News & resources

Special Report - Insider Threat

Back to blog

Downing of Russia's Metrojet aircraft in Egypt highlights challenges in tackling 'Insider Threat' in aviation sector



On 31 October, a Russian Metrojet passenger plane (Flight 9268) crashed in the Sinai desert, killing all 224 passengers and crew on board. The Airbus A321 plane took off from Sharm el-Sheikh airport at 05:58 local time and disappeared from radar screens six minutes later. There were no distress signals sent by the plane nor received by air traffic controllers.

Speculation mounted over the cause of the crash, and finally on 17 November Russian investigators acknowledged that it was an act of terror. Prior to this, American and British authorities strongly speculated that the crash was terrorist related, with a local affiliate of Islamic State of Iraq and Syria (ISIS or IS) named as the prime suspect.

A US official said that American intelligence agencies had evidence that an IS suspect had planted an improvised explosive device (IED) on the plane. They came to this tentative conclusion based on intercepted IS communications. Additionally, a US military satellite reportedly detected a 'heat flash' over the Sinai at the time of the crash. British investigators added that someone, who had access to the aircraft's baggage compartment, inserted an IED on top of or inside a passenger's luggage.

Russian news outlet Kommersant, citing an anonymous source, reported that the IED was planted under a passenger seat in the rear of the plane. US Congressman Peter King said that there was no one on the passenger manifest with connections to terrorism, adding further credibility to the insider threat scenario. As of 17 November, Egyptian authorities detained two suspects employed at Sharm el-Sheikh airport in connection with the bombing.

Although IS Sinai offshoot, Wilaya Sayna (Sinai Province), immediately claimed responsibility for the attack, until further investigation and analysis of Metrojet's flight data recorder and cockpit voice recorder are made by the authorities, corroboration and a definitive conclusion on the cause are unlikely going to be made. However, with the admission that the plane was downed due to a terrorist attack and one potentially borne from an insider threat, anxiety levels across the aviation and supply chain sectors, as well as within the travelling community, are likely to be raised.

Recent IS planned attacks point to the organisation's tactical nous, resolve, capability and intent to exploit security loopholes at Sharm el-Sheikh, and there is an inescapable possibility that they will be actively targeting other air hubs and/or aviation companies. This relatively small regional airport had measures and policies in place to mitigate the terror threat, and ironically, a British inspection team vetted and allegedly cleared the airport just weeks before the crash.

The downing of the Russian airliner was just one of a series involving IS or its affiliates, and the following incidents highlight their threat to the aviation sector.

Attempts and incidents against the aviation sector

  • On 4 August, Iraqi authorities arrested Mohammed Humad Khlefani, his son and a security officer at Baghdad International Airport. According to reports, the security officer provided Khlefani access to the airport with the intention of sabotaging any Iraqi Airways aircraft scheduled to fly to the norther city of Erbil.
  • On 24 August, police revealed that Boko Haram, the West African IS affiliate, sent a 14-year-old boy to Nnamdi Azikiwe International Airport in Abuja, Nigeria to carry out hostile surveillance activity for the organisation. The Department of State Service later announced that Boko Haram had planned to attack the airport with IED's.
  • On 10 May, and Australian IS member, Neil Prakash (nom de guerre: Abu Khaled al-Cambodi) claimed on Twitter that IED's had been planted on separate Etihad (FL EY650), Turkish (IST1305) and Lufthansa (1305) flights that originated from Abu Dhabi. Each passenger jet was diverted and later discovered to have no bombs on board.
  • On 14 January, an alleged IS affiliated cyber group hacked a Facebook page of Air Koryo, a North Korean airline, and posted a message denigrating North Korean president Kim Jong-Un.

A perpetual threat and countermeasures are under strain

IS and its affiliates have demonstrated their threat to the aviation sector on numerous occasions, and the possibility of insider threat add another layer of complexity and uncertainty.

Propagandising this attack and others has become routine tradecraft, amplifying anxieties across the industry and sending a sobering reminder to the traveller. Governments have responded by implementing more robust security measures, which is a tacit acknowledgement of the vulnerability existing in the current systems. Airport and aviation operators are likely to insist upon further measures to guarantee safety and monitoring the insider threats, which present the Achilles heel at their locations.

Screening and vetting procedures of airport and aviation staff are fairly routine and mainly take place during the pre-employment stages. However, they are only as effective as their frequency and enforcement in application. Workplace surveys and personnel psychological evaluations are just some of the programmes to assist in reducing any potential risks. These programmes can provide useful information, and they should be considered as an element in any organisation's risk management or threat prevention programme.