First, smoke curled out from the cube of packages stacked on a pallet at a DHL logistics hub near Birmingham, England, last July. Then a lick of flame emerged from the top of the stack. Racing to prevent the fire from spreading, a forklift operator snatched up the burning pallet and dashed away with it, setting it down at a safe remove before the stack turned into a roaring bonfire.
Not long after, 600 miles to the east, inside another DHL logistics hub in Leipzig, Germany, a similar scene played out. Then, according to Polish media, a third courier-related fire started near Warsaw. Polish officials say they intercepted yet another device before it went off and arrested at least four suspects. Another suspect was arrested in Lithuania, according to The Wall Street Journal, and charged with sending four of the devices from the capital city of Vilnius.
An incendiary device made of a magnesium-based substance had apparently sparked each fire. Investigators suspect that the sabotage was organized by Russia’s military intelligence agency as part of an ongoing campaign to sow chaos across Western Europe.
The packages that erupted in Germany and England were both scheduled to be shipped on planes operated by DHL, the global logistics company headquartered in Germany. One had arrived at the warehouse via air freight, and one was about to be loaded. Magnesium fires are particularly dangerous because dousing them with water only makes the fire worse; a special powder has to be used. The fire that ignited in Poland took two hours to extinguish, per local reports. If any of the packages had ignited in the cargo hold of a plane in flight, there would have been no easy way to prevent it from leading to one of the most feared and deadly in-flight disasters: a runaway fire that consumes oxygen and fills the air with poisonous smoke and fumes far too quickly for the pilots to get the plane on the ground. “It would have resulted in a crash,” Thomas Haldenwang, the former head of Germany’s domestic intelligence department, told German parliament. People could have been killed on the ground, and many more could have died if the devices had gone off on a passenger flight.
But the DHL attacks, scary as they are, are not the end. They are among a number of recent events that threaten to upend air safety. Civil aviation around the world is now under sustained attack, both on the ground and in the air. The ongoing aggressions encompass sabotage and hijacking as well as more modern kinds of strikes, such as breaching databases, tampering with navigational systems, and potentially even the hacking of onboard systems. While the aviation industry is aware of the danger, there has been no organized effort that has kept pace with the rate of cybersecurity attacks. Krishna Sampigethaya, chair and professor at the Cyber Intelligence and Security Department at Embry-Riddle Aeronautical University, a leading American aviation institution, says some steps have been taken, but “it’s an open and attractive space for attackers to target.”
For decades, air travel has been the safest way to get around. Year after year aircraft engineers, airlines, and regulators have relentlessly honed the procedures for making, maintaining, and operating aircraft in order to narrow the margin for bad events. “Rules are written in blood,” the saying goes. The aviation industry fetishizes the following of procedures so that parts don’t break and crews don’t make dangerous mistakes. This is the core tenet of safety: eliminating opportunities for accidents.
Safety is only part of the equation, though. The other part is security: defending against deliberate action. The first known case of an airplane hijacking was in 1931, when revolutionaries attempted to seize a Ford Tri-Motor plane in Peru. By the late ’60s, hijackings had become a weekly occurrence throughout the world, prompting officials to introduce the first anti-hijacking security measures, such as metal detectors and X-ray machines. Then came 9/11, which ushered in the era of sock-footed shuffling through 3D scanners.
TSA checkpoints and other security measures have appeared to be successful at warding off attackers with bombs and box cutters. But another class of potential perpetrator—or “threat actor,” in security speak—is capable of advanced measures that are much more difficult to detect. Nation-state threat actors can tap the resources, talent, and funding of an entire country to plan and carry out malicious acts—and they don’t even need to be in the airplane, or at the airport.
Historically, nations have largely avoided attacking one another in the air. Save for a few conflicts that have occurred at moments of perilously high political tension, the international order has treated air travel as sacrosanct, a parallel realm in which aircraft of all nations are allowed to pass unmolested. The International Civil Aviation Organization, the United Nations agency that governs aviation, provides guidelines for countries to charge airlines for using their airspace, and these so-called overflight fees can be one of the rare sources of foreign revenue for rogue nations like Myanmar and North Korea.
According to the Chicago Convention of 1944, which laid the underpinnings for international aviation law, signatory nations “must refrain from resorting to the use of weapons against civil aircraft in flight” and “the lives of persons on board and the safety of aircraft must not be endangered.” To intentionally shoot down, blow up, or otherwise endanger an adversary’s passenger vessel would be an overt act of war on par with the sinking of the Lusitania in 1915.
