Three weeks after a ransomware attack, the Port of Seattle and the Seattle-Tacoma International Airport (SEA) are still recovering systems.
In the first week after the attack, port and airport authorities working with U.S. law enforcement agencies, managed to recover baggage services, check-in, ticketing, Wi-Fi, display boards, app services, and more. However, the main external website and internal portals of SEA Airport and the Port are still down at the time of writing.
While the Seattle Port Authority reports that traveling from and to Seattle-Tacoma International Airport and using the Port of Seattle’s maritime facilities is completely fine, Techopedia looks into the developing events to gain a deeper understanding of what´s happened and why.
Seattle Port and Airport Still Recovering from Ransomware Attack
On September 13, the Port of Seattle and SEA announced that an attack on their services, identified as a ransomware attack carried out by the criminal organization known as Rhysida.
While there is no definite evidence that ties Rhysida to any nation-state, experts believe it is connected to the Russian ransomware industry.
In a move applauded by cybersecurity experts and law enforcement, the Port refused to pay the ransom demanded. Additionally, the Port and SEA took immediate actions to prevent the attack from escalating, shutting its systems offline as soon as they identified suspicious activity.
However, not paying for ransomware usually does not come without consequences. While no new activity, messages, or communications from the threat actors involved in this attack have been released to date, data leaks and extortions are to be expected.
Investigations into what data was compromised and whether that includes stakeholders, partners, employees, or civilian personal data are still ongoing.
Tom Kellermann, SVP of Cyber Strategy of Contrast Security, a cybersecurity provider, told Techopedia that Rhysida is a Russian-speaking cyber crew that acts as a part-time cyber militia for the Russian regime.
“Russia has called upon these Ransomware gangs to act patriotically and launch destructive attacks against US critical infrastructure.
“I do believe that the perpetrators will attempt to leak data if not swiftly suppressed by the activities of the security teams and federal authorities.”
Rhysida Atypical Ransomware Behaviour Raises Suspicion
The Port of Seattle’s official press release does not reveal many technical details of the attack. However, we do know that the ransomware was a Rhysida attack. Rhysida is an emerging variant of ransomware malware that is offered under ransomware-as-a-service models in the criminal underground. The threat group came to the FBI’s attention in 2023.
While Rhysida is, in essence, ransomware — encryption and double extortion included — the malware does possess other capabilities that make it stand out.
Most ransomware attacks are guerrilla-style rapid in-and-out attacks. They start with phishing or stolen credentials and move on to rapid encryption and data extraction. These types of attacks take an average of 4 to 5 hours, with some being over in just 45 minutes.
In contrast, as the FBI and the CISA joint advisory reveals, the Rhysida ransomware attack is neither fast nor strictly focused on encrypting data.
Instead of leveraging stolen credentials or launching phishing attacks, Rhysida threat actors enter a system more technically by accessing services such as virtual private networks (VPNs). Once they have access to VPNs, they can connect to internal enterprise network resources from external locations.
Rhysida also leverages vulnerabilities, escalation of privileges, and later movements to establish persistence. Furthermore, Rhysida actors use Living off the Land (LoL) techniques — using the breached system tools and resources in their favor.
The use of LoL and persistency tactics are also techniques and capabilities that are not usually associated with ransomware but rather with long-term cyberespionage campaigns.
Since 2023 Rhysida has hit education, healthcare, manufacturing, information technology, and government sectors. But the attack on Seattle’s Port and Airport signals to a serious escalation.
Why the Seattle Airport and Port?
The Seattle Port and Airport, separate entities managed by the same Port of Seattle authority, are of significant importance for the U.S. Morey Haber, Chief Security Advisor at BeyondTrust, told Techopedia that both the seaport and airport serve as critical infrastructure.
“Their disruption can ripple across multiple industries, including logistics, travel, commerce, and allow name recognition for the Rhysida group.
“The airport and seaport in Seattle represents high-value targets for several reasons for this attack.”
Haber explained that the Port of Seattle is a major gateway for trade and the Seattle-Tacoma International Airport (SEA). It is also among the busiest in the northwest of the United States. Any successful attack would cause significant downtime and financial loss and could pressure authorities to meet ransom demands quickly to restore services.
“In addition, these targets have a trove of sensitive data from shipping manifests, passenger information, and global logistical systems that could be sold on the dark web regardless if ransomware demands were met or not.”
“We can expect future attacks on similar organizations regardless if they are government managed or private-sector,” Haber said.
This includes ports, airports, rail systems, and energy grids, especially in developing nations that may not have backups, incident response plans, or the financial means to actually pay the ransom.
Putting Things Under National Security Perspectives
Both the Seattle port and airport have the necessary infrastructure to handle large volumes of cargo and passengers, including deep-water berths, cargo-handling equipment, and modern runways.
Due to the geographical location, the Port of Seattle and the Airport are also critical for the U.S. military. The area is also home to Joint Base Lewis-McChord, a major U.S. military installation, and the Port of Tacoma, which is used for military cargo shipments. This proximity makes it easier for the military to support its operations in Alaska and other areas in the Pacific.
Tensions between the U.S. and Russia in the North Pacific have been escalating in the past weeks, with NORAD recently detecting Russian maritime patrol intrusions and the U.S. Army deploying forces on Alaska’s Aleutian Islands to showcase its ability to move forces rapidly in the region.
The Bottom Line
Ransomware attacks are nothing new, but the attack on the Port of Seattle and the SEA Airport is undoubtedly a bold move by the new threat group. Utilizing a more sophisticated and stealthy malware that has several leveled-up functions and features compared to traditional ransomware, the Rhysida threat group dared to target and successfully breach one of the most important ports of the U.S. — and for national security.
While Rhysida hackers will not see any ransomware payment, and an investigation is well on its way, it is still unclear what they got their hands on and what is coming next.
Operations in the airport and port of Seattle are today safe and returning to normal, with authorities assuring that the security is being beefed up. However, experts say similar attacks on key critical infrastructure are inevitable.