Last year in December, the Indian government confirmed that several major airports in the country were targeted in a coordinated attack designed to destabilize flight operations through GPS spoofing. The attacks were carried out across major airports in Delhi (serving the National Capital Region and India’s busiest airport), Mumbai (India’s financial capital) and Bengaluru (the IT hub). Flight using GPS-based landing facilities reported GPS spoofing in the vicinity of these airports. In case of the IGI airport in Delhi, the spoofing signals were specifically targeting Runway 10.

In today’s blog post, we do a deep dive into this incident and bring out some interesting and unreported facts. But before we move forward, do not forget to check out our previous blog post on Rail cyber resilience in 2026: Leveraging the TS 50701 assessment, here.

Someone told me about this incident when I was at an event. While I wanted to do a short article on this topic immediately, I decided to wait till I had more information. So here we go.

The background

Last month, India’s Civil Aviation Minister informed the nation’s Parliament that flights landing at multiple airports in the country reported GPS spoofing while using GPS-based landing procedures. He specifically mentioned Runway 28/10 of the IGI Airport in Delhi (and this is an important aspect of this incident) while acknowledging that the airports of Delhi, Mumbai, Kolkata, Hyderabad, and Bengaluru were affected by the spoofing incidents. In case of IGI airport, the spoofing zone was within about 60 nautical miles (around 111 kilometres) from the airport’s perimeter. 

Rogue actors can use false GPS signals to mislead aircraft navigation systems about their actual position and altitude thus compromising navigational integrity. Unlike jamming where the signals are blocked, in spoofing, the rogue actor(s) replaces the genuine satellite signal with a fake one to mislead aircraft without raising an alarm. These fake signals can then mislead pilots or automated systems causing them to take wrong decisions based on wrong altitude, heading or direction data. This makes it a bit more difficult to detect a spoofing. In this instance, the airports impacted fell-back on back-up systems and initiated contingency measures to ensure secure operations and to avoid disruption.  

Incidentally, Runway 10 of IGI airport, Delhi was upgraded recently to Category III (CAT III) Instrument Landing System (ILS) designed to improve low visibility operations during winter months. The ILS essentially provides a horizontal (localizer) and vertical (glide slope) radio signals to guide an aircraft to land by aligning the aircraft and descent. This measure almost doubled the landing capacity of the runway from 15 to 30 aircraft per hour in low visibility conditions.  As of 2024, 6 airports in India have CAT III certified runways. And this becomes an important factor in amplifying the security issues connected with this incident.

ILS ground transmitters can also be spoofed by manipulating the radio signals. This can be done in 3 ways:

• Through an overshadowing attack: A high-power signal beamed by the rogue actor replaces the legitimate one entirely. This allows the attacker to control the navigation information being consumed in the cockpit.

• Single-tone attack: The rogue actor transmits just one of the 90 Hz or 150 Hz sideband tones at an appropriate amplitude. This interferes with the DDM calculation and causes the aircraft's instruments to show a false offset.

• Offset correction: Sophisticated attackers can also monitor the aircraft's position and continuously adjust their spoofed signals in real-time, subtly guiding the aircraft off the true course without triggering any immediate suspicion. 

Now lets come to the actual scenario or impact that the rogue actors may be working towards.

High risk scenario: Concurrent spoofing of CAT III and GPS signals

If a rogue actor manages to spoof both the CAT III ILS and GPS signals, an extremely high risk scenario will result that will eventually lead to complete breakdown of basic navigation systems and possibly a Controlled Flight Into Terrain (CFIT) accident (euphemism for crash). Such an attack essentially overrides every available redundancy and sets up a very high risk environment during a low visibility landing.

Such an attack can also maim the primary GPS and critical back up (in the form of ILS) disabling the aircraft system's ability to cross check navigational and terrain data and flag anomalies. The target aircraft may then follow an erroneous path without any warnings. It can bring the aircraft much closer to an incident involving the terrain or other aircraft leaving very little reaction time for the crew to respond to. This can result in catastrophic consequences.

