Major Cyber Attacks Targeting Aviation Industry 2025
In 2025, the aviation industry remained a key target for cyberattacks. Its role as critical infrastructure makes it a prime focus for threat actors. Airlines and airports rely heavily on digital systems for operations, which makes them highly vulnerable to cyber threats. Attacks ranging from ransomware to the sale of stolen data have become more frequent, often linked to the dark web. These incidents highlight the risks the sector faces as it becomes increasingly reliant on interconnected technologies.
The aviation industry connects people, goods, and services worldwide, making it invaluable. Its digital systems manage everything from flight schedules to sensitive passenger data, which increases its appeal to cybercriminals and hacktivists. A successful cyberattack can disrupt operations, ground flights, and cause massive financial losses. Additionally, aviation’s public visibility ensures that the impact of these attacks is felt beyond the industry, affecting millions globally. This combination of strategic importance and vulnerability makes aviation an ongoing and attractive target for cyber threats.
The 2025 Cyber Threat Landscape in Aviation
In 2025, the aviation sector has remained a high-profile target for cyber threat actors, with both civilian infrastructure and commercial airline systems drawing increased attention. From politically motivated hacktivism to financially driven intrusions, attacks have spanned a wide range of tactics and objectives.
One of the most prominent trends this year has been the frequency of DDoS campaigns against airports and aviation authorities, often carried out by hacktivist groups such as Z-PENTEST Alliance, Noname057(16), and Dark Storm Team. These actors, known for politically charged operations, have repeatedly claimed responsibility for disruptions to airport websites and public-facing aviation systems, particularly in Western-aligned countries.
Alleged access sales targeting aviation industry detected by SOCRadar on the Dark web (SOCRadar Dark Web News)
Other threat actors, by contrast, have taken a more financially motivated and technically sophisticated approach, focusing on initial access sales. They allegedly offered unauthorized access to airline-affiliated systems, further exposing backend environments to secondary threats such as ransomware or data theft.
Victim country distribution by Dark Web mentions
The United States has emerged as the most frequently referenced country in aviation-related cyber incidents. This can be attributed not only to the sheer size and global presence of its aviation infrastructure but also to its symbolic value in geopolitical cyber conflict. Pro-Russian and pro-Palestinian groups, in particular, have consistently included American targets in their publicized DDoS campaigns, framing such attacks as acts of digital resistance or retaliation.
Other highly targeted countries include France, China, India, and the United Kingdom, each appearing repeatedly in underground threat actor posts. In some cases, these nations were named due to data leaks, while others were targeted in broader regional campaigns aimed at disrupting transportation or generating media visibility.
Cyberattacks on Commercial Airlines in 2025
In 2025, cyberattacks against commercial airlines increased in both scale and impact. Airlines in several countries were targeted, including a major campaign in June that hit carriers in North America and Australia. Many of these attacks involved social engineering methods, such as impersonating support staff and bypassing multi-factor authentication. U.S. authorities, including the FBI, linked these techniques to a cybercriminal group known as “Scattered Spider.”
Qantas Airways (Australia) – 2025 Data Breach
In late June 2025, Qantas Airways detected unauthorized activity on a third-party platform used by its contact center. The airline confirmed the breach in early July and stated that the attack shared similarities with intrusions linked to the Scattered Spider group.
Qantas has since updated its disclosure, confirming that the personal data of approximately 5.7 million customers was exposed. Around 4 million records included names, email addresses, and Frequent Flyer details—some with tier level, points balance, and status credits. The remaining 1.7 million included combinations of addresses, phone numbers, dates of birth, gender, and meal preferences.
No passwords, payment data, or passport details were compromised. Affected customers are being contacted directly, and Qantas has implemented additional cybersecurity measures in response.
WestJet Airlines (Canada) – June 2025 IT System Intrusion
On June 13, 2025, WestJet Airlines experienced a cyber incident that disrupted parts of its digital infrastructure. The airline reported issues with its mobile app and internal systems, leading to temporary service interruptions for passengers.
WestJet quickly activated its internal response teams and worked with law enforcement and Transport Canada to investigate. By the following day, the airline confirmed that flight operations were unaffected and that recovery efforts were underway. Customers were advised that some online services might remain unstable during this period.
While WestJet did not confirm whether any personal data was compromised, it urged caution when sharing information online. The specific method of attack was not disclosed. However, cybersecurity experts noted that the intrusion resembled other recent airline breaches. Sources suggested the attack might be linked to the Scattered Spider group, which is known for using social engineering tactics and extortion.
