Port of Seattle reveals details of ransomware attack, says it refused to pay criminal organization

The Port of Seattle said some of its data may be at risk of being posted online after it refused to pay a ransom demanded by a criminal organization responsible for a cyberattack that took place nearly three weeks ago.

The Port revealed new details on Friday about the Aug. 24 cyberattack that impacted various operations, including at Seattle-Tacoma International Airport.

“Our investigation has determined that the unauthorized actor was able to gain access to certain parts of our computer systems and was able to encrypt access to some data,” the Port said.

According to the Port, the ransomware attack was carried out by Rhysida, a group that claimed responsibility for cyberattacks on the British Library last year and on the City of Columbus, Ohio, this summer. It also targets hospitals and other government institutions.

The Port said that Rhysida claims to have stolen data and may post it “on their darkweb site” as a result of the refusal to pay the ransom.

More from the Port:

“Our investigation of what data the actor took is ongoing, but it does appear that some Port data was obtained by the actor in mid-to-late August. Assessment of the data taken is complex and takes time, but we are committed to these efforts and notifying potentially impacted stakeholders as appropriate. In particular, if we identify that the actor obtained employee or passenger personal information, we will carry out our responsibilities to inform them.”

The attack and the Port’s response to isolate critical systems resulted in an outage that shut down WiFi at the airport, caused delays to baggage services, and disrupted many screens inside the terminal showing flight information.

Airport workers had to resort to manual methods, such as writing flight numbers and carousel locations on large sheets of paper and issuing handwritten boarding passes and bag tags.

The outage did not impact flights or security checkpoints at Sea-Tac Airport, or cruise travel.

The travel experience at Sea-Tac is now “normal,” the airport announced Wednesday.

However, the airport’s and the Port’s websites are still down. Other services, such as the airport’s lost and found and its visitor pass program, are still not accessible.

Some maritime operations managed by the Port of Seattle are also still in recovery mode.

“Enterprise applications essential to business functions, such as accounts payable services, contract management, phone service, and the public website were affected in the attack,” the Port said. “Many of these services have been restored with temporary or workaround solutions, although some key systems remain offline.”

The Port said it has not identified unauthorized activity since the initial breach.

Cyberattacks on critical infrastructure and public entities such as schools are on the rise.

Criminal enterprises and nation-states are typically responsible for ransomware attacks. These usually involve hackers who gain access by leveraging credentials or exploiting software vulnerabilities, then make data inaccessible (for example by encrypting it) or threaten to leak it, and finally demand exorbitant payments from victims.

That data can be sold on the “dark web” for a large profit. Faced with this pressure, ransomware victims often end up paying the ransom.

The Port of Seattle “has no intent of paying the perpetrators behind the cyberattack on our network,” said Steve Metruck, executive director of the Port of Seattle.

“Paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars,” Metruck said in a statement Friday.

Speaking at a Port of Seattle Commission meeting this week, Metruck said the crisis has been a “catalyst” to implementing technical changes that were either already in the queue or on the wish list. “Those have been accelerated,” he said.

Recent high-profile ransomware attacks have hit auction house Christie’s; healthcare systems including Ascension and Change Healthcare; and Seattle’s Fred Hutchinson Cancer Center.

This week, Highline Public Schools, a school district south of Seattle, canceled classes for three days due to a cyberattack.