In March 2025, Kuala Lumpur International Airport (KLIA) suffered a ransomware attack claimed by the Qilin gang, which crippled flight information displays, check-in kiosks, and baggage handling for over 10 hours. Operations reverted to manual processes (whiteboards, paper logs), causing mass disruption for passengers and airport staff. Qilin claimed to have exfiltrated about 2 TB of airport data and demanded a $10 million ransom, which Malaysia's Prime Minister publicly refused to pay. The initial access vector has not been publicly confirmed; the most likely route is phishing of supplier or contractor accounts, i.e. credential compromise rather than exploitation of a software vulnerability. The incident highlighted systemic risks in interconnected airport ecosystems, where third-party access and high employee turnover amplify exposure. No direct financial loss was confirmed, but the operational chaos, reputational damage, and potential long-term exposure of the stolen data (e.g., passenger records, vendor contracts) posed severe risks to KLIA's operations and public trust.
Source: http://www.parking-net.com/parking-news/bookflowgo/-iso-27001-and-the-human-firewall
TPRM report: https://www.rankiteo.com/company/malaysia-airports
"id": "mal4432944102725",
"linkid": "malaysia-airports",
"type": "Ransomware",
"date": "3/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Aviation/Transportation',
'location': 'Malaysia',
'name': 'Kuala Lumpur International Airport (KLIA)',
'size': 'Large (Major International Hub)',
'type': 'Airport Operator'},
{'industry': 'IT/Aviation Services',
'name': 'Unnamed Supplier/Contractor(s)',
'type': 'Third-Party Vendor'}],
'attack_vector': ['Phishing (Supplier/Contractor Accounts)',
'Social Engineering'],
'data_breach': {'data_encryption': 'Yes (Ransomware Encryption)',
'data_exfiltration': 'Yes (2 TB Claimed by Qilin)',
'personally_identifiable_information': 'Potential '
'(Unconfirmed)',
'sensitivity_of_data': 'High (Potential PII, Operational '
'Data)'},
'date_detected': 'March 2025',
'date_publicly_disclosed': 'March 2025',
'description': 'In March 2025, Kuala Lumpur International Airport (KLIA) '
'suffered a ransomware attack attributed to the Qilin gang. '
'The attack disrupted flight information displays, check-in '
'systems, and baggage handling for over 10 hours, forcing '
'staff to rely on manual backups. The attackers demanded a $10 '
'million ransom, which was publicly rejected by Malaysia’s '
'Prime Minister. Qilin claimed to have stolen ~2 TB of airport '
'data, likely gaining access via phishing against '
'supplier/contractor accounts rather than exploiting technical '
'vulnerabilities. The incident underscores the role of human '
'error and third-party risks in critical infrastructure '
'breaches.',
'impact': {'brand_reputation_impact': 'High (Public Rejection of Ransom, '
'Media Coverage)',
'data_compromised': '2 TB (Claimed by Qilin)',
'downtime': '10+ hours',
'identity_theft_risk': 'Potential (If PII in Stolen Data)',
'operational_impact': ['Manual Processes (Whiteboards/Paper Logs)',
'Passenger Delays',
'Service Disruptions'],
'systems_affected': ['Flight Information Displays',
'Check-in Systems',
'Baggage Handling Systems',
'Potential Supplier/Contractor Systems']},
 'initial_access_broker': {'backdoors_established': 'Unconfirmed (No public '
                                                    'evidence; exfiltration claims '
                                                    'alone do not establish persistence)',
'data_sold_on_dark_web': 'Unconfirmed (But 2 TB '
'Data Theft Claimed)',
'entry_point': 'Phishing (Supplier/Contractor '
'Accounts)',
'high_value_targets': ['Flight Information Systems',
'Check-in Systems',
'Baggage Handling',
'Operational Data']},
'investigation_status': 'Ongoing (No Public Detailed Forensic Report)',
'lessons_learned': ['Human error and third-party risks remain critical attack '
'vectors in complex ecosystems like airports.',
'Supplier/contractor accounts require stricter access '
'controls and monitoring.',
                     'Phishing-resistant authentication (e.g., FIDO2/WebAuthn '
                     'keys; OTP and push-based MFA can be relayed by phishing '
                     'kits) plus training is essential for all ecosystem partners.',
'Manual backup processes are vital for operational '
'continuity during cyber incidents.',
'Public rejection of ransom demands can deter future '
'attacks but may prolong recovery.'],
'motivation': 'Financial Gain (Ransom Demand)',
'post_incident_analysis': {'corrective_actions': ['Mandate ISO 27001 '
'compliance for all vendors '
'in the airport ecosystem.',
'Implement stricter '
'third-party access '
'controls (e.g., MFA, least '
'privilege).',
'Enhance phishing '
'resistance through '
'training and technical '
'controls.',
'Segment critical systems '
'to limit blast radius of '
'future breaches.',
'Develop joint incident '
'response plans with key '
'suppliers/contractors.'],
'root_causes': ['Phishing vulnerability in '
'supplier/contractor accounts.',
'Lack of robust access controls or '
'MFA for third-party access.',
'Human error (e.g., clicking '
'malicious links or failing to '
'verify requests).',
'Interconnected systems with '
'shared dependencies (e.g., APIs '
'between vendors).']},
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes (2 TB Claimed)',
'ransom_demanded': '$10 million USD',
'ransom_paid': 'No (Publicly Rejected)',
'ransomware_strain': 'Qilin'},
'recommendations': ['Implement ISO 27001 frameworks to standardize security '
'across vendors and internal teams.',
                     'Enforce phishing-resistant multi-factor authentication (e.g., '
                     'FIDO2) for all third-party access, scoped to named systems '
                     'and maintenance windows.',
'Conduct regular phishing simulations and security '
'awareness training for staff and suppliers.',
"Adopt a 'deny by default' access policy for sensitive "
'systems.',
'Segment critical systems (e.g., baggage handling, '
'check-in) to limit lateral movement.',
'Develop and test incident response plans involving '
'manual workflows for critical operations.',
'Audit third-party vendors for compliance with security '
'standards (e.g., ISO 27001).'],
'references': [{'source': 'BookFlowGo Blog Post (Cyber Incident Description)'},
{'source': 'Qilin Ransomware Gang Statement (Claimed '
'Responsibility)'},
{'source': 'Malaysia Prime Minister’s Public Statement (Ransom '
'Rejection)'}],
'response': {'communication_strategy': ['Public Rejection of Ransom by Prime '
'Minister',
'Limited Technical Disclosure'],
'containment_measures': ['Isolation of Affected Systems',
'Manual Backup Processes'],
'incident_response_plan_activated': 'Yes (Assumed, Given Manual '
'Workarounds)',
'law_enforcement_notified': 'Likely (Given Public Statement by '
'Prime Minister)',
'recovery_measures': ['System Restoration from Backups '
'(Assumed)']},
'threat_actor': 'Qilin Ransomware Gang',
'title': 'Ransomware Attack on Kuala Lumpur International Airport (KLIA)',
'type': ['Ransomware', 'Data Breach', 'Operational Disruption'],
'vulnerability_exploited': ['Human Error',
'Third-Party Supplier Weakness',
'Lack of Multi-Factor Authentication (Assumed)',
'Insufficient Access Controls (Assumed)']}
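Worked example, added here and not taken from the report's sources or from any KLIA or Malaysia Airports system: a deny-by-default policy check for supplier/contractor accounts, run over constructed authentication log lines. It turns the third-party controls listed above (MFA, per-account system allowlists standing in for zone segmentation, source-network and maintenance-window restrictions) into code that either admits an event or returns the reasons it should be denied and alerted on. All account names, hostnames, networks, the log format and the log lines are assumptions made up for the example.

```python
"""Deny-by-default access checks for third-party (supplier/contractor) accounts.

Added example for this incident record; it is not code from KLIA, Malaysia
Airports, Rankiteo or Qilin. Every account, host, network and log line below is
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed policy. An account gets access only to the systems, source
# networks and hours listed here, and only with MFA; anything else is denied.
VENDOR_POLICY = {
    "svc-bagvendor": {
        "systems": {"bhs-control-01"},      # baggage-handling zone only
        "src_nets": ["203.0.113.0/24"],     # vendor's VPN egress range
        "window": (22, 5),                  # 22:00-05:00 UTC maintenance window
    },
    "ctr-kiosk-maint": {
        "systems": {"checkin-kiosk-gw"},    # check-in zone only
        "src_nets": ["203.0.113.0/24"],
        "window": (1, 4),
    },
}

# Constructed key=value auth log format (assumed, not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>yes|no) result=(?P<result>\S+)$"
)


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    user: str
    src: str
    mfa: bool
    result: str


def parse_event(line: str) -> Optional[AuthEvent]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return AuthEvent(ts, m["host"], m["user"], m["src"], m["mfa"] == "yes", m["result"])


def in_window(hour: int, window: tuple) -> bool:
    """True if hour falls in [start, end); handles windows that cross midnight."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def evaluate(event: AuthEvent, policy=VENDOR_POLICY) -> list:
    """Return the reasons this event violates policy; an empty list means allowed."""
    rules = policy.get(event.user)
    if rules is None:
        return ["account not in policy"]      # deny by default: unknown account
    reasons = []
    if event.host not in rules["systems"]:
        reasons.append("system not in allowlist")   # crossing a zone boundary
    src = ipaddress.ip_address(event.src)
    if not any(src in ipaddress.ip_network(n) for n in rules["src_nets"]):
        reasons.append("source not in vendor network")
    if not event.mfa:
        reasons.append("no MFA")
    if not in_window(event.ts.hour, rules["window"]):
        reasons.append("outside maintenance window")
    return reasons


def triage(log: str, policy=VENDOR_POLICY) -> list:
    """Run the policy over a log; return (user, host, reasons) per violation.
    Failed logins are reported too, since they show an account being probed."""
    findings = []
    for line in log.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = evaluate(ev, policy)
        if reasons:
            findings.append((ev.user, ev.host, reasons))
    return findings


# Constructed sample log: one clean vendor session; the same vendor account used
# without MFA, from an unknown network, in the afternoon; a kiosk contractor
# reaching a flight-information host outside its zone; and an unregistered account.
SAMPLE_LOG = """\
2025-03-22T02:10:41Z host=bhs-control-01 user=svc-bagvendor src=203.0.113.10 mfa=yes result=success
2025-03-22T14:03:12Z host=bhs-control-01 user=svc-bagvendor src=198.51.100.7 mfa=no result=success
2025-03-22T02:15:05Z host=fids-core-02 user=ctr-kiosk-maint src=203.0.113.22 mfa=yes result=success
2025-03-22T02:16:30Z host=checkin-kiosk-gw user=ctr-kiosk-maint src=203.0.113.22 mfa=yes result=success
2025-03-22T03:00:00Z host=bhs-control-01 user=tmp-contractor9 src=192.0.2.5 mfa=no result=success
"""

if __name__ == "__main__":
    for user, host, reasons in triage(SAMPLE_LOG):
        print(f"ALERT {user} -> {host}: {', '.join(reasons)}")
```

In practice the policy table would be fed from the identity/PAM system and the events from the SIEM; the point the example makes is that an account absent from the policy, or a vendor account touching a host outside its zone, is denied rather than merely logged, and that a successful login with no MFA from an unexpected network is a third-party credential-compromise signal worth paging on.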