Deciphering the cyberattack on major European airports: Who could be behind the incident and what was the intent?

Prayukth KV

September 22, 2025

The recent cyberattack on key European airports is another chapter in a series of attacks on critical economic infrastructure globally. As no actor has come forward to claim the attack, there is speculation about what happened and how. In this post, we try to identify the threat actor behind this attack using the available evidence.

To begin with, this ransomware attack was in the making for nearly 4 years. Since 2021, major European airports have been digitally reconnoitered by many threat actors, some of them linked to or reporting to state-backed groups bent on crippling critical infrastructure. The high volume of probe attacks allowed hackers to gather plenty of data with which to digitally profile airports across the region, and that is where these attacks truly began.

So how did it all start?

In order to get to the bottom of these attacks one needs to understand the following factors in detail:

· Timing of the attacks on the 4 major European airports

· Choice of targets

· The events of the last four years that culminated in these attacks and

· Why no actor has claimed to be behind the incident

· Choice of ransomware

Now let’s examine each of these factors in detail in isolation and then put the pieces together.

The timing

This attack happened right at the end of Zapad-2025, a series of military exercises conducted by Russia and Belarus at the Borisov training ground in Belarus. The exercises, as per Russia, were conducted as a “defense response to a notional Western invasion”. Russia is openly conducting these exercises and then, just a week back, Russian drones breached NATO airspace over Poland.

These two developments were not random, isolated events. Instead, the blatant effort to probe NATO airspace and these cyberattacks could all be part of a master script connected to the Zapad-2025 exercises conducted by Russia in Belarus last week. The timing is too obvious to be ignored.

The choice of targets

Brussels, Berlin and Heathrow are among the busiest airports in Europe. Further, they are strategically located and important from a mobility, economy and impact standpoint. Any attack on these airports would naturally have a cascading effect on other airports in the region.

In addition, all three countries that host these airports are home to a significant US military presence in the region. There is the U.S. Army Garrison (USAG) Benelux based in Belgium, and the UK hosts almost 10,000 US military personnel, civilian staff and family members, mostly stationed at bases such as RAF Lakenheath, RAF Croughton, RAF Welford, RAF Fairford, RAF Feltwell, RAF Upwood, RAF Barford St John, RAF Blenheim Crescent, RAF Fylingdales, RAF Menwith Hill, RAF Mildenhall, RAF Alconbury and RAF Molesworth.

Lastly, Germany hosts almost 40 US Army installations, including as many as 5 of the 7 garrisons the US has deployed in Europe. Poland also has a significant US military presence, but as noted earlier, Poland’s airspace was already breached a week ago.

Visual: US bases in EU

The events of the last 4 years

Shieldworkz researchers have been consistently reporting a rise in reconnaissance attacks on critical infrastructure in the region. Airports in Europe have been subject to enhanced digital surveillance since 2021. This has been called out in the latest edition of our threat landscape analysis report.

Major airports in the region were also targeted during the peak Covid days. Such enhanced activity, which has no sectoral parallel anywhere in the world, indicates a long-term threat actor interest in specific elements of critical infrastructure.

There was a reason behind these airports being monitored by Russian threat actors led by APT29, a threat actor conclusively affiliated with Russia's Foreign Intelligence Service (SVR).

Why hasn’t any threat actor posted a claim yet?

As of Monday morning, no actor has claimed to be behind the incident. In fact, there is near-total silence in cyberspace, with only hushed discussions on Telegram. No group has stepped forward and claimed responsibility for these attacks yet. An attack of this scale could have brought plenty of attention and publicity to any group, and had it been a routine attack, the threat actor behind it would have spoken out immediately to gather headlines.

You may recollect that in the recent past, groups such as Scattered Spider (aka Sp1d3rhunters), the shadowy group behind the Jaguar Land Rover cyber incident, have come forward and owned up to cyberattacks within a few hours, if not earlier. Such groups are often motivated by any and all types of publicity and welcome any opportunity to claim the aftermath of an attack planned, influenced or executed by them. This has not been the case here, and the lack of a claim offers the most significant clue yet to the nature of the group behind this cyberattack.

The threat actor behind the cyberattacks on European airports is not after publicity, which suggests it is not an independent group but instead has some form of state affiliation. It wanted to pass on a message quietly.

The ransomware strain used in the attack also seems to be a unique and targeted one. It appears to have been crafted to cloak its original purpose, as is often the case with ransomware that owes its origin to an APT group. The ransom component is just a cover for a more sinister purpose, while sending an unambiguous geopolitical message.

Putting the pieces together

When one adds up the scattered evidence, the conclusion becomes as clear as daylight in summer. This is an attack on critical infrastructure carried out by a state-backed actor. As of now, all fingers point to possible Russian APT involvement. The fact that these attacks happened within 7-10 days of airspace breaches and regional military exercises, the lack of a claim by any threat actor, and the sophistication of the attack are all indicators that back this conclusion.

Contrast this with the Jaguar Land Rover cyberattack, where a claim was made by Scattered Spider (aka Sp1d3rhunters) within 48 hours of the attack being discovered.

No matter how you look at the attack, it is time to scale up defenses to improve security and put critical assets and networks out of reach of threat actors.

Talk to our cyber threat intelligence experts for a custom briefing.

Here’s a bit about our incident response capabilities.
