Oddly specific 'cyber attack' hits Alaskan airline RavnAir and one plane type

A small Alaskan airline has suffered a curiously specific "cyber attack" that mostly affected its De Havilland Dash 8 airliners.

RavnAir Group declared on 21 December that it had "experienced a malicious cyber attack on our company's IT network" the day before, causing it to cancel all of its flights operated with Dash 8s on its RavnAir Alaska airline.

In later statements, the group – which also has two other airlines, PenAir and RavnAirConnect – said it was cancelling a dozen Dash 8 flights before adding that the "this disruption now appears more extensive than initially reported". It has since said it may take "as long as one month to have all affected IT systems fully restored and back to normal" - with additional flight cancellations and delays possible on all three airlines.

The Dash 8 cancellations lasted just under 24 hours before the aircraft were back in the sky.

The US Associated Press newswire reported that an unnamed cybersecurity company, the US Federal Bureau of Investigation "and others" are all working with RavnAir to figure out what happened and help the airline recover.

No information was given by the airline on precisely what the "cyber attack" consisted of, though from the limited account given, it appears to be ransomware. Also inferring from RavnAir's descriptions, not much else short of an immediate power failure is likely to have knocked out a "maintenance IT system", or caused "the need to shut down and assess every part of the company's IT network and all company computers and servers".

The group said "the cyber attack forced us to disconnect our Dash 8 maintenance system and its backup."

The incident is unusual because it appears those deploying the malware – if that is what it was – initially only affected one particular aircraft type, and a relatively old model. RavnAir flies DHC-8-100s, a twin-engined turboprop airliner no longer made by manufacturer De Havilland Canada: the -100 was superseded by the larger Q400 model in the early 2000s.

Ken Munro of Pen Test Partners speculated the attack could have been carried out by a disgruntled ex-employee or perhaps a commercial rival, based on the targeting of RavnAir's Dash 8 maintenance system, though he also added: "These seem unlikely to me."

Munro, who among many other things specialises in aviation cybersecurity, offered a theory: "My guess is that the maintenance system was infected with ransomware, perhaps through general poor hygiene often associated with maintenance systems. The backup [may have been] on the same network segment, probably with similar vulnerabilities/missing patches or common credentials. Through swift action, one would speculate that the infected systems were quickly disconnected from the network or powered off."

Judging by RavnAir's continued operations with all of its other aircraft, Munro said: "The incident was contained successfully, but without a primary or backup maintenance system, it wouldn't have been possible to dispatch Dash-8 flights."

RavnAir has been asked to comment.

The DHC Dash 8 is one of the world's most widely flown makes of turboprop airliner. RavnAir has a fleet of 10 Dash 8-100s, relatively small aircraft but with impressive short-field takeoff characteristics making them well suited to small, remote airstrips.

In the UK the Dash 8 is best known in its stretched Dash 8-Q400 configuration as flown by British airline Flybe, soon to rebrand as Virgin Connect after a £2.2m buyout last year. ®

Updated at 16:27 GMT on 3 January to add

De Havilland Canada has been in contact to tell The Reg it is "in contact with RavnAir and, if requested, is available to assist the authorities that are investigating the cyber attack that impacted RavnAir's IT network."

It added: "Based on the information currently available to us, the systems onboard the Dash 8 aircraft were neither the target of this incident nor affected by this incident. Our understanding is that this incident has impacted internal systems at the airline."