Full Report
The organization that runs Seattle-Tacoma International Airport and several container terminals said it is sending breach notification letters to those affected by a ransomware attack, including about 71,000 people in Washington state.
Analysis Summary
# Incident Report: Port of Seattle Ransomware Attack by Rhysida
## Executive Summary
In August 2024, the Port of Seattle, which operates Seattle-Tacoma International Airport (Sea-Tac), suffered a significant ransomware attack attributed to the Rhysida gang. The threat actors accessed and exfiltrated personal data belonging to approximately 90,000 individuals, primarily impacting legacy systems holding employee, contractor, and parking data. The incident caused severe operational disruption at the airport, forcing manual processes for baggage handling and flight information display, though core airline and federal partner systems remained unaffected. The Port refused to pay the ransom, leading to remediation and recovery efforts.
## Incident Details
- **Discovery Date:** August 24, 2024 (Implied: Attack initiated around this date)
- **Incident Date:** August 24, 2024
- **Affected Organization:** Port of Seattle (Operating Sea-Tac Airport)
- **Sector:** Transportation/Government/Infrastructure
- **Geography:** Washington State, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Around August 24, 2024, ahead of the Labor Day holiday.
- **Vector:** Ransomware deployment. The specific initial access vector is not detailed in the article; vectors commonly reported for Rhysida include phishing and exploitation of exposed services.
- **Details:** Threat actors deployed ransomware into the Port's systems.
### Lateral Movement
- Attackers gained access to and downloaded data from **legacy systems** used for employee, contractor, and parking records.
### Data Exfiltration/Impact
- **Data Exfiltration:** Threat actors **accessed and downloaded** personal information in about 90,000 records, including names, dates of birth, SSNs, driver's license/ID card numbers, and some medical information.
- **Operational Impact:** Airport Wi-Fi was disabled and the flight information display screens went down, so staff used dry-erase boards for flight and baggage information and airlines sorted baggage manually. Impacted services included baggage handling, check-in kiosks, ticketing, passenger display boards, the Port website, the flySEA app, and reserved parking systems.
### Detection & Response
- **Detection:** Incident was discovered on or around August 24, 2024, leading to severe service disruptions.
- **Response actions taken:** Port officials confirmed refusing to pay the ransom demanded by Rhysida. Breach notification letters were prepared for affected individuals. Containment and eradication efforts followed the refusal to pay.
## Attack Methodology
- **Initial Access:** Not explicitly detailed, but consistent with typical ransomware group methods (e.g., RDP compromise, VPN vulnerability, or phishing).
- **Persistence:** Implied through successful ransomware encryption and data theft.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed, though the attack successfully bypassed security controls to propagate ransomware and exfiltrate data from targeted legacy systems.
- **Credential Access:** Likely used to access the targeted legacy systems containing PII.
- **Discovery:** Inferred activity post-access to map internal systems where sensitive data resided.
- **Lateral Movement:** Occurred across the network to reach and compromise legacy systems containing employee/contractor PII.
- **Collection:** Targeted collection of PII (SSNs, names, DOBs, etc.).
- **Exfiltration:** Data was downloaded prior to or concurrent with encryption.
- **Impact:** System encryption via ransomware, resulting in service outages, and data theft.
## Impact Assessment
- **Financial:** Costs associated with incident response, remediation, and providing one year of free credit monitoring services to ~90,000 victims. (Specific figures undisclosed).
- **Data Breach:** Approximately 90,000 records compromised, including PII such as Social Security Numbers, DOBs, and driver's license information. Primarily employee/contractor data from legacy systems.
- **Operational:** Severe, short-term disruption to airport and port services, forcing reliance on manual fallback procedures during a busy holiday travel period (Labor Day). Core airline and federal systems were isolated/unaffected.
- **Reputational:** Negative publicity due to widespread operational disruption at a major US airport.
## Indicators of Compromise
- *(Note: Specific IOCs were not provided in the source text, but typically would include Rhysida C2 domains or malware hashes.)*
- **Network indicators:** [Defanged C2 domains/IPs associated with Rhysida activity post-incident]
- **File indicators:** [Specific ransomware file names/hashes associated with the Rhysida variant used]
- **Behavioral indicators:** Significant encryption activity on legacy file servers; unauthorized outbound traffic related to data staging/exfiltration.
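The two behavioral indicators listed above (a burst of file modifications on a legacy file server, and unusual outbound transfer consistent with data staging and exfiltration) can be triaged from ordinary file-server audit logs and network flow records. The following is an added example, not code from the report or the Port; the log line formats, host names, thresholds and the `203.0.113.0/24` "external" address (a documentation range) are all constructed assumptions:

```python
"""Triage of two behavioral ransomware indicators over constructed sample logs:
a burst of file writes/renames on a file server, and a large outbound transfer
to a non-internal destination.  Added example; log formats, host names,
thresholds and addresses are assumptions, not data from the incident."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed file-server audit events: "<iso-ts> <host> <user> <action> <path>"
AUDIT_LOG = """\
2024-08-24T02:10:00 fs-legacy-01 svc_parking RENAME /parking/permits_2019.csv
2024-08-24T02:10:02 fs-legacy-01 svc_parking RENAME /parking/permits_2020.csv
2024-08-24T02:10:03 fs-legacy-01 svc_parking RENAME /hr/contractors_2018.xlsx
2024-08-24T02:10:05 fs-legacy-01 svc_parking RENAME /hr/contractors_2019.xlsx
2024-08-24T02:10:06 fs-legacy-01 svc_parking RENAME /hr/badge_export.csv
2024-08-24T02:10:08 fs-legacy-01 svc_parking RENAME /hr/medical_notes.docx
2024-08-24T02:10:09 fs-legacy-01 svc_parking WRITE /hr/NOTE.txt
2024-08-24T09:15:00 fs-core-01 jdoe WRITE /ops/shift_schedule.xlsx
2024-08-24T09:16:30 fs-core-01 jdoe RENAME /ops/shift_schedule_old.xlsx
"""

# Constructed flow records: "<iso-ts> <src-host> <dst-ip> <bytes-out>"
FLOW_LOG = """\
2024-08-23T23:40:00 fs-legacy-01 203.0.113.45 734003200
2024-08-23T23:55:00 fs-legacy-01 203.0.113.45 419430400
2024-08-24T09:20:00 fs-core-01 10.20.30.40 5242880
2024-08-24T09:21:00 wks-ops-07 203.0.113.9 1048576
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space
MODIFY_ACTIONS = {"WRITE", "RENAME"}


def parse_audit(text):
    """Return (timestamp, host, action) tuples, one per audit line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _user, action, _path = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), host, action))
    return events


def parse_flows(text):
    """Return (timestamp, src_host, dst_ip, bytes_out) tuples, one per flow line."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, ip_address(dst), int(nbytes)))
    return flows


def find_encryption_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Hosts with >= threshold file modifications inside any single time window.
    Returns {host: peak count}.  Encrypting a share produces a run of
    writes/renames far denser than interactive use, so a sliding-window
    count over each host's modification timestamps isolates it."""
    per_host = defaultdict(list)
    for ts, host, action in events:
        if action in MODIFY_ACTIONS:
            per_host[host].append(ts)
    hits = {}
    for host, stamps in per_host.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[host] = peak
    return hits


def find_exfil_candidates(flows, internal_nets=INTERNAL_NETS, byte_threshold=500 * 2**20):
    """Sources whose total bytes to non-internal destinations exceed the threshold.
    Returns {src_host: total_bytes}.  Internal-to-internal traffic is ignored."""
    totals = defaultdict(int)
    for _ts, src, dst, nbytes in flows:
        if not any(dst in net for net in internal_nets):
            totals[src] += nbytes
    return {src: n for src, n in totals.items() if n > byte_threshold}


def triage(audit_text=AUDIT_LOG, flow_text=FLOW_LOG):
    """Combine both detectors into a list of (indicator, host, value) findings."""
    findings = []
    for host, peak in find_encryption_bursts(parse_audit(audit_text)).items():
        findings.append(("encryption_burst", host, peak))
    for host, nbytes in find_exfil_candidates(parse_flows(flow_text)).items():
        findings.append(("external_exfil", host, nbytes))
    return findings


if __name__ == "__main__":
    for kind, host, value in triage():
        print(f"{kind:17} {host:14} {value}")
```

In the constructed data only `fs-legacy-01` trips both detectors: seven renames and writes inside one minute, and roughly 1.1 GiB sent to an external address in the hours before the encryption burst. The thresholds are deliberately low so the sample is readable; in production they would be baselined per host, and the two signals are most useful correlated on the same host, since a large outbound transfer followed by mass file modification is the staging-then-encrypt ordering described in the exfiltration section above.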
## Response Actions
- **Containment:** Isolation of affected legacy systems from the core operational network segments, preventing further ransomware spread.
- **Eradication:** Removal of threat actor presence and remediation of compromised legacy systems.
- **Recovery:** Restoring services, including Wi-Fi, display boards, and website functionality; coordination with flight operations.
- **Notification:** Issuing breach notification letters to affected individuals and offering one year of free credit monitoring.
## Lessons Learned
- **Legacy System Vulnerability:** Reliance on older "legacy systems" holding sensitive data created a high-value target that the threat actors could reach, even though core operations remained isolated.
- **Ransomware Strategy:** The Port maintained a firm stance against paying the ransom, citing ethical and stewardship principles, which committed it to a full remediation and recovery effort rather than a negotiated decryption.
- **Operational Resilience:** Significant operational impact occurred despite successful isolation of critical airline/federal infrastructure, highlighting the need to harden non-core PII systems.
## Recommendations
- **Accelerate Data Modernization:** Prioritize the migration or complete decommissioning of any legacy systems housing sensitive PII, ensuring all current systems use modern security controls.
- **Enhanced Endpoint Detection and Response (EDR):** Deploy and rigorously tune EDR solutions across all network segments, especially where PII resides, to detect early-stage lateral movement and credential access.
- **Segmentation & Least Privilege:** Review network segmentation to ensure that systems holding PII are strictly isolated and adhere to the principle of least privilege.