July 28, 2020 By Claire Zaboeva 4 min read

The combination of lockdown measures, travel restrictions and stalling demand brought on by COVID-19 has caused an unprecedented collapse in the global air transport industry. Facing a projected loss of $84.3 billion in revenue and 32 million aviation-related jobs worldwide, nations are scrambling to provide much-needed financial support to sustain domestic airlines. As countries independently debut various government-guaranteed loans, subsidies and other financing instruments to keep their respective airlines afloat, the global air transport industry landscape appears to be fracturing along nation-state lines.

IBM X-Force Incident Response Intelligence Services (IRIS) anticipates the post-COVID-19 Aviation Cyber Threat Landscape will see a rise in state-sponsored cyber threat activity targeting industrial trade secrets, intellectual property and supply chain technology. It is highly likely nation-states, having directly invested in their domestic aviation space and demonstrated a proven history of targeting aviation and aerospace sectors, will increase cyber-enabled operations to gain commercial advantages to advance their domestic champions.

Airlines and adjacent partners face the effects of the current global health crisis and the oncoming state-based competition. We sound caution to the global aviation industry, their third-party partners and network defenders.

A High Value Target on Its Knees

The key role the global air transport industry plays in global trade, passenger travel and tourism makes the aviation industry critical to guaranteeing the economic security of many nations. This status presents a high-value target to state sponsored advanced persistent threat actors (APTs) which have historically conducted both industrial espionage and executed cyber-based kinetic attacks against the critical infrastructure of adversaries.

Today, with $123 billion in government aid poured into their preservation, governments will insist that their champions prosper. In the melee and distress of the ongoing pandemic, malicious cyber actors in their employ may find that the chaos presents an excellent opportunity to exploit security vulnerabilities in the wake of increased competition.

New Priorities to Match New Objectives

It is highly likely nation-states, with a track record of exploiting the aviation sector, will direct their cyber apparatus to harvest data important to the prosperity of their newly state-owned and supported airlines. These requirements likely include critical assets from long-term strategies and negotiation positions, unique business processes, company financials, R&D and supply chain data residing on corporate networks. In addition, foundational operational technologies and industry adjacent enterprises, which play a critical role in airline operations, may also emerge as high-priority targets.

Supply Chain

Nations have officially listed the aviation and aerospace industries as critical manufacturing centers for the economic and technological advancement of their state. Since at least 2012, malicious state-sponsored actors have sought to exploit various segments of contractors and subcontractors vital to the aviation supply chain. The illegal collection of industry technology has historically served as a means of cheaply and effectively acquiring technology to accelerate the advancement of their own domestic production. In the post-COVID arena, nations will place emphasis on strengthening their commercial industry by evolving their internal processes. Cyber-based collection against supply chains, from raw material and component suppliers to installation and maintenance providers, will provide a means of acquiring insight into fundamental processes and factors of production.

Operational Technology

Following the global crisis, other countries intent on relying on their own domestic technologies and components have elected to collect on operation technology in the form of industrial control systems  and supervisory control and data acquisition systems. These bedrock technologies are interspersed throughout critical airline systems to facilitate multiple processes, from baggage handling to energy supply management and runway lighting.


States who have targeted airlines as a means of collecting personally identifiable information may demonstrate a shift in tactics, techniques and procedures. Specifically, we may see a shift from compromising customer data or airline loyalty programs to facilitate global monitoring and surveillance to using access to gain insight into unique company policies or processes. This shift may allow for states to upstream into different company verticals or partner environments, as well as access other targets of interest that may help their national airlines stand against regional and international competitors.

Wild Card and Industry Adjacent Targets

Malicious state actors have intentionally disrupted industry adjacent targets which support the functioning of airline systems. Based on X-Force IRIS engagements, states have focused activity against airports and fuel suppliers which provide mission critical functions, interrupting operations and producing negative sequential effects throughout global airline operations. As pandemic-induced changes bring greater levels of state ownership, airlines especially flag carriers, will gain additional status as targets of iconic value whose disruption would have high impact on the target nation’s economic welfare. The downing or disruption of industry adjacent targets may provide a ‘softer’ or more accessible target for conducting network operations.

Greater Vigilance Required

According to the International Monetary Fund’s most recent World Economic Outlook, global growth is predicted to drop -4.9%, placing the impact of the lockdown greater than that of the Great Depression, and far outstripping the 2008 financial crisis. Now more than ever, state dependence on the airline industry makes cyber exploitation efforts by state actors more likely and, perhaps, more aggressive.

Now, is the time to prepare by doing the following:

  • Have an accurate, up-to-the-minute threat intelligence picture. It is among the best ways to stay apprised of threats and potential shifts in attack patterns.
  • Perform proactive threat hunting on network endpoints is crucial to detecting and preventing threats before they impact your network.
  • Join a community dialogue like the Aviation Information Sharing & Analysis Center.
  • Have a playbook to mitigate and remediate security threats are especially critical. Tabletop exercises led by incident response professionals can hone an airline’s response and recover from a cyber emergency.

More from Advanced Threats

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today