Full Report
Stewart Lewis reports: Operations at the Kelowna, B.C., airport (YLW) were disrupted Tuesday evening after its passenger information screens and public address systems were overtaken in a terrorist cyberattack. The incident began about 5:15 p.m., when pro-Hamas messaging could be seen and heard throughout the airport. A message took over flight information screens announcing the system was...
Analysis Summary
# Incident Report: Cyber Attack on Kelowna Airport Information Systems
## Executive Summary
On October 15, 2025, an anti-Israel cyberattack disrupted operations at the Kelowna International Airport (YLW) when threat actors gained unauthorized access to the passenger information screens and public address (PA) systems. The attackers defaced systems with pro-Hamas messaging and political statements. The incident primarily caused operational disruption and required immediate manual intervention to manage passenger information dissemination.
## Incident Details
- **Discovery Date:** October 15, 2025 (Around 5:15 PM local time)
- **Incident Date:** October 15, 2025
- **Affected Organization:** Kelowna International Airport (YLW), Kelowna, B.C.
- **Sector:** Aviation/Transportation
- **Geography:** Kelowna, British Columbia, Canada
## Timeline of Events
### Initial Access
- **Date/Time:** Tuesday evening, approximately 5:15 p.m. [October 15, 2025]
- **Vector:** Unspecified; the reporting characterizes the attack as "terrorist." The attack achieved a takeover of the passenger information systems, but the specific weakness exploited is not identified in the source.
- **Details:** Threat actors gained control of flight information screens and PA systems.
### Lateral Movement
- **Details:** Not explicitly detailed in the provided source, but the attack targeted networked display and audio infrastructure within the airport environment.
### Data Exfiltration/Impact
- **Impact:** Disruption of normal airport operations due to takeover of critical public communication systems.
- **Messaging Deployed:** Screens displayed "Hacked By Mutariff Siberislam" (also known as SiberIslam) along with political messages such as "Israel lost the war, Hamas won the war honorably," and references to U.S. President Donald Trump.
### Detection & Response
- **Detection:** The incident was observed when pro-Hamas messaging began appearing on screens and broadcasting over the PA systems at 5:15 p.m.
- **Response Actions:** Operations were disrupted, necessitating manual handling of communications following the breach of the digital display and audio systems. The report implies the systems were eventually cleared of the unauthorized messages.
## Attack Methodology
- **Initial Access:** Hacking/compromise of the public information display and audio systems (likely through an exposed web-facing management service or a poorly segmented network that controls these devices; the source does not confirm the path).
- **Persistence:** Not detailed, but implied the attacker maintained control long enough to broadcast multiple messages.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** The nature of the attack (defacement/hijacking) suggests direct manipulation of the presentation layer rather than stealthy data theft.
- **Credential Access:** Not detailed.
- **Discovery:** Likely through scanning or targeting known control interfaces for airport Passenger Information Display Systems (PIDS) or PA systems.
- **Lateral Movement:** Not detailed.
- **Collection:** Not applicable (Focus was disruption/defacement).
- **Exfiltration:** Not applicable.
- **Impact:** Operational disruption through malicious display/audio injection.
## Impact Assessment
- **Financial:** Not disclosed. Potential costs involve system remediation, investigation, and potential fines related to security failures.
- **Data Breach:** No evidence of sensitive passenger or internal data exfiltration was reported; the impact was focused on system availability and integrity for public messaging.
- **Operational:** Significant, forcing immediate procedural changes to communicate flight/safety information manually until systems were cleared.
- **Reputational:** Potential reputational damage given the high-profile, politically motivated nature of the disruption at an international airport (even though the affected operations were domestic Canadian flights).
## Indicators of Compromise
Because the incident was a system hijacking/defacement rather than a traditional malware infection, the available IoCs are limited to actor attribution:
- **Network indicators:** None provided in the source (no IPs or URLs to defang).
- **Attribution:** The threat actor self-identified on the defaced screens as "Mutariff Siberislam" (also "SiberIslam").
- **File indicators:** None specified.
- **Behavioral indicators:** Unauthorized takeover and broadcast over airport PIDS and PA systems.
## Response Actions
- **Containment measures:** Taking the compromised PIDS and PA systems offline or isolating them from core airport networks to stop the unauthorized broadcasting.
- **Eradication steps:** Removing the malicious content and potentially resetting access controls for the compromised systems.
- **Recovery actions:** Resuming normal communications procedures, likely relying on manual updates until digital systems were verified clean.
## Lessons Learned
- The necessity of robust segmentation between critical operational technology (OT) managing passenger information/safety systems and public-facing networks.
- Passenger information and PA systems are high-value targets for politically motivated disruption campaigns.
- Relying solely on digital systems for critical communication requires strict access controls and immediate failover procedures to manual systems.
## Recommendations
- Immediately audit all interfaces controlling public display and audio systems for unauthorized external access points.
- Implement Multi-Factor Authentication (MFA) for all administrative access to PIDS and PA management consoles, regardless of network location.
- Develop and regularly test a formal manual communication plan to ensure essential passenger updates can continue uninterrupted during PIDS/PA system compromise.
- Review incident response playbooks specifically for content injection/defacement attacks targeting public-facing infrastructure.
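One concrete form the first recommendation can take is a periodic audit of who is reaching the management ports of the PIDS and PA controllers. The script below is an added example, not code from the report or from the airport's systems; the controller addresses, admin subnet, log format and log lines are all constructed for illustration. It parses connection records and flags any allowed session to a controller management port whose source is outside the allowlisted admin subnet, distinguishing external sources from internal hosts that should not have management reach.

```python
"""Added example (not from the report): audit connection records for
PIDS/PA controller management ports reached from outside an allowlisted
admin subnet. Every host, subnet, port and log line here is constructed."""
import ipaddress
from dataclasses import dataclass

# Assumed (constructed): controller hosts and their management ports.
CONTROLLER_PORTS = {
    "10.20.5.10": {22, 443},    # hypothetical PIDS head-end
    "10.20.5.11": {80, 8443},   # hypothetical PA controller
}
# Assumed (constructed): the only subnet permitted to reach management ports,
# and the address range considered "internal" for classifying findings.
ADMIN_SUBNET = ipaddress.ip_network("10.20.1.0/24")
INTERNAL_RANGE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    reason: str


def parse_record(line):
    """Parse one constructed record: '<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>'."""
    ts, src, _, dst, proto, action = line.split()
    s_ip, _s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": s_ip, "dst": d_ip, "dport": int(d_port),
            "proto": proto, "action": action}


def audit(lines):
    """Return a Finding for each allowed session to a controller management
    port whose source is not inside ADMIN_SUBNET."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        mgmt_ports = CONTROLLER_PORTS.get(rec["dst"])
        # Only allowed sessions to a known controller's management port matter.
        if mgmt_ports is None or rec["dport"] not in mgmt_ports or rec["action"] != "ALLOW":
            continue
        src_ip = ipaddress.ip_address(rec["src"])
        if src_ip in ADMIN_SUBNET:
            continue
        reason = ("internal host outside admin subnet" if src_ip in INTERNAL_RANGE
                  else "external source")
        findings.append(Finding(rec["src"], rec["dst"], rec["dport"], reason))
    return findings


# Constructed sample records: one admin session, one external hit, one
# internal host on a non-admin subnet, one denied attempt, one non-management port.
SAMPLE_LOG = """\
# constructed records: ts src:sport -> dst:dport proto action
2025-10-15T17:02:11Z 10.20.1.15:51022 -> 10.20.5.10:443 tcp ALLOW
2025-10-15T17:05:40Z 203.0.113.7:44411 -> 10.20.5.10:443 tcp ALLOW
2025-10-15T17:06:03Z 10.20.9.44:60211 -> 10.20.5.11:8443 tcp ALLOW
2025-10-15T17:07:19Z 198.51.100.9:38890 -> 10.20.5.11:80 tcp DENY
2025-10-15T17:08:00Z 10.20.9.50:40000 -> 10.20.5.10:8080 tcp ALLOW
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f.src} -> {f.dst}:{f.port}  [{f.reason}]")
```

Run against the constructed log, the audit reports the external source and the internal host on the wrong subnet and ignores the denied attempt and the non-management port. Feeding it real firewall or flow records requires only replacing `parse_record` with a parser for that format; the allowlist check itself does not change.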