Hawaiian Airlines (USA) – June 2025 Disruption of IT Systems
On June 26, 2025, Hawaiian Airlines confirmed it was affected by a cybersecurity incident. While the airline did not disclose technical details, the phrasing suggested a ransomware attack. Despite the disruption, flights continued safely and on schedule.
Some internal and communication systems were impacted. Staff reportedly used alternative email accounts to manage inquiries. The airline quickly activated contingency plans, and the FAA confirmed there was no risk to flight safety.
Cybersecurity experts attributed the breach to Scattered Spider, linking it to a broader campaign against the aviation sector. The group was also suspected in a similar incident involving WestJet two weeks earlier.
Both Hawaiian Airlines and its parent company, Alaska Airlines, published temporary notices on their websites about the issue. These were removed once systems stabilized. No sensitive customer data was reported lost. The event highlighted rising cyber risks in aviation, especially as U.S. authorities warned that Scattered Spider had begun targeting transportation infrastructure more aggressively.
Attacks on Airports and Aviation Infrastructure in 2025
Airports, which form part of national critical infrastructure, were also prime targets of cyberattacks in 2025. These ranged from politically motivated hacktivist attacks aiming to sow disruption, to financially motivated ransomware strikes. Below we detail notable incidents at major airports:
Los Angeles International Airport (USA) – March 2025 Hacktivist DDoS Attack
On March 18, 2025, Los Angeles International Airport (LAX) faced a large-scale DDoS attack claimed by the pro-Palestinian hacktivist group “Dark Storm Team.” The attackers flooded airport systems with fake traffic, disrupting flight information displays, baggage handling, and electronic check-in systems.
Although no flights were canceled, the attack caused visible delays and confusion across terminals. Websites slowed, screens went blank, and staff had to manage passenger flows manually. There was no data breach or ransom involved — the attack was politically motivated, targeting U.S. support for Israel.
Security analysts noted that the attackers used sophisticated botnets to bypass standard defenses. Financial losses and reputational damage were likely, but full services resumed once the traffic died down. The incident emphasized how even short-term disruptions can affect major airports and highlighted the growing role of hacktivism in aviation cyber threats.
Hartsfield-Jackson Atlanta International Airport (USA) – March 2025 Attempted DDoS
Just ten days later, on March 28, 2025, Atlanta’s Hartsfield-Jackson Airport (ATL) was targeted in a similar attack. This time, the DDoS attempt was quickly contained. The airport’s website became briefly unavailable, but core systems and flight operations were unaffected.
Airport IT teams followed protocols and restored access swiftly. No group claimed responsibility, and the motive remains unclear. Some analysts speculated it was either a copycat act or a low-effort DDoS-for-hire. Though minimal in impact, the incident underscored the value of having effective DDoS protection in place.
Kuala Lumpur International Airport (Malaysia) – March 2025 Ransomware Attack
On March 23, 2025, Kuala Lumpur International Airport (KLIA) suffered a serious ransomware attack. Systems went down for over ten hours, forcing staff to use manual procedures. Flight updates were written by hand, and operations slowed significantly.
Attackers demanded $10 million in ransom. Malaysia’s Prime Minister confirmed the attack but firmly refused to pay. The government activated its national cyber agency, and recovery efforts began the same day. While no official attribution was given, the Qilin ransomware group claimed responsibility, stating it had stolen 2 TB of data.
This marked one of the most disruptive cyberattacks on an Asian airport to date. It triggered a nationwide response and increased scrutiny of aviation cybersecurity. Officials emphasized better segmentation, phishing prevention, and routine testing as critical next steps.
Dark Web Activity Involving the Aviation Industry
Alongside confirmed cyber incidents, threat actors have increasingly turned to dark web platforms to claim breaches involving airlines, airports, and aviation service providers. Many of these posts feature partial samples, screenshots, or technical details—but remain unverified. Some are likely based on test data or recycled content, while others may be exaggerated or false. Still, they highlight the aviation sector’s growing exposure on dark web forums and illicit marketplaces.
Alleged United Airlines SMS Leak
A threat actor known as “Machine1337” claimed on a Russian hacker forum and Telegram that they had leaked 272 million SMS records linked to United Airlines. Samples included real flight details and valid URLs pointing to gofly.united.com, adding surface-level credibility.