But the world has been changing, and so have the rules that adversaries play by.
The strange disruptions began building in late 2023, striking airliners mid-flight over Ukraine and the Middle East. The anomalies spread to the Black Sea and the Baltic region, then to the Korean Peninsula—first a few here and there, then dozens, then hundreds. In the midnight dark of a red-eye cockpit, or during the afternoon tedium of a Europe-to-Asia leg, clocks can suddenly blip several minutes into the future or past, map displays can shift dozens of miles off course, and altitude readings can go haywire. “I was at 35,000 feet, and suddenly it said 1,000 feet,” recalls Akseli Meskanen, a Finnair captain and president of the Finnish Pilots’ Association.
Some planes descending to land have become so disoriented that they’ve had to abort their approach. By late April the problem had gotten so bad in Estonia that Finnair canceled all its flights to Tartu, the country’s second-largest city.
The disruptions appear to have emerged largely as a side effect of military activity related to drones. In recent years, weaponized drones have played an increasingly important role in conflicts in the Middle East and Ukraine: They are small, cheap, plentiful, and hard to detect. Electronic warfare is one of the few effective ways to deter them.
One form of electronic defense, called jamming, swamps the airwaves with noise so that GPS receivers can’t hear the satellites. Another, spoofing, creates fake signals that mimic messages from GPS satellites, misleading GPS receivers about their location.
Though specifically intended to confuse drones, these electronic countermeasures can wind up impacting huge swaths of sky. Once pilots are trained to recognize such attacks, they can respond; flight crews are advised to switch off GPS receivers and use other forms of navigation. But a third method of attack, called smart spoofing, is more nefarious and can actually manipulate a specific aircraft’s computer systems.
Todd Humphreys, a professor of engineering at the University of Texas at Austin, was among the first to demonstrate the technique, back in 2012. As he was studying the GPS protocol, Humphreys realized that a clever threat actor could almost undetectably disrupt a GPS-enabled navigation system. If you know the exact location of your target, you can send a signal that effectively lies to that target’s GPS receiver about its own position—not by very much, but just enough to convince the navigation system that it needs to correct its course. A patient attacker could keep adding slightly erroneous signals until the target is heading in a completely wrong direction.
To test the idea, Humphreys laid out cables, laptops, and antennas on the floor of his home and patched together a prototype GPS spoofer. Humphreys then set his rig to spoof his own iPhone. As he watched, the blue dot on the navigation app screen started wandering across his neighborhood, even as the phone sat perfectly still. Shortly after, Humphreys perfected his spoofing rig and miniaturized it to fit in a portable box. During a 2013 demonstration in the Mediterranean Sea, Humphreys and his colleagues were able to take over the navigation system of an $80 million superyacht and send it off course.
This kind of GPS attack is akin to hacking, since it uses knowledge of an adversary’s control system to take it over. Because the ship’s or plane’s inertial navigation system doesn’t realize that it’s receiving corrupted information, it’s virtually impossible for the system itself to recognize that something is going wrong. “Current aircraft navigation systems can’t detect it,” says Xavier Orr, cofounder of Advanced Navigation, which builds navigation systems that are resistant to interference. “If they don’t know about it, they can’t solve for it.”
Indeed, this is just what has been happening over the Baltic Sea, where the westernmost territories of Russia intercalate with Finland, Sweden, Estonia, Latvia, and Lithuania. “We have had many, many incidents where aircraft unintentionally flew into airspaces that they weren’t supposed to,” says Otjan de Bruijn, president of the European Cockpit Association.
A similar hack was apparently used by Iran to steal one of America’s top secret unmanned aircraft. In December 2011, an RQ-170 Sentinel was circling high above northeastern Iran conducting surveillance when its handlers suddenly lost control, under circumstances that remain unclear. The Sentinel descended and was captured, mostly intact, by Iran. At first the US claimed the drone had malfunctioned, but eventually it was reported that the Sentinel had likely fallen victim to Iranian electronic warfare forces, who had first jammed the drone’s links to its operators and then spoofed GPS signals to lure it in for capture. According to US aerospace reporter Stephen Trimble, the Iranians had recently received from Russia a sophisticated piece of electronic intelligence equipment called the Avtobaza, which is designed for radar signal interception and jamming.
