Digital Flight Paths: An Analysis of Cyber Threats in Aviation
- gregorio46
- Jul 25
- 5 min read
Updated: Aug 7

The recent cybersecurity incidents involving Qantas, Hawaiian Airlines, and WestJet highlight that the threat to the aviation industry remains both severe and immediate. These breaches, often rooted in third-party vulnerabilities and sophisticated social engineering tactics, expose millions of passenger records and disrupt critical services. Additionally, major IT outages such as the one affecting Alaska Airlines on 21 July 2025 and the widespread disruption at Delta Airlines last year underscore the aviation sector's deep reliance on interconnected digital systems. Even non-malicious events can cascade into operational paralysis, affecting flights, passengers, and reputations.
This report will outline our understanding of a cybersecurity incident, identify the three most prominent threat actors commonly observed in this domain, and highlight the basic cybersecurity hygiene practices most essential to reducing risk and enhancing protection. While insider threats remain a critical concern, they are out of scope for this analysis.
What is a cybersecurity incident?
A cybersecurity incident is an event, often driven by malicious intent, that compromises the confidentiality (C), integrity (I), or availability (A) of information or systems.
Examples of cybersecurity incidents in the aviation sector are:
- A hacker breaches an airline’s passenger database and steals personal information.
- A ransomware attack encrypts airport operational systems and demands payment.
- An employee accidentally clicks a phishing link, granting an attacker access to the company’s sensitive data.
- DDoS attacks flood an airport’s website during geopolitical tensions, making it inaccessible to customers.
Each incident carries a distinct type of impact, affecting a different aspect of the CIA triad. What these examples demonstrate is that, despite existing security controls and mitigation strategies, threat actors continue to find ways to bypass defenses and cause real disruption. This highlights that organizations should not focus solely on preventing cyber incidents (resilience), but must also invest in response readiness for when an incident actually occurs.
Threat Actor: Cybercriminals
Cybercriminals are financially motivated. They target organizations that handle large volumes of data or revenue, like airlines and airports, aiming for quick monetary gain through ransomware, data theft, or fraud. Political or ideological factors are typically irrelevant to their goals.
The aviation industry has become an increasingly attractive target for cybercriminals, largely due to its growing profitability and global reach. As revenues continue to soar, so too does the incentive for malicious actors seeking financial gain.
Scattered Spider, also known as UNC3944, Starfraud, Scatter Swine, or Muddled Libra, is a financially motivated cybercriminal group operating mainly from the US and UK. They have targeted major airlines and airport service providers, causing significant operational outages and delays and compromising passenger data. Their modus operandi often involves impersonating employees or contractors to deceive IT help desks, bypass multi-factor authentication controls, and gain initial access to airline networks and third-party vendors. The group’s ability to tailor phishing campaigns with AI-generated deepfake voices or realistic spear-phishing messages has raised the bar on social engineering threats.
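The help-desk pattern described above leaves a detectable trace: an MFA factor reset performed by a support agent, followed shortly by a sign-in from a device the account has never used. The following is an added example, not code from the original article or from any airline, showing how a defender could correlate those two events in identity logs. The event schema (timestamp, user, action, actor, device id), the one-hour window, and the sample records are all constructed assumptions; a real deployment would map its own identity provider's audit fields onto them.

```python
"""Correlate help-desk MFA resets with follow-on sign-ins from unfamiliar devices."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample identity-log events (not from any real system).
# Each tuple is (timestamp, user, action, actor, device_id). "actor" is the
# account that performed the action: a help-desk agent for an mfa_reset, the
# user themselves for a signin. Resets carry no device id.
Event = Tuple[str, str, str, str, Optional[str]]
SAMPLE_EVENTS: List[Event] = [
    ("2025-07-01T09:02:00", "jdoe",   "mfa_reset", "helpdesk-agent-7", None),
    ("2025-07-01T09:14:00", "jdoe",   "signin",    "jdoe",             "dev-unknown-42"),
    ("2025-07-01T10:00:00", "asmith", "signin",    "asmith",           "dev-known-1"),
    ("2025-07-02T08:00:00", "asmith", "mfa_reset", "helpdesk-agent-2", None),
    ("2025-07-02T08:30:00", "asmith", "signin",    "asmith",           "dev-known-1"),
    ("2025-07-03T12:00:00", "bkhan",  "mfa_reset", "helpdesk-agent-7", None),
    ("2025-07-03T15:00:00", "bkhan",  "signin",    "bkhan",            "dev-new-9"),
]

# Constructed device history: devices each user had signed in from before
# the period under review. Anything not listed here counts as unfamiliar.
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "jdoe":   {"dev-known-3"},
    "asmith": {"dev-known-1"},
    "bkhan":  {"dev-known-5"},
}


@dataclass(frozen=True)
class Alert:
    """One suspicious reset-then-new-device-sign-in sequence."""
    user: str
    reset_at: datetime
    reset_by: str
    signin_at: datetime
    device_id: str


def find_suspicious_resets(
    events: List[Event],
    known_devices: Dict[str, Set[str]],
    window: timedelta = timedelta(hours=1),
) -> List[Alert]:
    """Flag sign-ins from an unfamiliar device within `window` of a help-desk MFA reset.

    A reset followed by a sign-in from a device the user already used is treated
    as routine (the user recovering their own account). A reset whose window
    passes with no such sign-in ages out silently.
    """
    parsed = sorted(
        ((datetime.fromisoformat(ts), u, a, actor, dev) for ts, u, a, actor, dev in events),
        key=lambda e: e[0],
    )
    pending: Dict[str, Tuple[datetime, str]] = {}  # user -> (reset time, agent)
    alerts: List[Alert] = []
    for ts, user, action, actor, device in parsed:
        if action == "mfa_reset":
            pending[user] = (ts, actor)  # a newer reset supersedes an older one
            continue
        if action != "signin" or user not in pending:
            continue
        reset_at, agent = pending[user]
        if ts - reset_at > window:
            del pending[user]  # the reset is too old to be linked to this sign-in
            continue
        if device not in known_devices.get(user, set()):
            alerts.append(Alert(user, reset_at, agent, ts, device))
            del pending[user]  # one alert per reset
    return alerts


def resets_per_agent(events: List[Event]) -> Dict[str, int]:
    """Count MFA resets by help-desk agent; a spike for one agent is worth a look."""
    counts: Dict[str, int] = {}
    for _, _, action, actor, _ in events:
        if action == "mfa_reset":
            counts[actor] = counts.get(actor, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f"{alert.user}: reset by {alert.reset_by} at {alert.reset_at:%H:%M}, "
              f"new device {alert.device_id} signed in at {alert.signin_at:%H:%M}")
    print(resets_per_agent(SAMPLE_EVENTS))
```

On the constructed data only jdoe is flagged: asmith signs back in from a known device, and bkhan's new-device sign-in falls three hours after the reset, outside the window. Tuning the window and the definition of a "known" device (device id, IP range, or geolocation) is where the real work lies; the correlation itself is cheap enough to run on every identity-provider export.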
Ransomware remains one of the most aggressive and damaging forms of cybercrime affecting the aviation sector. These attacks typically involve encrypting critical systems or stealing sensitive data, followed by demands for ransom payments to restore access or prevent public exposure. While the notorious 2023 LockBit ransomware attack on Boeing's parts and distribution business is a well-known example, the threat has only grown. More recent incidents, such as the ransomware attack on AerCap and the Rhysida ransomware attack that crippled operations at Seattle–Tacoma Airport in 2024, demonstrate how both direct aviation operators and supporting infrastructure remain high-value targets.
Threat Actor: Hacktivists
Hacktivists, or cyber activists, are driven by ideology. Their attacks are meant to send a political or social message, often in response to specific events or policies. Aviation, as a high-visibility sector, can be a symbolic target to draw global attention to their cause.
One of the most notorious hacktivist groups currently active is NoName057(16), a pro-Russian collective known for launching politically motivated cyberattacks. Among their many operations, they target aviation infrastructure as a form of protest against foreign policies and to demonstrate digital allegiance to national agendas. In 2025, the group claimed responsibility for a DDoS (Distributed Denial-of-Service) attack on Atlanta Hartsfield-Jackson International Airport. The attack temporarily disrupted online services and public access to key airport systems, aiming to send a geopolitical message amid heightened global tensions. This incident was just one in a series of attacks. However, such attacks are often limited in technical complexity, and their impact is much lower than that of attacks carried out by cybercriminals. Nevertheless, they can still cause some operational disruption and strain public confidence, especially when timed with geopolitical flashpoints.
Threat Actor: Nation States
Nation-state actors operate with strategic, long-term objectives aligned with national interests. They target aviation through advanced persistent threats (APTs). These attacks are often highly sophisticated and difficult to detect. State-linked cyber actors from Russia, China, Iran, and North Korea each pose distinct threats to the aviation sector, shaped by their strategic priorities.
Russian-affiliated groups are primarily engaged in cyber espionage, aiming to collect intelligence and to potentially disrupt infrastructure in adversarial countries. Chinese APTs have a long history of industrial espionage, with a focus on stealing intellectual property related to aircraft design, engineering and maintenance processes, avionics software, and advanced materials information that can accelerate both commercial and military (aerospace) programs. Iranian state-sponsored actors present a unique threat to Western aviation, driven more by political and surveillance objectives than by financial or industrial gain. One of their key interests lies in accessing passenger data from airlines and travel systems to monitor political dissidents and individuals of strategic interest. North Korean APTs operate largely to sustain the regime’s strategic ambitions, combining cyber espionage with financially motivated attacks and disruptive operations aimed at adversaries.
What to do?
At a minimum, every organization in the aviation sector must take foundational steps to prepare for and mitigate cyber threats. First, identify the most critical systems, data, and processes that, if compromised, would have the greatest operational, financial, or reputational impact. Effective risk management must be in place to assess vulnerabilities, prioritize assets, and align protective measures accordingly. Organizations should also have crisis response plans and escalation procedures in place, regularly tested through exercises, and clearly communicated to all relevant teams to ensure swift and coordinated action when an incident occurs. In the case of ransomware, it is essential to define policies in advance, including positions on ransom payments.
For organizations without internal cybersecurity expertise, it is vital to outsource to trusted partners. Ask the right questions, demand transparency, and ensure service providers understand the specific risks and requirements of the aviation industry. Proactive preparation today can significantly reduce the impact of tomorrow’s incident.