Spoofed location or altitude can also create a situation wherein false alarms may be raised in the cockpit by the aircraft to overwhelm the crew who may then miss a genuine alert. Both these scenarios are very much within the realm of possibility and cannot be dismissed as a product of overthinking.  

Impact on flight crew and Air Traffic Control

• Extreme crew workload: Pilots especially on trans-continental flights could face a sudden influx of conflicting information and warnings from various systems. As mentioned earlier, this could drastically increase their workload and slow down their ability to react accurately during a critical phase of flight, such as approach or landing.

• Loss of situational awareness: The flight crew's ability to maintain awareness of their actual position and altitude could be severely compromised. This is especially true in low-visibility (CAT III) conditions where external visual cues are minimal.

• Air Traffic management disruption: ATC relies on radar and ADS-B data to maintain safe separation between aircraft. If multiple aircraft in a region are impacted simultaneously, ATC systems would be overwhelmed by inaccurate position reports, making deconfliction and providing radar vectors difficult and less efficient.

• Operational chaos: Most likely, the immediate result would be mandatory go-arounds, diversions to alternative airports, and significant air traffic congestion. If one or more aircraft is running low on fuel then the consequences could be tragic.    

In essence, spoofing both ILS and GPS signals can create a situation wherein the aircraft's primary and critical secondary navigation systems are compromised. It creates a significant safety risk that requires immediate reversion to basic, manual piloting skills and reliance on alternative, often less precise, conventional navigation aids like VOR/DME, which are increasingly being phased out. Such options may not even be available in case of a low visibility runway or a national emergency which the rogue actors can then use to their benefit.

Potential actors: Who could be behind this incident?

While the Wireless Monitoring Organisation (WMO) and CERT-In are still tracing the precise sources of the spoofing signals, the profile of potential actors in the aviation sector typically falls into four broad categories:

• State-sponsored APTs (Advanced Persistent Threats): This bunch includes sophisticated groups that work towards strategic sabotage or testing the resilience of a nation’s critical infrastructure and their hired hands.

• Chinese saboteurs: In April 2025, cargo aircraft belonging to Indian Air Force that were flying relief material to earthquake-hit Myanmar faced spoofing attacks. In that instance, China had allegedly supplied the spoofing equipment to groups inside Myanmar who used it to target IAF aircraft. In the recent past, China had also supplied similar equipment to Pakistan as well which is being extensively used by it across the Indo-Pak border and the Line of Control. Could such equipment have also been supplied to rogue actors across Indian cities that are hosting major airports?

• Geopolitical hacktivists: Ideologically motivated groups that use "digital blockades" to make political statements. Considering the scale of this incident and the lack of any claims, we can safely rule out the involvement of hacktivists in this incident.

• Cyber-criminal syndicates: There is very low likelihood of regular criminals indulging in such crimes but then again it is possible that the manpower required for such episodes were provided by them.

  
  

What was the real motive behind this incident?

In my opinion, this was a dry run to test a multi-airport strike on aviation navigation systems as part of a much larger plan. The rogue actor was trying to test the impact of a multi-city strike on the targeted systems and infrastructure. Further, the actor was also testing the quality of response from authorities to check what additional steps should be taken in the future to ensure that the impact of such a coordinated strike plays out at the maximum level possible causing the highest level of disruption.

It is clear that we haven’t reached the last chapter of this episode yet. The rogue actor involved may be waiting to strike again in a much larger manner at an opportune moment.     

The 2026 cybersecurity roadmap for airports everywhere

The response to these "navigation scares” has to be clear, precise and unambiguous.

·       The equipment supplied to these actors has to be seized and the rogue actors apprehended

·       Constant vigil has to be maintained across civilian airports to detect and locate the enabling equipment within a very short time period of them being activated

·       Conduct incident response drills to test the initiation of contingency measures

·       Explore countermeasures to jam any interference attempts

The clock is ticking. We need to act fast.

Reach out to us for a custom briefing on cyber threats.

Learn a bit more about Shieldworkz’ Incident response services

Test drive our OT security platform here.