According to Finnish officials, there were more than 1,000 reports of GPS interference in 2024.
There was little doubt, to those officials, as to who was causing the problem; many disruptive signals had been traced back to the heavily defended Russian exclave of Kaliningrad, according to reports. But why would Russia wage electronic warfare against civilian aircraft in an area hundreds of miles from the nearest conflict?
The answer has to do with Vladimir Putin’s strategic goals. Since he came to power in 1999, Putin has been trying to revive Russian greatness as it was under the czars and the Soviets. This means dominating and annexing its neighbors. Putin has repeatedly questioned the sovereignty of Ukraine and Georgia, suggesting they are breakaway republics rather than fully independent nations. Finland and Estonia also fear his imperial goal of absorbing the Baltic region.
Reviving Russian greatness is a project of immense importance for Putin, but it won’t be an easy one to accomplish. Russia is poorer, smaller, and weaker than its adversaries in the democratic West, so Putin dares not pursue his ambitions too overtly. Instead, since at least 2013, Russia has waged a wide-ranging shadow war with a grab bag of offensive techniques, from hacking and misinformation to sabotage and assassination, keeping its enemies off-balance while remaining in a “gray zone” in which the provenance of such attacks is unclear, or the level of aggression is insufficient to trigger a hot war.
“For more than two decades, the Russian government has used its cyber capabilities to destabilize its neighbors and interfere in the domestic politics of democracies around the world,” the Biden administration noted in its 2023 National Cybersecurity Strategy, adding that “Russia remains a persistent cyber threat as it refines its cyber espionage, attack, influence, and disinformation capabilities.”
In this new mode of warfare, the sky is no longer a sanctuary. Over the last decade the Kremlin and its allies have repeatedly targeted civilian aircraft. In 2014 a Russian army air-defense unit in Ukraine shot down a Malaysia Airlines passenger jet, killing all 298 aboard. In 2021 Belarus forced down an international flight over its territory to arrest a dissident aboard it. And in 2023 a plane carrying Yevgeny Prigozhin, leader of the Wagner Group, ignited midair and crashed under mysterious circumstances, just months after his mutiny against the Russian military leadership—though Russia has denied responsibility. Each act was a crime but also a flex, demonstrating the ruthlessness and determination of the Russian state and the price that could be paid by those who defy it.
In this context, the wave of GPS spoofing and jamming that has plagued the Baltics is being interpreted by many within the region as a threat and a punishment—specifically a response to Finland and Sweden’s recent accession to NATO. Their decision to join was itself made in response to Russia’s invasion of Ukraine, which was made in response to Ukraine’s attempt to peel itself away from Russian hegemony during the Maidan uprising of 2014. It is the latest escalation, in other words, in a long-enduring spiral.
One of the objectives of hybrid warfare is to keep an opponent unsure of what is happening or why. Were the DHL attacks an earnest attempt to destroy a cargo plane? A test run to lay the groundwork for a later attack? Or perhaps a feint, a distraction from other, more dangerous schemes? There was no way to tell from the physical evidence alone.
Unpredictability is the mark of a skilled gray-zone operator, and a wide range of tools and styles is an asset. A feature of Russia’s alleged campaign of disruption is that it uses different kinds of attacks. Some, like blasting an airliner out of the sky with a missile, are blunt and brutal. Others can be dazzlingly brilliant. Russia’s SolarWinds cyberattack, which bored deep into network management software between 2019 and 2020, involved techniques so ingenious that they had previously been deemed impossible. “Investigators,” Wired later reported, “were blown away by the hack’s complexity and extreme premeditation.”
A worst-case scenario is one in which Russia combines the full measure of both its cleverness and its brutality to trigger an aviation catastrophe that leaves hundreds dead with no way to tell for certain who was responsible, or even without any firm evidence that it had been an attack at all.
Western authorities have been aware of the danger of a cyberattack against aviation for some time. In 2014 the Federal Aviation Administration enlisted a Washington, DC–area consulting company to assess the cyber vulnerability of US airliners. The resulting study reported that numerous potential avenues of attack were wide open, from the design and production of aircraft to routine maintenance. It concluded that “a significant risk exists across legacy, current, and next/new generation aircraft.”
