Countdown on the Dark Web
Hackers Put Pressure on Vienna Airport
An unpleasant incident is keeping Vienna Airport’s cyber defense team on high alert. A hacker collective posted a countdown on the dark web and is threatening to release additional documents. In response to an inquiry from the “Krone,” the airport emphasized that it is taking the matter seriously. However, security-related documents do not appear to be affected.
A black background featuring the URL viennaairport.com—which is not unknown in Austria—in white letters. Above it, displayed in red, is a countdown set to expire at midnight on Monday. It originates from the notorious hacker group “APT73,” also known as “Bashe,” and was recently published on the dark web. The criminals came to the attention of the general public in 2024 when they apparently stole highly sensitive data from a Hong Kong investment firm and subsequently blackmailed the company with the documents.
Group Buys Stolen Data from Other Hackers
In other cases as well, financial and technology companies in particular were targeted. The group, which now appears to have singled out Vienna International Airport as its victim, typically pursues purely monetary goals. What’s particularly concerning: No one knows for sure yet who the hacker is who breached the systems at Schwechat. “APT73” also offers “ransomware as a service” on the side. This is a model in which private hackers can publish their stolen data sets via “APT73” and profit financially from the extortion attempts.
Airport operations have not been affected in any way and are proceeding as scheduled. Passenger-related or mission-critical data has not been compromised.

Airport spokesperson Peter Kleemann to the “Krone”
Image: Flughafen Wien
Airport Operations Unaffected
The new target of “APT73” is apparently Schwechat in Lower Austria. In response to an inquiry from the “Krone,” airport spokesperson Peter Kleemann confirmed that as-yet-unknown individuals had breached an airport system. However, airport operations are “in no way affected and are proceeding as scheduled.” Passenger-related data is also not believed to be affected. “The airport is currently working to investigate the matter, is in contact with the relevant authorities, and has brought in external cybersecurity experts in addition to its own IT department,” said Kleemann.
A private jet operator was also recently targeted
“Krone” cybersecurity expert Dr. Cornelius Granig knows who the hacker group is. According to international law enforcement agencies, the criminal group threatening the airport with the publication of allegedly stolen data offers a wide range of criminal services in exchange for payment in cryptocurrency, Granig explains. He adds: “In exchange for a kind of admission fee, outsiders can join as partners and carry out extortion attacks together with the group.” “Particular caution is advised” when evaluating the published data.
Both the origin and the authenticity and timeliness of the presented data should be carefully verified before drawing any conclusions.

Cyber expert Dr. Cornelius Granig
Image: Imre Antal
Shipping documents apparently in the criminals’ possession
A silver lining: According to information from “Krone,” the hackers appear to have gained access—at least so far—only to a single employee’s computer. Therefore, it is unlikely that they gained access to security-sensitive documents, which are naturally abundant in airport operations. According to Peter Kleemann, the documents in question were “old cargo documents from the year 2025” that were likely stolen through a phishing attack. In fact, documents are already circulating on the dark web, including some related to the transport of Glock pistols and chemicals. He confirms that the hackers have not yet made direct contact.