Overview of the August 2024 Port of Seattle Cyber Attack

In August 2024, a cyber attack hit the Port of Seattle, which also operates the Seattle-Tacoma International Airport. The attack impacted websites, phone systems, and internal applications, ultimately resulting in the exposure of sensitive data belonging to over 90,000 individuals.

The Rhysida ransomware group has claimed responsibility for the breach, exploiting legacy systems to exfiltrate personally identifiable information (PII) including Social Security numbers, driver’s license data, and partial medical records. Approximately 71,000 Washington residents were affected, underscoring the widespread impact of this coordinated operation.

Operational disruptions included downtime for the Port’s primary website, the flySEA mobile app, and passenger-facing information systems. Although payment systems and air traffic control remained unaffected, the attack caused significant travel delays and affected public confidence in critical infrastructure cybersecurity.

Tactics, Techniques, and Procedures (TTPs) Observed

Based on available threat intelligence, the Rhysida group leveraged multiple MITRE ATT&CK techniques to gain initial access, escalate privileges, and deploy ransomware payloads:

  • Initial Access – T1078: Valid Accounts: Likely exploited compromised VPN or Active Directory credentials through brute-force or credential stuffing attacks.
  • Execution – T1059: Command and Scripting Interpreter: PowerShell was used extensively for lateral movement and reconnaissance.
  • Defense Evasion – T1562.001: Disable or Modify Tools: Windows Defender exclusions were programmatically configured to allow ransomware payload execution.
  • Exfiltration – T1041: Exfiltration Over C2 Channel: Data was staged and exfiltrated using HTTPS via compromised proxy servers.
  • Impact – T1486: Data Encrypted for Impact: Files across network shares and workstations were encrypted using AES-256 encryption.

The full mapping of these techniques, with sub-techniques and detection notes, is documented in the MITRE ATT&CK Framework.

Network Indicators and Behavioral Artifacts

# Wireshark filter for exfiltration over HTTPS (the full URI is only visible on plaintext HTTP; on TLS the SNI is the observable field)
http.request.full_uri contains ".onion" or tls.handshake.extensions_server_name contains "rhysida"

# Suspicious PowerShell command execution
powershell.exe -EncodedCommand [Base64EncodedPayload]

Detection Rules and Forensic Artifacts

The following Sigma rules and forensic indicators can be used to detect Rhysida-related activity observed in the Port of Seattle data breach:

Sigma Rule – Suspicious PowerShell and LOLBins Usage

title: PowerShell EncodedCommand Execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: powershell.exe
    CommandLine|contains: "-EncodedCommand"
  condition: selection
level: high
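
The Sigma rule above only states the match; the value for an analyst comes from what the encoded argument decodes to. The following added example (written for this post, not code from the incident report or from any vendor) evaluates the rule's `endswith` and `contains` modifiers over constructed process-creation events, decodes the `-EncodedCommand` argument (PowerShell expects base64 of UTF-16LE text, and also accepts the abbreviations `-enc`, `-ec` and `-e`, which the page's rule alone would miss), and flags decoded content that points at the T1562.001 Defender-exclusion behaviour listed above. The event fields, keyword list and sample command lines are assumptions for the demonstration.

```python
import base64
import re

# Sigma selection from the rule above, expressed as "field|modifier": value
SIGMA_SELECTION = {
    "Image|endswith": "powershell.exe",
    "CommandLine|contains": "-EncodedCommand",
}

# Keywords that, once decoded, point at Defender exclusions (T1562.001) or download-and-run stagers (assumed list)
SUSPICIOUS_DECODED = ("set-mppreference", "add-mppreference", "-exclusionpath",
                      "invoke-expression", "downloadstring")

# PowerShell accepts abbreviated forms of -EncodedCommand; capture the base64 argument that follows
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_ps(script: str) -> str:
    """PowerShell expects the -EncodedCommand argument as base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def sigma_selection_matches(event: dict, selection: dict = SIGMA_SELECTION) -> bool:
    """Evaluate the Sigma 'endswith' and 'contains' modifiers; Sigma string matching is case-insensitive."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, "")).lower()
        exp = expected.lower()
        if modifier == "endswith" and not value.endswith(exp):
            return False
        if modifier == "contains" and exp not in value:
            return False
        if modifier == "" and value != exp:
            return False
    return True


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None if there is no valid encoded argument."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(events):
    """Apply the Sigma selection, then enrich each hit with the decoded payload and keyword flags."""
    hits = []
    for ev in events:
        if not sigma_selection_matches(ev):
            continue
        decoded = decode_encoded_command(ev["CommandLine"])
        lowered = decoded.lower() if decoded else ""
        flags = [k for k in SUSPICIOUS_DECODED if k in lowered]
        hits.append({"CommandLine": ev["CommandLine"], "decoded": decoded, "flags": flags})
    return hits


# Constructed sample process-creation events (not telemetry from the incident)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand "
                    + encode_ps('Set-MpPreference -ExclusionPath "C:\\Users\\Public"')},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo -EncodedCommand"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the first event survives the selection (the second has no encoded argument, the third is not PowerShell), and its decoded payload carries both exclusion keywords. In production the decoded text, not the raw command line, is what should feed the alert, since the base64 blob itself tells the responder nothing.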

YARA Rule – Rhysida Payload Detection

rule RhysidaRansomware
{
  meta:
    description = "Detects Rhysida ransomware payload"
    author = "Security Team"
  strings:
    $a1 = "RHYSIDA" ascii
    $a2 = { 59 4F 55 52 20 46 49 4C 45 53 } // "YOUR FILES"
  condition:
    all of them
}
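
A hex string in a YARA rule is easy to get wrong by one byte, and a wrong byte silently makes the rule never fire. The following added example (written for this post, not the page's rule or YARA's own engine) implements just enough of YARA's matching to check the two strings above over constructed buffers: it converts a hex string (with `??` wildcards) into a bytes regex, evaluates `all of them` versus `any of them`, and exposes the literal bytes so the hex can be compared against the comment beside it. The sample buffers are constructed, not ransom notes from the incident.

```python
import re


def hex_pattern_to_regex(hex_string: str) -> bytes:
    """Translate a YARA hex string such as "{ 59 4F ?? 52 }" into a bytes regex; '??' is a wildcard byte."""
    tokens = hex_string.strip().strip("{}").split()
    parts = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)


def hex_pattern_to_bytes(hex_string: str) -> bytes:
    """Literal bytes of a wildcard-free hex string, for checking that the comment matches the bytes."""
    return bytes(int(tok, 16) for tok in hex_string.strip().strip("{}").split())


# The two strings from the rule above: a plain ascii string and the hex form of "YOUR FILES".
# re.DOTALL makes a wildcard byte also match 0x0A, as YARA does.
RULE_STRINGS = {
    "$a1": re.compile(re.escape(b"RHYSIDA")),
    "$a2": re.compile(hex_pattern_to_regex("{ 59 4F 55 52 20 46 49 4C 45 53 }"), re.DOTALL),
}


def match_rule(data: bytes, strings=RULE_STRINGS, condition: str = "all"):
    """Return (rule_hit, per-string results) for an 'all of them' or 'any of them' condition."""
    matched = {name: rx.search(data) is not None for name, rx in strings.items()}
    hit = all(matched.values()) if condition == "all" else any(matched.values())
    return hit, matched


# Constructed sample buffers (not artifacts from the incident)
RANSOM_NOTE = b"\x00\x01RHYSIDA\r\nYOUR FILES have been encrypted\x00"
BENIGN_DOC = b"Quarterly report: YOUR FILES are stored on the shared drive."

if __name__ == "__main__":
    print(hex_pattern_to_bytes("{ 59 4F 55 52 20 46 49 4C 45 53 }"))
    print(match_rule(RANSOM_NOTE))
    print(match_rule(BENIGN_DOC))
```

The benign document shows why the rule's `all of them` condition matters: "YOUR FILES" on its own is ordinary English and would be a noisy single-string match. A second point to take from the helper is that `hex_pattern_to_bytes` is the check to run whenever a hex string carries a comment claiming what it spells.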

Forensic Evidence

  • Registry Keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\*
  • Scheduled Tasks: schtasks /query /fo LIST | findstr /i rhysida
  • Persistence Mechanism: Base64-encoded scripts in C:\Users\Public\ directories
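
The three artifacts above are usually collected as text (a `schtasks` dump and an export of the Run key) rather than queried live, so a small parser that flags the persistence patterns described here is a practical triage aid. The following added example (written for this post, not the page's own tooling) parses the LIST output of `schtasks`, assuming the `/v` switch so that the `Task To Run` field is present, and applies the same flagging to Run-key values: encoded PowerShell, and anything launched from `C:\Users\Public`. The sample output and registry values are constructed.

```python
import re

# Encoded PowerShell in any of its accepted spellings, followed by a base64-looking argument
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?.*\s-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{8,}", re.IGNORECASE)
# Scripts or binaries launched from the world-writable Public profile
PUBLIC_DIR = re.compile(r"C:\\Users\\Public\\", re.IGNORECASE)


def flag_command(cmd: str):
    """Reasons a persistence command line deserves a closer look; empty list if none."""
    reasons = []
    if ENCODED_PS.search(cmd):
        reasons.append("encoded PowerShell")
    if PUBLIC_DIR.search(cmd):
        reasons.append("runs from C:\\Users\\Public")
    return reasons


def parse_schtasks_list(text: str):
    """Parse 'schtasks /query /v /fo LIST' output: records separated by blank lines, 'Key:  value' per line."""
    tasks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        tasks.append(current)
    return tasks


def suspicious_tasks(text: str):
    """(TaskName, reasons) for every task whose 'Task To Run' trips a flag."""
    out = []
    for task in parse_schtasks_list(text):
        reasons = flag_command(task.get("Task To Run", ""))
        if reasons:
            out.append((task.get("TaskName", "?"), reasons))
    return out


def suspicious_run_values(run_values: dict):
    """Same flagging applied to value-name -> command pairs exported from a Run key."""
    return {name: flag_command(cmd) for name, cmd in run_values.items() if flag_command(cmd)}


# Constructed sample output (field layout follows schtasks /v /fo LIST; contents are invented)
SAMPLE_SCHTASKS = """\
HostName:                             WS01
TaskName:                             \\Microsoft\\Windows\\Defrag\\ScheduledDefrag
Status:                               Ready
Author:                               Microsoft Corporation
Task To Run:                          %windir%\\system32\\defrag.exe -c -h -o -$

HostName:                             WS01
TaskName:                             \\Updater
Status:                               Ready
Author:                               WS01\\user
Task To Run:                          powershell.exe -w hidden -enc QQBCAEMARABFAEYARwBIAA==

HostName:                             WS01
TaskName:                             \\SyncHelper
Status:                               Ready
Author:                               WS01\\user
Task To Run:                          wscript.exe C:\\Users\\Public\\sync.vbs
"""

# Constructed Run-key export: value name -> command
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "WinUpdate": r"powershell.exe -nop -w hidden -e QQBCAEMARABFAEYARwBIAA==",
}

if __name__ == "__main__":
    print(suspicious_tasks(SAMPLE_SCHTASKS))
    print(suspicious_run_values(SAMPLE_RUN_VALUES))
```

The parser splits on the first colon of each line, which is safe because the field names themselves contain none; values such as `Next Run Time` keep their own colons intact. Export the Run key with `reg export` or a script of your choice and feed the value pairs to `suspicious_run_values` the same way.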

Mitigation Recommendations and Hardening Steps

To prevent similar incidents, security teams are advised to implement the following measures:

Active Directory and Credential Hardening

  • Enforce MFA for all VPN and RDP access
  • Audit dormant accounts and disable or remove unused credentials
  • Implement strict lockout policies to deter brute-force attacks

Endpoint and Network Controls

  • Deploy advanced EDR solutions with behavioral analytics
  • Restrict PowerShell execution using GPO: Computer Configuration > Policies > Windows Components > Windows PowerShell > Turn on Script Execution
  • Monitor lateral movement via Sysmon Event ID 3 (Network Connection)
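
Sysmon Event ID 3 on its own produces one record per connection, so "monitor lateral movement" in practice means looking for a single host fanning out to many internal peers on administrative ports within a short window. The following added example (written for this post, not code from the page or from Sysmon) implements that fan-out check over constructed Event ID 3 records: connections from one source and user to at least three distinct internal hosts on RPC, SMB, RDP or WinRM ports within ten minutes raise one alert. The internal ranges, port list, threshold and window are assumptions to tune to your own address plan and baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Ports that remote administration, and therefore lateral movement, typically rides on
ADMIN_PORTS = {135, 445, 3389, 5985, 5986}
# RFC 1918 ranges stand in for "internal"; adjust to the real address plan
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_sysmon_time(s: str) -> datetime:
    """Sysmon UtcTime format, e.g. '2024-08-24 02:15:01.123'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect_fanout(events, threshold=3, window=timedelta(minutes=10)):
    """Alert when one (SourceIp, User) reaches `threshold` distinct internal hosts on admin ports inside `window`."""
    by_source = defaultdict(list)
    for ev in events:
        port = int(ev["DestinationPort"])
        if port not in ADMIN_PORTS or not is_internal(ev["DestinationIp"]):
            continue
        if ev["DestinationIp"] == ev["SourceIp"]:
            continue
        by_source[(ev["SourceIp"], ev["User"])].append(
            (parse_sysmon_time(ev["UtcTime"]), ev["DestinationIp"], port))

    alerts = []
    for (src, user), conns in by_source.items():
        conns.sort()  # sliding window over time-ordered connections
        for i, (t0, _, _) in enumerate(conns):
            in_window = [c for c in conns[i:] if c[0] - t0 <= window]
            targets = {c[1] for c in in_window}
            if len(targets) >= threshold:
                alerts.append({"source": src, "user": user, "first_seen": t0.isoformat(sep=" "),
                               "targets": sorted(targets), "ports": sorted({c[2] for c in in_window})})
                break  # one alert per source/user is enough
    return alerts


def ev(t, src, dst, port, user, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"):
    """Build a record with the Event ID 3 fields the detector uses (constructed, not real telemetry)."""
    return {"UtcTime": t, "SourceIp": src, "DestinationIp": dst,
            "DestinationPort": str(port), "User": user, "Image": image}


SAMPLE_CONNECTIONS = [
    ev("2024-08-24 02:10:05.001", "10.0.1.20", "10.0.2.5", 445, "CORP\\jdoe"),
    ev("2024-08-24 02:11:12.250", "10.0.1.20", "10.0.2.6", 445, "CORP\\jdoe"),
    ev("2024-08-24 02:13:40.900", "10.0.1.20", "10.0.2.7", 3389, "CORP\\jdoe"),
    ev("2024-08-24 02:14:02.111", "10.0.1.20", "10.0.2.8", 5985, "CORP\\jdoe"),
    ev("2024-08-24 03:30:00.000", "10.0.1.20", "10.0.2.9", 445, "CORP\\jdoe"),     # outside the window
    ev("2024-08-24 02:10:00.000", "10.0.1.31", "10.0.5.10", 445, "CORP\\asmith"),
    ev("2024-08-24 02:12:00.000", "10.0.1.31", "10.0.5.10", 445, "CORP\\asmith"),
    ev("2024-08-24 02:15:00.000", "10.0.1.31", "10.0.5.10", 445, "CORP\\asmith"),  # one file server, no fan-out
    ev("2024-08-24 02:16:00.000", "10.0.1.42", "203.0.113.7", 445, "CORP\\bob",
       image=r"C:\Program Files\App\app.exe"),                                      # external, ignored
]

if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_CONNECTIONS):
        print(alert)
```

Repeated connections to one file server from the second workstation do not alert, which is the point of counting distinct targets rather than connections. Administrative jump hosts and vulnerability scanners will trip this logic legitimately; allowlist them by source address or user rather than raising the threshold for everyone.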

Patch and Legacy System Management

  • Segment and monitor legacy systems; restrict access to essential personnel only
  • Apply virtual patching through WAF or endpoint isolation tools
  • Maintain a hardened gold image baseline for critical systems

Conclusion

The August 2024 cyber attack on the Port of Seattle underscores the vulnerabilities present in aging infrastructure and the need for proactive threat detection and response. As ransomware actors increasingly target public sector and transportation domains, defenders must prioritize segmentation, real-time monitoring, and post-exploitation activity analysis. For additional guidance on enhancing your organization’s defensive posture, refer to our related posts on server hardening, threat detection, and zero-day incident response.