In the years that followed, cybersecurity specialists called penetration testers went to work to identify specific vulnerabilities. One such effort was organized by the Department of Homeland Security in 2016. A unit within the agency, called the Science & Technology Cyber Security Division, obtained a Boeing 757 and turned it over to a team of pen testers. Within two days they were able to find a way to break into the system remotely. It was later reported that “early testing indicates that viable attack vectors exist that could impact flight operations.”
Private investigators have had similar results. In 2018 Ken Munro, founder of the British cybersecurity firm Pen Test Partners, borrowed a disused 747 and demonstrated potential vulnerabilities in aircraft systems using an unsecured tablet computer.
So far, though, efforts to identify and remedy vulnerabilities have been piecemeal and sporadic. “Current policies and practices are inadequate to deal with the immediacy and devastating consequences that could result from a catastrophic cyber attack on an airborne commercial aircraft,” warned a 2016 DHS report, which also noted a “significant reluctance by the commercial world to expend resources to prevent penetration & attack.”
That reluctance abides today. “It’s hard to convince the aviation industry that cybersecurity isn’t just about protecting computers—new cyber-physical threats like GPS spoofing and jamming can also disrupt aircraft operations and safety,” says Sampigethaya.
Throughout 2024 Russia appeared to dramatically increase suspected gray-zone attacks against Europe. There was the alleged assassination of a prominent defector in Spain, and an apparent attempted assassination of several defense industry executives. Agents were suspected of breaking into water treatment plants in Finland and Sweden. Mysterious drones targeted a US airbase in Germany and England, and temporarily shut down an airport in Sweden. Russian ships were suspected of cutting a power cable and two data cables under the Baltic Sea. And this year a cargo ship under the alleged command of a Russian national plowed into an anchored tanker full of jet fuel for the US military, setting it ablaze.
Russian military intelligence “is on a sustained mission to generate mayhem on British and European streets,” said Ken McCallum, director general of MI5, in a rare public speech. “We’ve seen arson, sabotage, and more. Dangerous actions conducted with increasing recklessness.”
The planting of incendiary devices, however, has threatened to take the temperature above a boil. According to The New York Times, US intelligence officials became convinced that the DHL warehouse incidents were part of a larger plan to target planes headed for the United States and Canada. The devices ignited after the planes had landed, but a malfunction could easily trigger a mass-casualty event because passenger planes sometimes transport smaller packages in spare cargo space. “The risk of catastrophic error was clear,” former Department of Homeland Security secretary Alejandro Mayorkas told the Times in January, just before Donald Trump’s inauguration. “These could catch fire in a fully loaded aircraft.”
Alarmed, the Biden White House reportedly sent leading security and intelligence officials to warn the Kremlin of the danger that could result from such a plan—and that the repercussions could be severe. The message got through, apparently, and the attacks stopped—at least for the time being.
The security situation in the United States has changed dramatically, and quickly. Trump is a longtime admirer of Putin and has said that he trusts Russia more than US intelligence. On January 21, his second day in power, Trump dismissed members of the Aviation Security Advisory Committee, a group set up in the wake of the Lockerbie bombing to strengthen airline and airport security. In February his defense secretary, Pete Hegseth, reportedly ordered a halt to offensive cyber operations against Russia. Given the new pro-Kremlin tilt, America’s closest intelligence allies are reportedly reconsidering whether to continue sharing secrets with US intelligence. “People are very worried,” an unnamed former US intelligence official told NBC.
The challenge in a hybrid warfare environment isn’t to identify and deal with each attack that comes your way. It’s to recognize that you’re in a hostile environment and that your adversary is constantly thinking of new ways to do harm. To that end, researchers in the field of aviation cybersecurity are constantly working to identify potential weaknesses and figure out how they could be exploited so that defenses can be erected.
One system that’s received particular attention is the Traffic Collision Avoidance System, or TCAS, which was designed in the 1980s to prevent aircraft from running into each other. Last August, Italian researcher Giacomo Longo presented a paper at a conference in Philadelphia in which he described how his team had patched together hardware and written software that could produce spoof TCAS alerts at distances up to 4.2 kilometers, or roughly 2.6 miles, away. These could cause planes to veer suddenly off course. In January the US Cybersecurity & Infrastructure Security Agency issued an alert about the vulnerability.
