Cyber-attack targets Japan Airlines
KEY EVENTS
▪ In the morning hours of 26 December 2024, Japan Airlines (JAL) was hit by a DDoS cyber
attack. The problem started when the company’s network connecting internal and external
systems began malfunctioning, specifically related to the luggage check-in system. Japan
Airlines is Japan’s second largest carrier.
▪ In response, the airline temporarily suspended
all domestic and international ticket sales for the rest of the day. By the evening, the airline announced that 27 December flights were scheduled to operate as normal. The attack resulted in a delay of 24 domestic flights for more than 30 minutes. Japan Post Co. reported that both mail and parcel deliveries were also affected by the flight disruptions.
▪ The airline identified the cause as an attack intended to overwhelm the network with massive
transmissions of data, i.e. a Distributed Denial of Service (DDoS) attack: an attack that floods a
system or network with traffic until the target cannot respond or crashes.
▪ According to Japan Airlines, the carrier was able to stop the attack and restore its systems
hours later. The attack did not involve a virus or cause any customer data leaks. Flight safety
was not impacted.
▪ This is not the first time concerns have been raised regarding Japan’s cybersecurity,
particularly as the nation is taking steps toward boosting its defense capabilities and
tightening relations with the United States and other Western allies.
In June 2024, it came to light that the Japan Aerospace Exploration Agency (JAXA) had been
targeted in a series of cyber attacks over the course of the previous year. While no sensitive
data was obtained by the hackers, the agency has begun an investigation to determine the
scope of the damage caused by the attacks and taken measures to shut down the systems
that may have been involved in the incidents.
In July 2023, the Port of Nagoya, which is responsible for roughly 10 percent of Japan’s total
trade volume and a key hub for Toyota Motor Corporation’s car exports, was targeted in a
crippling ransomware attack that paralyzed operations at the container terminal for three
days.
INSIGHTS
▪ The incident clearly demonstrates that the aviation domain remains an attractive target for
cyber adversaries. Furthermore, as airlines become increasingly reliant on technology, the
risk of cyber threats continues to increase.
An 11 December 2024 report published by global commercial law firm Clyde & Co revealed a
surge in ransomware attacks among other cyber threats against the aviation industry.
According to the report, cyberattacks in the aviation industry rose by 131% from 2022 to 2023,
with most attacks targeting airspace users, which of course includes airlines.
▪ The DDoS attack on JAL coincides with one of the most active travel times in Japan and the
global peak year-end holiday travel season. We have seen that holiday periods, particularly
Christmas to New Year, are more attractive to adversaries in both the cyber and physical
domains looking to carry out high-profile attacks with large-scale ramifications.
In the cyber domain, for example, cyber risks are especially high during the holidays due to
such factors as distracted shoppers and employees, heightened network traffic and an influx
of phishing opportunities.
▪ As the fourth largest economy in the world and a pivotal center for cutting-edge technology,
Japan makes a prime and attractive target for cyber adversaries. We also cannot disregard
the role of geopolitics in understanding why Japan has been increasingly targeted in large
scale cyber attacks against its critical infrastructure.
Japan has long been engaged in a territorial dispute with Russia over the Kuril Islands, or
Northern Territories in Japan. Furthermore, since the onset of Russia’s war against Ukraine
in 2022, the Japanese government has demonstrated consistent support for Ukraine, sending
the country military equipment and humanitarian assistance. In July 2024, Japan pledged
US$6.3 billion in aid to Ukraine, making it the second largest bilateral donor after the United
States.
In addition, Japan’s cabinet most recently approved a new US$55.13 billion defense budget,
primarily to fund new security and defense policies and initiatives announced in December
2022. These policies are driven in large part by geopolitical shifts which have taken place in
China, North Korea and Ukraine, amid growing regional challenges and potential risks,
including China’s increased maritime presence in the East China Sea and military exercises
around Taiwan, and North Korea’s efforts to further its nuclear weapons and missile capabilities.
Finally, taking into consideration shared common goals in the Indo-Pacific region and
deterrence of aggression from China, Russia and North Korea, relations between Japan and
the United States have reached unprecedented heights.
It stands to reason that these geopolitical factors have likely heightened Japan’s cyber threat
profile from state actors including China, Russia and North Korea, with which relations have
become increasingly antagonistic.
▪ Traditional enterprises like airlines have been an attractive target for cyber attacks, as many
often rely on legacy software which can be out-of-date or have existing vulnerabilities that
were not patched and that may be exploited. In recent years, there have been numerous cyber
attacks against the aviation sector of growing sophistication and complexity. Some relevant examples include:
o Milan airports (28 December 2024) – Using the same cyber attack vector that was used
against JAL, a hacker group by the name of NoName057(16) claimed responsibility for a
series of DDoS cyber attacks targeting the websites of Milan’s two main airports as well as
those of Italy’s Foreign Ministry and the public transport networks in Siena and Turin. The
operator of both Malpensa Airport and Milan-Linate Airport announced that the attack was
mitigated in less than two hours and that flights continued as normal.
o Leonardo Russian flight booking system (2023) – The Russian flight booking system
was hit by a massive DDoS attack claimed by the Ukrainian hacktivist group IT Army.