Dark web forum post alleging a United Airlines data leak
However, all messages included the label “FakeDLR,” a term usually found in internal test logs. Most numbers targeted Chinese devices (+86), and no personal identifiers or credentials were visible.
The same actor previously made similar unverified claims, including a supposed Steam SMS leak, which Valve and Twilio both denied. In that case, Valve clarified the messages were historic and not the result of a breach.
Due to the presence of test markers and the actor’s history of misleading posts, this alleged leak appears dubious and likely involves test or simulated data rather than real customer information.
ICAO Recruitment Database Breach
In January 2025, the International Civil Aviation Organization (ICAO), a specialized United Nations agency, confirmed an information security incident involving its recruitment platform. The breach was allegedly carried out by a threat actor known as “Natohub,” who claimed to have exfiltrated approximately 42,000 recruitment application records spanning April 2016 to July 2024. Although that figure was the one initially reported, ICAO later clarified, after a thorough review, that the breach affected 11,929 individuals.
Threat actor claims to have breached ICAO
The compromised data includes recruitment-related details that applicants submitted to ICAO, such as names, email addresses, dates of birth, and employment history. Importantly, no sensitive information such as banking details, passwords, passport information, or documents uploaded by applicants was involved in the breach.
ICAO confirmed that the breach is limited to the recruitment database and does not impact any systems related to aviation safety or security operations. The organization is actively investigating the incident, which appears to be linked to a threat actor known for targeting international organizations.
Alleged Unauthorized VPN Access Sale Detected for an American Aviation Company
A post detected on a dark web forum offers unauthorized VPN access allegedly belonging to a U.S.-based aviation company. The post claims the sale involves access to the company’s user domain and lists the price in stages: a starting price of $1,000, a $500 increase per step, and a final blitz price of $5,000. This access is reportedly tied to a company generating $93 million in annual revenue.
The dark web post claims the sale of unauthorized VPN access to a major U.S.-based aviation company
The sale of unauthorized VPN access raises serious concerns, as it could potentially expose the company’s internal systems and sensitive data to malicious actors. Such access poses a direct threat to the organization’s security, particularly in the context of the aviation sector, where disruptions or data breaches could have significant operational and reputational consequences.
Pro-Russia Hacktivist Group Noname057(16) Targets Milan Bergamo Airport in DDoS Attack
Noname057(16)’s Claim: DDoS Attack on Milan Bergamo Airport
Noname057(16), a pro-Russia hacktivist group, has launched a significant DDoS attack on Milan Bergamo Airport, taking its website offline. The group claimed responsibility for the attack and mentioned further disruptions to other Italian sites. This incident highlights the ongoing trend of hacktivists specifically targeting the aviation sector as part of their ideological campaigns, underscoring the critical vulnerability of aviation infrastructure to cyberattacks.
Conclusion: Preparing for the Next Wave of Aviation Cyber Threats
The events of 2025 proved one thing beyond doubt: aviation is firmly in the crosshairs of cyber adversaries. From ransomware incidents paralyzing airport systems to hacktivist-driven DDoS attacks disrupting passenger services, the industry has faced threats that go far beyond simple IT outages. These incidents did not ground fleets or compromise flight safety, but they exposed significant weaknesses in digital resilience and operational continuity.
Looking ahead, the threat landscape will only become more complex. Cybercriminals are expected to double down on ransomware and data extortion, while advancements in AI will supercharge phishing and social engineering tactics. Voice and video deepfakes could make impersonation attacks even more convincing. At the same time, third-party risks remain a critical concern, as demonstrated by breaches involving aviation vendors and external service providers. In short, the attack surface is expanding and attackers know it.
For airlines, airports, and aviation technology partners, the path forward is clear: proactive defense, layered security, and a culture of cyber awareness. Multi-factor authentication, network segmentation, and strong encryption are no longer optional; they are baseline requirements. Continuous monitoring powered by AI and real-time threat intelligence sharing will be essential to detect and contain intrusions before they spread. Equally important is investing in people: regular training, phishing simulations, and clear escalation protocols can turn employees from weak links into active defenders.
Resilience must become the industry’s mantra. This means preparing for the worst-case scenario with robust business continuity plans, offline backups, and well-rehearsed manual processes to keep passengers moving even during a cyber crisis. The attacks of 2025 served as a wake-up call. The question now is whether the industry will turn those lessons into action. By combining technology, training, and tested contingency strategies, aviation can stay one step ahead of the next wave of cyber threats and keep the skies both open and secure.

