Cyber Incident Victim: École nationale de l'aviation civile
Date: Mar 2022
Location: France
Summary
The École Nationale de l’Aviation Civile suffered a ransomware attack attributed to the Hive group, causing severe operational disruptions. Critical digital services became inaccessible, returning errors indicating potential system disconnections or encryption, while physical campus access and scheduled flights were impacted. Communication channels were largely paralyzed, with most phone lines redirected to a single point, though some email functionality remained. Attackers initially demanded $1.2 million in bitcoin, later doubling the ransom demand. The institution collaborated with aviation authorities to manage the incident and advised partners to isolate from its systems, though technical interconnections with related aviation entities were noted. The attack significantly hindered administrative and educational operations across the organization.
Description
The École Nationale de l’Aviation Civile (ENAC) experienced a significant ransomware attack during the weekend of March 12, 2022, which severely disrupted its operations. Initial indications emerged when a since-deleted tweet hinted at the incident, followed by observable system outages across multiple digital services. By March 16, ENAC’s communication department confirmed the ransomware’s involvement, noting extensive disruptions that impaired physical access to campus sites and scheduled flights. Technical symptoms included widespread unavailability of critical platforms: campus digital services and the HDA activity management application returned HTTP 503 errors (service unavailable) or maintenance pages, while other systems generated 404 errors (not found), suggesting storage disconnections or potential encryption. Remote access systems failed entirely, and internal phone infrastructure collapsed, routing all fixed-line calls to a single endpoint. Some professional email addresses remained functional, but repeated attempts to contact ENAC’s communication team via phone and email were unsuccessful.

The attackers deployed the Hive ransomware, with their initial ransom demand set at $1.2 million in bitcoin, communicated via a dedicated dialogue interface by March 19. This demand escalated to $2 million on March 20 after the threat actors criticized a researcher’s actions. ENAC coordinated with partners to isolate their systems from ENAC’s compromised infrastructure, while the Direction Générale de l’Aviation Civile (DGAC) provided incident management support. Investigators noted a potential network link between an ENAC-associated IP address and systems belonging to the DSNA’s Direction de la Technique et de l’Innovation (DTI), though the extent of this interconnection remained unclear. The attack’s operational impact was profound, affecting administrative functions, campus logistics, and flight operations, prompting preparations for a public statement to address the situation. Recovery efforts focused on containment and assessing the scope of encrypted or disabled systems, though specific technical remediation steps were not disclosed in available reports.
