked to restore access and mitigate further disruptions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On October 10, 2022, Los Angeles International Airport (LAX) experienced a cyber incident as part of a broader series of distributed denial-of-service (DDoS) attacks targeting multiple major U.S. airports. The attacks began around 3:00 a.m. Eastern Time when the Port Authority notified the Cybersecurity and Infrastructure Security Agency (CISA) about LaGuardia Airport’s system compromise. LAX’s public-facing website, FlyLAX.com, suffered partial disruption early that morning, with intermittent outages and slow response times affecting public access to airport wait times, congestion updates, and related services. The disruption was limited to portions of the website, with no compromise of internal airport systems such as air traffic control, airline communications, or transportation security infrastructure. LAX restored full website functionality shortly before 1:00 p.m. Eastern Time. Other airports, including Chicago O’Hare, Hartsfield-Jackson Atlanta, and Denver International, reported similar disruptions, with Denver experiencing ongoing attacks starting at 11:00 a.m. local time. The attacks involved overwhelming targeted web domains with artificial traffic to render them inaccessible, but they caused no operational disruptions to flights or safety systems.
The pro-Russian hacktivist group KillNet claimed responsibility for the coordinated attacks, leveraging custom software to generate fraudulent requests against airport websites listed on its Telegram channel. U.S. officials confirmed the attacker’s origin within the Russian Federation, though no direct evidence linked the activity to the Russian government. KillNet had expanded its focus to U.S. targets the prior week after previously attacking European nations supporting Ukraine, with this incident aligning with its retaliation against Western support for Ukraine following the Crimea bridge bombing. Engineers from affected airports worked to mitigate the attacks by closing vulnerabilities and reinforcing critical infrastructure, while CISA, the FBI, and the Transportation Security Administration (TSA) coordinated monitoring and information-sharing. Mandiant analysts characterized the attacks as superficial and temporary, emphasizing their limited impact despite high visibility. Hartsfield-Jackson Atlanta restored its site by 10:30 a.m. Eastern Time, while Denver Airport maintained partial functionality despite sustained attack attempts. No data breaches or persistent network compromises were reported across all affected airports.