On January 29 an American Airlines jet carrying 64 people collided with an Army Black Hawk helicopter as it was coming in to land at Ronald Reagan Washington National Airport. The plane’s TCAS had given the flight crew an audible traffic advisory about the collision 19 seconds before the crash, but further audible warnings were suppressed by design as the plane descended below a standard advisory cutoff altitude. The ensuing collision killed everyone aboard the jet and all three crew members on the Black Hawk.
About a month later, on March 1, at least a dozen planes landing at the airport reported that they were getting false TCAS warnings with no aircraft in sight. “It’s been happening all morning.… No one else has been seeing anything except for on the TCAS,” an air traffic controller told one aircraft. Three planes aborted their landings and conducted “go-around” maneuvers. “I’ve never heard of something like this,” former National Transportation Safety Board chairman Robert Sumwalt told CBS. “Nuisance alerts, yes, they happen. But not like this, where several planes have it at the same location.”
Five days later, more anomalies occurred. “Several flight crews arriving and departing Reagan Washington National Airport received onboard alerts Thursday morning indicating another aircraft was nearby although no other aircraft were in the area,” the FAA tells Vanity Fair.
Within the world of aviation cybersecurity, the ghost alerts were widely regarded as suspicious, as no one could think of how the signals involved could have been produced innocently or inadvertently.
“I find the events suspiciously compatible with the exploits outlined in my paper,” Longo tells Vanity Fair, adding that a spoofing attack is “the most plausible explanation” for the observed anomalies. It seemed to him that someone has been “using what I built for harm, and I don’t like it one bit.”
The story took a dramatic twist on March 27, when Senator Ted Cruz stated at a Senate hearing, “It’s now come to my attention that these warnings were caused by the Secret Service and the US Navy improperly testing counter-drone technology at [Reagan].” Cruz claimed that the government tests had used the same spectrum band as TCAS, causing interference and faulty resolution advisories, even though the FAA had reportedly previously warned the Navy and the Secret Service against using that specific spectrum band due to interference risks.
Is Cruz correct? “I’ve never heard of spoofing TCAS as a counter-drone tactic before,” says John Wiseman, an independent aviation researcher who investigates unusual aviation incidents using publicly available data. He points out that while some drones are outfitted with TCAS, an unmanned vehicle penetrating hostile airspace would not likely be deterred by a TCAS alert. Wiseman also is skeptical of the claim that the ghost alerts were triggered by interference in the frequency band. For a TCAS system to generate an alert, it needs to receive multiple correctly encoded digital messages received at just the right time. It’s unlikely that this could happen by accident. “It seems like it has to be intentional, not just the result of jamming,” he says.
Even if the anomalies resulted from a well-intentioned research project, the way that the testing was carried out seems strangely unprofessional. When researchers like Longo and Humphreys build their experimental rigs, they are careful to do so in shielded environments so that their signals won’t leak and cause mayhem in the real world. Such precautions would seem especially urgent less than a month after the first fatal commercial midair crash in over a decade, along a flight path that passes just one mile from the White House. “What a weird place and time to do that sort of testing,” Wiseman marvels.
A spokesperson for the Secret Service denies Cruz’s allegations, telling Vanity Fair that it “did not conduct any drone system testing in the National Capital Region on March 1, 2025. The agency has been coordinating with the FAA to ensure our systems do not interfere with FAA frequencies or commercial air traffic operations.” A representative for the Navy tells Vanity Fair it is looking into the matter.
Regardless of who is actually responsible for the ghost alerts, and whether the motive behind them was benign or malicious, the incidents appear to mark a historic turning point in the annals of US aviation: the first time that a deliberate, sophisticated spoof has disrupted commercial airliners in the national airspace.
Once there has been one, there will in all likelihood be more. Whether they occur in an environment that is complacent and vulnerable, or alert and adaptive, depends on how we react now. Until now, the threat that airliners could be hacked has been abstract and remote-feeling; it’s hard to rally vigilance for a threat that has never manifested before. But all that’s changed.
In a criminal court, a defendant is presumed innocent until proven otherwise. That standard of proof can’t apply in an adverse security environment, where attackers can strike in unforeseeable ways, the evidence itself is prone to be altered, and the stakes are human lives. When you suspect that sophisticated adversaries are intent on doing you harm, it’s irresponsible to wait for definitive proof you’ve been attacked. Sometimes you just have to expect the worst.
The post Exploding Cargo. Hacked GPS Devices. Spoofed Coordinates. Inside New Security Threats in the Skies. appeared first on Vanity Fair.