Port of Seattle confirmed that Rhysida ransomware gang was behind the August attack

Port of Seattle confirmed on Friday that the Rhysida ransomware group was behind the cyberattack that hit the agency in August.

In August, a cyber attack hit the Port of Seattle, which also operates the Seattle-Tacoma International Airport, websites and phone systems were impacted.

Media reported that the Port of Seattle, which also operates the Seattle-Tacoma International Airport, suffered a cyber attack that impacted the websites, email and phone services. According to The Seattle Times, the cyber attack disrupted travel plans.

“A spokesperson for Alaska Airlines said staff was manually sorting over 7,000 bags, because “a majority” of checked bags missed their flights this weekend.” reported The Seattle Times.

“We believe this was a cyberattack,” said Lance Lyttle, managing director of aviation for Sea-Tac Airport, at a news conference Sunday afternoon.”

“We are conducting a thorough investigation with assistance of outside experts We have contacted and are working closely with federal partners, including TSA and Customs and Border Protection,” Lyttle added.

The Port of Seattle first reported it was experiencing an internet and web systems outage. According a message posted on X, the problems impacted some systems at the airport.

Passengers were recommended to check with their airlines for the latest information for their flights.

In response to the incident, the Port isolated critical systems.

Port of Seattle confirmed on Friday that the Rhysida ransomware group was behind the cyberattack. The Rhysida ransomware group has been active since May 2023. The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors. The victims of the group are “targets of opportunity.”

“This incident was a “ransomware” attack by the criminal organization known as Rhysida. The efforts our team took to stop the attack on August 24, 2024, appear to have been successful. There has been no new unauthorized activity on Port systems since that day. We remain on heightened alert and are continuously monitoring our systems.” reads the update published by the agency. “It remains safe to travel from Seattle-Tacoma International Airport and use the Port of Seattle’s maritime facilities.”

The Port confirmed that an unauthorized actor accessed and encrypted parts of their computer systems, disrupting key services like baggage handling, check-in kiosks, ticketing, Wi-Fi, and parking. The company also states that it has refused to pay the ransom, for this reason the ransomware group may publish stolen data.

“From day one, the Port prioritized safe, secure and efficient operations at our facilities. We are continuing to make progress on restoring our systems. The Port of Seattle has no intent of paying the perpetrators behind the cyberattack on our network,” said Steve Metruck, Executive Director of the Port of Seattle. “Paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars. We continue working with our partners to not just restore our systems but build a more resilient Port for the future. Following our response efforts, we also commit to using this experience to strengthen our security and operations, as well as sharing information to help protect businesses, critical infrastructure and the public.”

The investigation is still ongoing and will notify impacted individuals.

The Port announced that it has been taking additional steps to enhance its existing controls and further secure the IT infrastructure. The agency is strengthening its identity management and authentication protocols, and enhancing the monitoring activities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganin

(SecurityAffairs – hacking, Port of Seattle)