Incident Analysis

Boryspil Airport Cyberattack: NotPetya, OT/IT Convergence, and the Aviation Warning

On 27 June 2017, the NotPetya malware began propagating globally in one of the most destructive cyberattacks in history. Organisations across Ukraine were hit first — including Boryspil International Airport, Ukraine's largest airport and main international hub. The attack disrupted airport operations systems and departure boards, and demonstrated for the first time at scale that ransomware-style malware could propagate from enterprise IT networks into airport operational systems. NotPetya was ultimately attributed to the Russian military intelligence agency GRU (Sandworm group), and its impact on Boryspil remains one of the most cited examples in aviation OT security discussions — a real-world demonstration of the IT/OT convergence threat that CAA CAP 1753 and EASA Part-IS are designed to address.

NotPetya reached Boryspil Airport's operational systems in 2017 via IT network propagation — the defining demonstration of IT/OT convergence risk in aviation.

NotPetya and Boryspil: What Happened

NotPetya propagated via a compromised update to MeDoc — accounting software widely used in Ukraine. The malware spread through networks using stolen Windows credentials (via Mimikatz) and the EternalBlue SMB exploit developed by the NSA and leaked by the Shadow Brokers group. At Boryspil, NotPetya propagated through the airport's IT network and reached systems that controlled airport operations:

  • Departure boards and passenger information systems disrupted — passengers had no information on flights
  • Check-in and ground handling systems affected — creating operational disruption across the airport
  • Administrative and back-office systems encrypted — staff unable to access operational data
  • The disruption demonstrated that IT and OT networks at the airport were insufficiently segmented — NotPetya was able to propagate from enterprise IT into operational systems
  • Ukraine's air traffic management was also affected — Boryspil was not the only aviation infrastructure hit in the NotPetya wave

The IT/OT Convergence Lesson

The core lesson of Boryspil for aviation cybersecurity is the IT/OT convergence risk. Airport operational technology — departure systems, baggage handling, airfield management, building management — is increasingly networked and increasingly connected to enterprise IT networks. When those IT networks lack effective segmentation:

  • Malware that enters via a phishing email or compromised software update can propagate to operational systems
  • Attackers who compromise an IT network can pivot to OT systems without crossing a meaningful security boundary
  • The blast radius of an IT incident extends to operational systems that cannot safely be taken offline
  • Recovery from OT system compromise is significantly more complex than recovery from IT system compromise — OT systems cannot simply be wiped and rebuilt
  • The safety implications of OT compromise in aviation environments are qualitatively different from IT compromise in enterprise environments

GRU Attribution and Nation-State Aviation Targeting

NotPetya was attributed by the UK government, US government, and cybersecurity researchers to Sandworm — a threat actor operating within Russian military intelligence (GRU). The deployment of NotPetya as a destructive cyberattack against Ukrainian infrastructure, with collateral damage globally, demonstrated that aviation infrastructure is in scope for nation-state cyber operations. Aviation OT systems at airports, air navigation service providers, and airlines face threat actors with capabilities and motivations that are qualitatively different from financially motivated ransomware groups. This nation-state threat dimension is explicitly acknowledged in CAA CAP 1753 and EASA Part-IS materials.

What Boryspil Means for Aviation OT Security Today

The Boryspil incident continues to inform aviation OT security requirements:

  • IT/OT network segmentation: The absence of effective IT/OT boundaries at Boryspil allowed propagation — this is now the primary OT security requirement in all aviation frameworks
  • Patch management: NotPetya exploited EternalBlue — an SMB vulnerability patched by Microsoft two months before the attack. Systems with applied patches were resistant.
  • Credential hygiene: NotPetya's lateral movement used stolen credentials. MFA and privileged access management limit the effectiveness of credential-based lateral movement.
  • OT incident response: Aviation operators must plan for OT system disruption specifically — the manual procedures and recovery approaches for OT failures differ from IT
  • Supply chain security: NotPetya entered via MeDoc's update mechanism — a supply chain attack. Software supply chain security is now a specific requirement in EASA Part-IS.
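As an added example (not code from the original article), a small Python checker that applies the segmentation and lateral-movement lessons above to constructed flow-log lines: it flags IT-to-OT connections on the SMB/RPC ports NotPetya spread over, and notes an IT host fanning out across several OT hosts. The zone addressing, log format and fan-out threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed zone plan for an airport network (hypothetical addressing, not Boryspil's).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),   # enterprise IT: office, finance, e-mail
    "OT": ipaddress.ip_network("10.20.0.0/16"),   # operations: departure boards, check-in, baggage
}
# Windows services NotPetya-style worms ride on: SMB (445/139) and RPC/WMI (135).
LATERAL_PORTS = {445, 139, 135}
FANOUT_THRESHOLD = 3  # distinct OT hosts touched by one IT source before we call it scanning

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "OTHER"

def parse_flow(line):
    # Constructed flow-log format: "<time> <src_ip> <dst_ip> <dst_port> <action>"
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}

def analyse_flows(lines):
    """Return (IT->OT SMB/RPC findings, IT sources fanning out across OT hosts)."""
    findings, targets = [], defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if zone_of(f["src"]) != "IT" or zone_of(f["dst"]) != "OT":
            continue
        if f["dport"] in LATERAL_PORTS:
            # An ALLOW here is a segmentation gap; a DENY is still worth an alert.
            sev = "CRITICAL" if f["action"] == "ALLOW" else "WARN"
            findings.append((sev, f["ts"], f["src"], f["dst"], f["dport"]))
            targets[f["src"]].add(f["dst"])
    scanners = {s for s, hosts in targets.items() if len(hosts) >= FANOUT_THRESHOLD}
    return findings, scanners

SAMPLE_FLOWS = [  # constructed sample lines, not real traffic
    "09:00:01 10.10.4.15 10.10.4.20 445 ALLOW",   # IT -> IT: ordinary file share
    "09:00:02 10.10.4.15 10.20.1.10 445 ALLOW",   # IT -> OT SMB allowed: segmentation gap
    "09:00:02 10.10.4.15 10.20.1.11 445 ALLOW",
    "09:00:03 10.10.4.15 10.20.1.12 135 DENY",    # blocked, but the attempt is still evidence
    "09:00:05 10.10.7.2 10.20.3.40 443 ALLOW",    # IT -> OT HTTPS to a sanctioned service
    "09:00:06 10.20.1.10 10.20.1.11 445 ALLOW",   # OT -> OT: outside this rule's scope
]
if __name__ == "__main__":
    found, scanners = analyse_flows(SAMPLE_FLOWS)
    print(found, "fan-out sources:", sorted(scanners))
```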

Frequently Asked Questions

Was Boryspil Airport operationally safe during the NotPetya attack?

Aviation safety-critical systems at Boryspil — including air traffic control systems — were reported to have continued operating during the NotPetya attack, as safety-critical avionics and ATC systems are typically on isolated, dedicated networks with different security architectures from enterprise IT. The disruption was primarily to operational IT systems: passenger information, check-in, and ground handling coordination. However, the incident demonstrated the risk that inadequate IT/OT segmentation poses — had OT networks been more connected to the affected IT systems, the safety implications could have been more serious.

Was NotPetya a ransomware attack or a destructive attack?

NotPetya was designed to appear as ransomware — it displayed a ransom demand — but it was actually a destructive wiper designed to cause maximum damage with no recovery path. The ransom payment mechanism was non-functional: there was no decryption. This distinguishes NotPetya from financially motivated ransomware and reflects its attribution to a nation-state actor seeking to cause damage, not profit. For aviation operators, this distinction matters: the response to destructive malware differs from ransomware, and backup integrity becomes even more critical when recovery is the only path.

How does EASA Part-IS address the OT/IT convergence risk demonstrated at Boryspil?

EASA Part-IS requires aviation operators to include OT/ICS systems within their Information Security Management System scope. The risk assessment required by Part-IS must cover both IT and OT environments. The security controls required — network security, access management, incident response, supply chain risk — apply to the full scope including OT. While Part-IS does not prescribe specific OT security technical standards, it references ENISA and NCSC OT security guidance and expects operators to implement proportionate OT-specific controls.