The incident lasted for roughly an hour and impacted Leonardo customer operations
including air carriers Rossiya Airlines, Pobeda and Aeroflot. The incident caused
delays on departures from Moscow’s Sheremetyevo International Airport, Russia’s
busiest airport.
o EasyJet (2020) – A major data breach exposed personal data of nine million customers
including bank details.
o Air Canada (2018) – Air Canada requested that 1.7 million mobile app accountholders
reset their passwords after it detected unusual login behavior which may have
exposed 20,000 accounts, including customer passport details as well as app profile
data containing a person’s name, address and email address.
o British Airways (2018) – British Airways announced that the personal and financial
information of 380,000 of their passengers had been hacked. Passenger names,
home addresses and credit card data were all stolen during the 15-day security
breach. A script running on BA’s baggage claim information page had been changed
just before the breach began. The new script was designed to capture the personal
and financial data customers entered including names and home addresses, as well
as credit card numbers, expiry dates and CVV codes. That information was then
relayed to a database under the hacker’s control. In this attack, hackers were able to
gain access to sensitive information without disturbing the flow of commerce or
raising suspicion.
o Cathay Pacific (2018) – Cathay Pacific acknowledged that the personal data of up to
9.4 million passengers, including passport numbers, was accessed by unauthorized
personnel. The discovery that some of its information systems had been
compromised was made amid routine ‘ongoing IT security processes.’ Data accessed
included passenger names; nationalities; dates of birth; phone numbers; email
addresses; physical addresses; 860,000 passport numbers; 245,000 Hong Kong ID
card numbers; frequent flyer program membership numbers; customer service
remarks; and historical travel data.
o LOT Polish Airways (2015) – Hackers used a distributed denial-of-service (DDoS)
attack on information technology (IT) systems to breach ground computers. As a
result, LOT was unable to issue flight plans for outbound flights from its Warsaw hub,
forcing the carrier to cancel roughly 20 foreign and domestic flights and grounding
1,400 passengers. The DDoS attack flooded the computer servers with so many
communication requests that it overloaded servers, rendering them nonfunctional.
RECOMMENDATIONS:
▪ This attack highlights the importance of putting in place robust cybersecurity measures and
adhering to cybersecurity hygiene. ASERO applauds the airline’s ability to detect, respond
to and recover from the attack within a matter of hours and with minimal disruption to airline and
flight operations.
▪ It is important to recognize the cyber domain as a new battlefield by which state actors can
affect political change.
▪ We know that cyber adversaries are continually developing new tactics and discovering new
vectors for targeting critical sector systems and networks. It is necessary for the aviation
industry and critical infrastructures in general to ensure that they, too, are adapting their
cybersecurity policies and strategies to meet evolving threats and minimizing identified
vulnerabilities which may be exploited by an adversary.
▪ While we cannot be certain as to how the hackers penetrated the airline’s system, we know
that the attack targeted the network which acts as the connector between internal and external
systems. It is important to understand where within the overall aviation cyber ecosystem this
network lies and what it is connected to.
Today, major players in the aviation ecosystem are becoming increasingly aware of how
interconnected their operations are and that often inadequately understood interfaces and
interdependencies between information infrastructures, networks and systems have the
potential to pose a grave risk. An attack on one system or network, whether critical,
important or supporting, could cause cascading effects on other systems, leading to large
scale turmoil and even disruption of critical aviation operations, e.g. airport, airline and other
aviation stakeholder operations.
In order to meet this challenge, it is necessary to understand and evaluate the risks to critical
systems, which may be posed by other interconnected critical as well as important and/or
supporting systems, that result from interfaces and interdependencies related to data flows
and the impacts they may have on overall airport and aviation operations.
To that end, entities must map their critical systems in order to properly understand where
their interdependencies and vulnerabilities lie and to take appropriate measures aimed at
securing them.
▪ It is necessary to construct and deploy an entity-wide Security Operations Center (SOC),
inclusive of Security Information and Event Management (SIEM), with the aim of detecting and
responding to any system or network anomalies. A dedicated cyber security specialist, i.e.
not just any IT employee, should be charged with drafting SOC procedures and identifying relevant
anomalies requiring additional inspection.
▪ It is important to ensure proper segmentation between administrative networks and
operational or sensitive networks. This will prevent scenarios in which an adversary is able to
successfully utilize access to the administrative networks to access sensitive information or
even pose safety or security risks.
▪ Cyber security should be an integral component of all training and awareness campaigns for
all entities. It is also important to ensure that third party service providers are made aware of
and trained on the importance of ensuring optimal cyber security.
▪ It is necessary to implement robust cybersecurity hygiene practices and procedures, as well
as a Quality Assurance (QA) program that includes procedures for conducting annual internal and
external audits and a tabletop and red teaming exercise regime to ensure optimal
preparedness, identify gaps and measure return on security investment.
ASERO offers unparalleled experience in defining cyber assets and establishing cyber security
policies and measures for critical infrastructure, with an emphasis on the aviation domain. Our
team recently completed a pioneering, large-scale project for a global airport hub designed to
map aviation ecosystem interdependencies, define and quantify threat criteria, identify and
classify critical and other systems and propose a roadmap for implementation of security and
mitigation measures over the short, medium and long term.