LONDON – A high-tech cyberattack that disrupted flights at some of the busiest airports in Europe early on Saturday came as a major shock to the world travel sector. Among the first to report system failures were Heathrow in London, Brussels Zaventem and Paris Charles de Gaulle, where flights were grounded, check-in counters froze and passengers were left in limbo.
By midday, the disruption had extended to large U.S. airports such as New York’s JFK and Chicago O’Hare, where most flights coming from Europe were being diverted or held indefinitely. Cybersecurity experts described the attack as one of the most organized in modern times; it targeted air traffic control systems, booking databases, and security measures.
Thousands of passengers – families on holiday, businessmen hurrying to meetings and aid workers heading to crisis zones – were stuck in terminals that became temporary holding points. Eyewitness accounts painted a picture of mayhem: queues stretching through fogged glass doors, harassed employees handing out bottles of water, and angry shouts over occasional PA announcements.
The incident comes at a time when the world faces a risky level of connectivity, and when escalating tensions in the Indo-Pacific and hybrid warfare activity a few weeks ago have fueled anxieties that hybrid warfare will extend into civil infrastructure.
Although no party has claimed responsibility, initial research indicates that the attack was carried out by state-sponsored actors who may be associated with current geopolitical hot spots. The magnitude of the breach has prompted emergency conferences among EU leaders and calls for a global response.
The Anatomy of the Assault
The cyberattack unfolded in the pre-dawn hours, exploiting weaknesses in outdated software used by Eurocontrol, the pan-European air traffic management agency. Hackers are believed to have combined ransomware with distributed denial-of-service (DDoS) methods, flooding networks with malicious code and rendering critical servers inoperable.
The first indicators appeared at Heathrow, the busiest international airport in the world by the number of passengers, at around 4 a.m. local time, when digital displays flickered and went dead. “Everything had simply ceased,” said Maria Gonzalez, a Spanish tourist who was waiting to board a plane to Madrid. The boarding passes were not scanned at all, and the screens displayed some error messages in a loop.
There was panic among people, and they thought that it was a bomb threat. Within minutes, the same news came in from all parts of the continent. At Brussels, ground crews were using manual checklists on clipboards, while at Charles de Gaulle, baggage handling systems jammed and suitcases piled up on a conveyor belt that had come to a dead stop.
The impacts were both short- and long-lived. Eurocontrol declared a ground stop on all departures throughout the continent, affecting more than 1,200 daily departures. By 8 a.m., the disruption had extended to secondary airports in Amsterdam, Frankfurt, and Rome, where knock-on failures, e.g. through connected system breakdowns, added to the crisis. British Airways, Lufthansa, and Air France were among the airlines losing tens of millions of dollars an hour, with fuel wasted by aircraft idling on the tarmac.
Cybersecurity company Mandiant, contracted by the airport authorities, made an early announcement stating that the attack was caused by a variant of the so-called ShadowPad malware, which has long been a part of advanced persistent threat activity in East Asia. “It is not amateur hour,” was the verdict of a Mandiant spokesperson at a hastily organised virtual press conference.
The precision implies months of reconnaissance, not only of airports but also of the entire supply chain of aviation software vendors. Fingers are already being pointed at non-state actors sponsored by hostile regimes, but authorities have urged caution to avoid premature speculation.
Passenger Plight and Economic Fallout
As for the human cost, the number of affected passengers, approximately 500,000 on the first day, is increasing. Airports came to resemble the early days of the COVID-19 lockdown: families sitting under blankets, children sketching on napkins, and senior travellers seeking medical care under the stress.
The British Red Cross stationed mobile clinics at Heathrow in London, where they treated cases of dehydration and anxiety attacks. “We have had full-grown men crying,” said volunteer paramedic Tom Reilly. “It takes more than the delay; it takes the uncertainty – are they going to get home? Will their jobs survive this?”
Viral videos of packed lounges and improvised camps in arrival halls were shared on social media. Hashtags such as #EuroAirportBlackout and #CyberSkyfall went viral and garnered millions of views. One video from Brussels showed a crowd of desperate Doctors Without Borders aid workers requesting priority boarding on other flights, their shipment of medical supplies bound for a famine-stricken area in East Africa now rotting in unpowered cargo crates.
The economic stakes could not be higher. According to the International Air Transport Association (IATA), losses were estimated to exceed EUR2 billion ($2.2 billion) by the end of the week, including cancelled bookings, spoiled perishables in cargo holds, and overtime pay for skeleton crews.
