Compromised Airport Infrastructure

Case 02

SCORE: 19 / 25

Evidence Provided

  • One .jpg screenshot of the Snort IDS / Sguil console
  • Two pcap files
  • Three text files containing different types of logs

Second case for the CyberOps course, worked on together with my course buddy JJ (thanks btw). This investigation focused on analyzing suspicious activity in a compromised airport infrastructure system.

Scenario: Nangijala International Airport (NanInt) is a moderately busy but relatively small international airport with its own IT department managing the airport network. The network hosts various services, most of which are maintained by external vendors via encrypted remote connections.

External systems are reachable only through VPN tunnels from designated devices or networks, so all remote maintenance traffic is expected to arrive over an authenticated, encrypted connection. One such externally maintained system is the AirPortSys flight information display system, managed by HaiTek Ltd.

Recently, the airport noticed that the display system was behaving abnormally, showing random content even though it appeared operational from the outside. HaiTek runs network monitoring and an intrusion detection system (IDS) and keeps system logs, but lacks the resources for real-time analysis. Backups of all AirPortSys servers from the previous day are available. NanInt also collects its own monitoring and VPN log data. All of this material has been provided for the investigation.

You can view the official report for our findings below. Thanks JJ!

All rights reserved. Any use of my content is strictly prohibited!