20 Apr What to learn from the SAS hack?
What is the SAS hack?
Scandinavian Airlines (SAS) was the victim of a cyber attack on Feb. 14, 2023. The hack caused the website and the mobile application to be down for hours. In addition, for several hours after the systems came back online, it was possible for customers to view other customers’ data, including credit card information, booking dates and address information.
Who was the attacker behind the SAS hack and what is their motive?
We can imagine that for most employees and customers of SAS (or any other airline), it’s not that important to know who the attacker was. From a security team’s perspective however, it is crucial to know, as we often see certain attack groups targeting specific industries. This way, they can specialize and improve their attacks every time.
The group that claimed the hack on SAS is called ‘Anonymous Sudan‘ this group claims they are known to carry out attacks with a politically colored motive, in this case it was ‘climate driven’. In the security industry these groups are known as ‘hacktivists’ or ‘hacktivists’. The specialty of this group is using DDoS attacks. These are attacks that cause the victim’s systems to be (temporarily) unusable.
For hours no new tickets were sold and systems were unusable. This definitely had impact and resulted in financial damage for SAS as well. From the perspective of ‘Anonymous Sudan’, the attack certainly was a success.
What can we learn from the SAS hack?
After the attack, SAS immediately published a statement, which is great. At the same time, their statement somewhat downplays the attack by stating that no other data was stolen and that they’re reassuring passengers that the stolen data doesn’t hold anything of use.
The latter in particular is a risky statement because SAS hasn’t fully completed their investigations and cannot guarantee that the data fell into the wrong hands.
Could another airline become a victim?
Of course, this can happen to another airline as well. However, you can minimize the chancers hackers become successful by:
- Keeping associate airlines around the world well informed about what’s going on in terms of cyber.
- Continuously monitoring systems for ‘suspicious traffic flows’.
- Reporting suspicious activity immediately to the appropriate (security) department.
- DDoS attacks are often accompanied by slow or inaccessible systems. That’s why reporting them to the appropriate department is crucial.
It’s important to note that hackers often use the inattention of employees to successfully carry out their attacks.
How can users recognize DDoS attacks?
As a user, you may notice that the internet connection is slow or unresponsive. Next to this, the device you’re working on could have trouble accessing websites, online services and business applications. These could be signs of a possible DDoS attack (Distributed Denial of Service).
You can also check if other users are experiencing the same issue(s). If you suspect a DDoS attack has been initiated, it is important not to click on suspicious links or download files from unknown sources, as these may be part of the attack. When in doubt, report your suspicions immediately to the appropriate department.
If you are unsure which department this is, it’s important to find out as soon as possible. In most cases, you can get this information from your support department or the IT helpdesk.
Security teams should always try to identify who is behind an attack because certain attack groups may target specific industries.
Airlines can minimize the chances of an attack being successful by keeping an eye on what is happening at competitors or partners. It is also important that colleagues know what suspicious activity is and to which department they need to report this.