July 28, 2020 By Claire Zaboeva 4 min read

The combination of lockdown measures, travel restrictions and stalling demand brought on by COVID-19 has caused an unprecedented collapse in the global air transport industry. Facing a projected loss of $84.3 billion in revenue and 32 million aviation-related jobs worldwide, nations are scrambling to provide much-needed financial support to sustain domestic airlines. As countries independently debut various government-guaranteed loans, subsidies and other financing instruments to keep their respective airlines afloat, the global air transport industry landscape appears to be fracturing along nation-state lines.

IBM X-Force Incident Response Intelligence Services (IRIS) anticipates the post-COVID-19 Aviation Cyber Threat Landscape will see a rise in state-sponsored cyber threat activity targeting industrial trade secrets, intellectual property and supply chain technology. It is highly likely nation-states, having directly invested in their domestic aviation space and demonstrated a proven history of targeting aviation and aerospace sectors, will increase cyber-enabled operations to gain commercial advantages to advance their domestic champions.

Airlines and adjacent partners face the effects of the current global health crisis and the oncoming state-based competition. We sound caution to the global aviation industry, their third-party partners and network defenders.

A High Value Target on Its Knees

The key role the global air transport industry plays in global trade, passenger travel and tourism makes the aviation industry critical to guaranteeing the economic security of many nations. This status presents a high-value target to state-sponsored advanced persistent threat actors (APTs), which have historically conducted both industrial espionage and cyber-based kinetic attacks against the critical infrastructure of adversaries.

Today, with $123 billion in government aid poured into their preservation, governments will insist that their champions prosper. In the melee and distress of the ongoing pandemic, malicious cyber actors in their employ may find that the chaos presents an excellent opportunity to exploit security vulnerabilities in the wake of increased competition.

New Priorities to Match New Objectives

It is highly likely nation-states, with a track record of exploiting the aviation sector, will direct their cyber apparatus to harvest data important to the prosperity of their newly state-owned and supported airlines. These requirements likely include critical assets from long-term strategies and negotiation positions, unique business processes, company financials, R&D and supply chain data residing on corporate networks. In addition, foundational operational technologies and industry adjacent enterprises, which play a critical role in airline operations, may also emerge as high-priority targets.

Supply Chain

Nations have officially listed the aviation and aerospace industries as critical manufacturing centers for the economic and technological advancement of their state. Since at least 2012, malicious state-sponsored actors have sought to exploit various segments of contractors and subcontractors vital to the aviation supply chain. The illegal collection of industry technology has historically served as a means of cheaply and effectively acquiring technology to accelerate the advancement of their own domestic production. In the post-COVID arena, nations will place emphasis on strengthening their commercial industry by evolving their internal processes. Cyber-based collection against supply chains, from raw material and component suppliers to installation and maintenance providers, will provide a means of acquiring insight into fundamental processes and factors of production.

Operational Technology

Following the global crisis, other countries intent on relying on their own domestic technologies and components have elected to collect on operational technology in the form of industrial control systems and supervisory control and data acquisition systems. These bedrock technologies are interspersed throughout critical airline systems to facilitate multiple processes, from baggage handling to energy supply management and runway lighting.

Upstreaming

States that have targeted airlines as a means of collecting personally identifiable information may demonstrate a shift in tactics, techniques and procedures. Specifically, we may see a shift from compromising customer data or airline loyalty programs to facilitate global monitoring and surveillance to using that access to gain insight into unique company policies or processes. This shift may allow states to upstream into different company verticals or partner environments, as well as access other targets of interest that may help their national airlines stand against regional and international competitors.

Wild Card and Industry Adjacent Targets

Malicious state actors have intentionally disrupted industry adjacent targets which support the functioning of airline systems. Based on X-Force IRIS engagements, states have focused activity against airports and fuel suppliers which provide mission critical functions, interrupting operations and producing negative sequential effects throughout global airline operations. As pandemic-induced changes bring greater levels of state ownership, airlines, especially flag carriers, will gain additional status as targets of iconic value whose disruption would have a high impact on the target nation’s economic welfare. The downing or disruption of industry adjacent targets may provide a ‘softer’ or more accessible target for conducting network operations.

Greater Vigilance Required

According to the International Monetary Fund’s most recent World Economic Outlook, global growth is predicted to drop -4.9%, making the impact of the lockdown greater than that of the Great Depression and far outstripping the 2008 financial crisis. Now more than ever, state dependence on the airline industry makes cyber exploitation efforts by state actors more likely and, perhaps, more aggressive.

Now is the time to prepare by doing the following:

  • Maintain an accurate, up-to-the-minute threat intelligence picture. It is among the best ways to stay apprised of threats and potential shifts in attack patterns.
  • Perform proactive threat hunting on network endpoints. It is crucial to detecting and preventing threats before they impact your network.
  • Join a community dialogue like the Aviation Information Sharing & Analysis Center.
  • Keep a playbook to mitigate and remediate security threats. Tabletop exercises led by incident response professionals can hone an airline’s ability to respond to and recover from a cyber emergency.