Economies reliant on tourism, such as Spain and Italy, which are already suffering the impact of summer wildfires, have been dealt a savage blow. It would reduce EU GDP growth by 0.5 per cent in the quarter, warned economist Lena Vogel of the Bruegel think tank in Brussels. Stock markets opened sharply down, and airline shares fell 8-12 per cent, while cybersecurity firms such as Palo Alto Networks rose on the expectation of high-cost contracts.
Beyond the short-term financial damage, the attack reveals fundamental weaknesses in the resilience of global infrastructure. Europe's patchwork of national systems, harmonized under EU directives but differing in their execution, proved a weak point.
“Here we are, we have spent billions in digital upgrades since WannaCry, yet now,” Thierry Breton, European Digital Commissioner, said in his Strasbourg statement. The event also revives discussions of data sovereignty, with demands that critical systems be air-gapped, that is, physically separated from the internet.
Governments Mobilize Amid Geopolitical Shadows
As the sun came up over a congested Europe, governments jumped into action. In the UK, an emergency COBRA meeting was convened, led by Prime Minister Keir Starmer, who committed to offering ironclad support to affected airports and immediate relief of EUR500 million.
“It is an attack on our lifestyle,” he said in Downing Street, flanked by Home Secretary Yvette Cooper. MI5 and GCHQ cyber teams were deployed to Heathrow to liaise with FBI representatives who were flown in from Washington.
On the other side of the Channel, French President Emmanuel Macron summoned his defence council and linked the attack to broader hybrid threats from Russia and China. In a televised address, he stated that we would not give hostages to saboteurs of our skies and declared that we would activate NATO's cyber defence provision, marking the first time it would be used in a non-military sphere.
The Belgian authorities, caught in the middle of the crossfire, announced a national state of alert, and King Philippe tweeted in solidarity, which is unusual for the monarch. The U.S. Federal Aviation Administration (FAA) issued Notices to Airmen (NOTAMs) diverting transatlantic flights, which relieved JFK but overloaded smaller airports in Boston and Philadelphia.
Secretary of Transportation Pete Buttigieg led a press conference and described partnering with allies on intelligence sharing. This, he said, they are considering as a possible precursor to broader attacks, citing unconfirmed information that the rail networks of the United States are being contacted by bombing.
The geopolitical undertones cannot be ignored. Coming closely after intensified naval exercises in the South China Sea, the timing raises suspicions of diversionary action. Russian state media denied involvement in typically dismissive fashion, and Beijing's foreign ministry called for a calm investigation without refuting the possibility. Independent analysts, though, see parallels with the 2021 Colonial Pipeline hack and predict a shift towards strategic disruption, as opposed to actual destruction.
The G7 digital ministers, in a joint statement, described the act of irresponsibly endangering civilians as a curse and suggested an emergency summit in Ottawa next week. Meanwhile, Interpol warned of heightened alert at non-European hubs, from Dubai to Singapore, where connecting flights have become bottlenecks.
Lessons Learned and Pathways to Recovery
Normalisation will take more than a day. Eurocontrol predicts that full system reboots will take between 48 and 72 hours, depending on whether the malware can be purged without loss of data. Airlines are chartering buses and trains for regional reroutes, and low-cost carriers such as Ryanair are issuing vouchers while passenger lawsuits simmer in various jurisdictions.
Tech giants such as Microsoft and Google have sent quantum-encrypted recovery teams, which use AI to trace intrusion vectors. For the aviation industry, it is a wake-up call more deafening than a thunderstorm. Threats of terrorist acts have given way to cyber threats; industry leaders at the annual assembly of IATA last month had warned of such threats, and now the warnings have become a reality.
“We must have an international air travel firewall,” urged the IATA CEO, Willie Walsh. Broken laws will not do against organised assailants. Proposals include using blockchain to authenticate all transactions and requiring vendors to undergo penetration tests at least once a year.
Passengers are grimly making their own way. Real-time delay monitoring apps are failing under the traffic, yet communal Google Docs of hotel deals and shared ride offers are circulating. As a silver lining, the crisis has brought forth some unlikely solidarities, the most prominent being a viral thread of travelers sharing stories in many languages, which transforms adversity into a temporary global village.
At night, with the chaotic day drawing to a close, the skies over Europe are oddly silent, with only emergency helicopters shuttling officials. The full cost of the cyberattack in terms of lost productivity, broken itineraries, and lost trust will take weeks to materialise.
In its audacity, however, it is a reminder of the ugly reality that no border safeguards the commons in today's hyper-connected world. In the meantime, millions are waiting, keeping an eye on radar scopes for the first signs of recovery, in the hope that the next departure will not be in terror.