Saturday, December 1, 2018

Airline Ransomware Hacker Arrested


Early this morning German authorities in Berlin, working in conjunction with the Federal Bureau of Inquiry, arrested Kate Libby, a notorious member of Stasi Ehemalige known by her hacker handle GeschütztesDF, for her part in last week’s ransomware attack on an airliner sitting on the ground at Boston’s Logan Airport. Johnathan Quest, an FBI spokesperson, noted that the two governments were still working out where she would be tried for the attacks.

Quest refused to confirm that an American government agent had managed to infiltrate Stasi Ehemalige. “US technical means and good, solid police work by the Germans led to locating and arresting this notorious hacker,” Quest responded when asked about infiltration of the hacker collective.

Immanuel C. Securitage, spokesman for ECS-CERT, the cybersecurity agency that worked closely with the FBI on this case, reported that the TOR site for the hacker collective had bragged about GeschütztesDF’s skills, both in crafting the ransomware and in inserting it into the airline crew scheduling web page, where it infected the phones of the crew of Flight 175.

Within hours of Libby’s arrest, announcements were made on a large number of social media sites providing links to the source code for the WannaFly malware. The announcements, signed by GeschütztesDF, provided credentials to access the source code on web sites for Robotron, Fieseler, and a number of airlines. Publishing the code on these sites made it clear that Stasi Ehemalige had compromised the security of the sites in question, raising questions about what other attacks on those sites had accomplished.

An unnamed analyst from Dragonfire claims that, along with the source code, the web site postings include instructions on how to modify the ransomware to take effect when aircraft are in flight, as well as details on two previously undetected vulnerabilities in the Robotron Reichenberg avionics control system. Those zero-day vulnerabilities would allow in-flight access to the control system, according to the analyst.

Securitage refused to comment on those claims, stating that ECS-CERT was still looking at the malware.

Within minutes of the release of the GeschütztesDF messages, the TOR site for Stasi Ehemalige published demands for the release of Kate Libby. The web site claimed that unless Libby was released within 24 hours the hacker group would also release copies of the WannaFly ransomware tailored to attacks on avionics control systems from other manufacturers along with zero-day vulnerabilities that would allow access to install that malware.

The Federal Airline Administration spokesman Oscar Holmes reported that the FAA was closely monitoring the situation. The Fieseler aircraft that are the only current users of the Robotron control system remain grounded until airlines can certify that appropriate mitigation measures are put into place on each potentially affected aircraft. Holmes noted that the FAA was prepared to ground any aircraft affected by the threatened malware releases.

When asked about the potential effect on holiday travel, Holmes confirmed that even the limited Fieseler groundings had already caused the cancelation of hundreds of flights. Any further groundings could cause serious problems for travelers in coming weeks that are expected to see record numbers of flyers. Travel plans could have to be canceled and people could be stranded away from home searching for alternative modes of travel.

Robotron and Fieseler stocks fell sharply past previous record lows on European exchanges before trading was stopped. US airline stocks dropped sharply after the Stasi Ehemalige announcement as airlines reported an increase in flight cancellations.
