As part of its investigation, the Port of Seattle, which operates Seattle-Tacoma International Airport in the city, has determined that the Rhysida ransomware gang is responsible for the cyberattack that allowed it to reach its systems last month, causing travel delays for travellers.
There has been a ransomware attack targeting the Port of Seattle as early as Friday, the Port announced in a statement.
As a result of the attack, which happened on August 24, the Port (which is also responsible for operating Seattle-Tacoma International Airport) announced that "certain system outages have indicated a possibility of a cyberattack."
It is important to note that the SEA Airport and its associated facilities remained open after the storm, but passenger displays, Wi-Fi, check-in kiosks, ticketing, baggage, and reserved parking were impacted, as well as the flySEA application and the Port website.
According to a press release that was released on September 13, the Port reported that most of the affected systems had been restored within a week of the attack taking place. As of yet, the Port of Dusseldorf has not been able to relaunch the external website or the internal portals that were offline after securing the impacted systems and finding no signs of additional malicious activity.
As far as Port systems were concerned, this incident was a "ransomware" attack by Rhysida, a criminal organization that specializes in cybercrime. Since that day, no new unauthorized activity has been conducted on those systems. In a press release, they stressed that it was safe to fly to Seattle-Tacoma International Airport and use the port's maritime facilities.
During this time, the Port's decision to take systems offline was accompanied by the ransomware gang's encryption of the ones that were not isolated in time, resulting in a series of outages impacting a variety of services and systems, including baggage, check-in kiosks, ticketing, wireless Internet, passenger display boards, the Port of Seattle website, flySEA app, and reservations.
A ransomware attack believed to have been launched by the Rhysida hacker group can be blamed for encrypting some of the data on the Port's computer systems using the ransomware. It was the result of this encryption and the Port's response to isolate the impacted systems as soon as possible that there were delays at the Sea-Tac Airport with baggage services, check-in kiosks, ticketing, Wi-Fi, displays, the Port's website and the flySEA app having issues.
The majority of these issues have since been resolved; however, the airport's website and internal portals remain down as of this writing, as stated in an update posted by the Port of Los Angeles.
In the wake of the cyber attack at the airport, the Port of Los Angeles is still unsure exactly how much or what kind of data was taken by the attackers, but the Port cannot afford to pay the ransom demand. There are no details about what kind of data have been compromised in the attack; however, the data may likely be of great value due to the sector of the business in which the agency operates.
There is also another reason that the Port of Seattle is such a hotbed of automation and machine learning technologies, which means it's a goldmine for attackers in terms of data.
In the world of ransomware, Rhysida is one of the more well-known gangs, especially for the way they target organizations that run critical systems for which downtime is not an option.
A hacker group known as the Black Hat Network has in the past targeted healthcare organizations such as the Lurie Children's Hospital and Prospect Medical Holdings as targets. As of May 2024, the number of patients affected by this massive data breach had increased from a few hundred to nearly a million. The company claimed that the Singing River ransomware attack occurred in September 2023.
In addition to educational institutions and the manufacturing industry, the HHS Health Sector Cybersecurity Coordination Center has also reported that the group has targeted the Chilean army, as well as universities and hospitals, according to the report. Health and Human Services (HHS) in the United States has implicated Rhysida in an attack against healthcare organizations in the country.
As CISA and the FBI made their warnings at the same time, different industries and sectors of society were being targeted by opportunistic attacks by this cybercrime gang at the same time.
In November, Rhysida ransomware operators successfully breached Insomniac Games, a subsidiary of Sony, and subsequently leaked 1.67 TB of confidential documents on the dark web. This occurred after the game development studio declined to meet the group’s demand for a $2 million ransom.
Rhysida's affiliates have also been involved in attacks on several other high-profile organizations. The City of Columbus, Ohio, MarineMax (the world's largest retailer of recreational boats and yachts), and the Singing River Health System have all fallen victim to this ransomware group. In particular, Singing River Health System reported that almost 900,000 individuals were notified of a data breach resulting from an August 2023 ransomware attack, in which sensitive personal information was compromised.