The UAE's "Blink" platform revealed that there are implications in the investigations suggesting that the breach at Rafik Hariri International Airport could be internal, aimed at causing discord, especially since devices are not connected to the internet. According to this, despite denials, investigations are ongoing with four employees at the airport.
The investigation conducted by the platform stated: "Lebanon has witnessed significant turmoil since Sunday, following a cyberattack that targeted electronic screens inside Beirut International Airport. This attack displayed anti-Hezbollah content through the flight screens in the airport."
What happened?
Around 5 PM on Sunday, travelers at Beirut airport were surprised by the change of content on the electronic screens that were broadcasting departure and arrival times. Passengers realized at the moment of the breach that the normal data disappeared, replaced by a message that read: "In the name of God and the people... Rafik Hariri Airport is not Hezbollah's or Iran's airport... Hassan Nasrallah, you will not find support if Lebanon is embroiled in war for which you are responsible... We will not fight on behalf of anyone... You took our port, and now you want to take our airport due to arms entering... Let the airport be liberated from the grip of the statelet."
The breach did not only disrupt the airport screens but also stopped the operation of luggage trolleys for departing passengers. Fadi Hassan, the Director General of Civil Aviation, stated during a tour with journalists at Beirut Airport on Monday that "the screen malfunctions have been fixed by 100% in the arrival and departure halls and across the passenger terminal, and everything is back to normal."
He added: "Regarding luggage trolleys, we are still coordinating with the contracted maintenance company at the airport to restore the situation, noting that the check-in process for departing passengers is proceeding normally, with no delay in manually checked luggage."
Exclusive Information for "Blink"
The Minister of Public Works said in a press conference that there have been no arrests in the breach case, but "Blink" indicated that about four employees and administrators at the airport have been detained since last night. Initial indications suggest that the breach may have occurred from within the airport intentionally, thus ruling out the "external breach" hypothesis.
"Blink" sources also state that the screen system is not connected via the internet but is internal, and the computer broadcasting the departure and arrival data is not linked to the internet. The data obtained by "Blink" is corroborated by Saloum Dhadah, a communications and informatics engineer, who revealed that the airport's operating system is "intranet" and not "internet," meaning it is not accessible from the internet, and therefore, the breach must have occurred from within.
Dhadah clarified that what happened can only occur through an employee and not through an "external hacker," indicating that the hacking operation required a direct action within the airport to make changes to the operating system.
Roland Abi Najm, a cybersecurity expert, told "Blink" that all indications suggest the breach would be internal. He said, "If there is a possibility of an external breach, then the airport management and relevant authorities must be held accountable." He added that "the operating systems should be separate from one another inside the airport, so that in the event of a specific breach, damage can be controlled and contained to prevent it from being extensive."
Abi Najm criticized the inconsistency in the Minister of Public Works's statements regarding the incident, saying, "Yesterday, he claimed the breach came from outside, then today he stated he could not confirm whether the incident resulted from an internal or external breach, which raises questions about the truth."
"Blink" reported that investigations are ongoing to determine whether this breach aimed to create confusion in the airport to facilitate a massive smuggling operation. Abi Najm did not rule out that possibility, mentioning, "There are questions about the coincidence of the malfunctioning of the airport screens, which displayed a message coinciding with the stoppage of luggage trolleys... What is the reason behind that? What happened could raise suspicions that the screen outage was intended to distract attention from other things that may have occurred secretly within the airport, including smuggling operations, and security forces must answer these questions and clarify the reality of these legitimate doubts."
He continued: "What does it mean when he says a new server for the screens is now operational after the breach incident? The direct implication here suggests that the old server is no longer operational or has completely collapsed."
On the matter of the "old server," Dhadah mentioned that the security agencies might have set it aside for investigation regarding what happened with it, and that it is not necessarily out of service. Regarding the luggage trolleys, Dhadah noted, "The systems of that equipment are connected to passenger reservations, so a failure in departure and arrival data could contribute to the malfunction of those trolleys, as they may be interconnected."
Sources informed "Blink" that the passenger data system is subject to a special technical protection system, and it was not breached yesterday. Furthermore, airport technicians, during the investigations, did not notice any technical changes in that data, thus no breach appeared.
Notably, the breach that occurred did not lead to changes on Beirut Airport's website, as the data there remains unchanged.
