Qilin Ransomware Group Claims Attack on Malaysia Airports Holdings

Summary

This advisory analyzes the cyber incident identified at Malaysia Airports Holdings Berhad (MAHB) that impacted operations at Kuala Lumpur International Airport (KLIA) in late March 2025. Findings as of April 28, 2025, indicate that the Qilin ransomware group claimed responsibility for the attack, alleging that it stole nearly 2TB of data without encrypting it, and that it has been leaking samples of the stolen information to compel MAHB to pay a ransom. Since MAHB has not met the alleged ransom demands, the group is now seeking buyers for the data.

Figure 1. Joint Statement provided by MAHB and NACSA about cyber incident on March 25, 2025

Observation and Analysis

On March 25, a joint statement from Malaysia’s National Cyber Security Agency (NACSA) and Malaysia Airports Holdings Berhad (MAHB) confirmed that a cyber incident targeting computer systems at Kuala Lumpur International Airport (KLIA) was detected on March 23, 2025. Authorities assured the public that airport operations remained unaffected while investigations were ongoing. On the same day, Prime Minister Datuk Seri Anwar Ibrahim publicly disclosed that the attackers had demanded a USD10 million ransom, which the Malaysian government firmly refused to pay.

Separately, former Member of Parliament Wee Choo Keong commented on social media about the operational disruption at Kuala Lumpur International Airport (KLIA) on March 23, 2025. He reported that the airport experienced a system outage affecting KLIA1 and KLIA2 for more than 10 hours. The disruption impacted critical services, including flight information displays, check-in counters, and baggage handling systems, forcing the airport to switch to manual operations such as using whiteboards for flight updates. Wee also noted that the network infrastructure at KLIA had previously been upgraded in 2020, and that system restoration efforts continued into the following day.

Since the initial reports on the incident from Malaysia Airports Holdings Berhad (MAHB) and the National Cyber Security Agency (NACSA), no further updates have been issued by public agencies.

Figure 2. Former MP Wee Choo Keong's comments on Twitter about the incident

Qilin claimed responsibility for the attack

On April 28, the Qilin ransomware group surfaced to claim responsibility for the attack, alleging that they exfiltrated over 2TB of sensitive data. The group provided screenshots purportedly showing ongoing negotiations with the victim, along with scanned identification documents, internal security forms, security layouts, internal emails, airport blueprints, internal reports, and personal data belonging to employees and passengers. Although Qilin claimed to have already leaked the stolen data, as of now, no leaked data has been publicly released.

Figure 3. Excerpt of Qilin's post about the attack.

Extortion and Pressure

Analysis of the negotiation chats leaked by Qilin indicates that the group demanded ransom payments, initially referencing an amount of USD10 million, later reducing their demands during prolonged discussions. Negotiations reportedly began on March 23, 2025, and continued until April 25, 2025, when the company ultimately refused to meet the ransom demands.

During the early stages of the negotiations, Qilin also sent threatening emails directly to MAHB employees in an attempt to escalate pressure and create internal disruption. The company's latest offer to the ransomware group reached USD 1.4 million, which Qilin rejected.

The group provided partial samples of the stolen data, including internal documents, employee information, airport security layouts, and infrastructure blueprints, to demonstrate the severity of the breach. Throughout the communications, Qilin warned of serious consequences, including public data exposure and potential operational disruptions if no agreement was reached. In addition to the negotiation chats, Qilin released a detailed description of the leak, emphasizing the threat to the safety and functionality of airport infrastructure. The group further linked the breach to broader geopolitical risks, suggesting that the leaked data could be exploited by malicious actors. These actions indicate the use of extensive extortion tactics, applying pressure on a high-profile target while simultaneously attempting to shame the victim for engaging in negotiations.

Figure 4. Negotiation chats exposed.

On April 29, Qilin updated its post on its data leak site (DLS) to state that it had not encrypted any data and had only exfiltrated it, so as not to disrupt flight operations; according to the group, the impact was limited to landside airport operations, specifically the flight information and baggage handling systems. Since its ransom demands were not met, Qilin is now seeking buyers for the data, a tactic intended to further pressure MAHB into paying.

Analysis of Leaked Samples and Potential Impacts

The 30 compromised data samples leaked by the Qilin ransomware group include a wide range of sensitive materials related to Malaysia Airports Holdings Berhad (MAHB). The following table summarizes the analysis of leaked samples and their potential impacts:

Sample Type | Associated Risks
Employee PII | Identity theft, phishing, insider risk
IT access forms of airport employees | Phishing, impersonation
Airport operations monitoring applications | Aviation disruption, safety risk
Confidential procurement and financial documents | Commercial harm, loss of investor confidence, business risk
Airport blueprints | National security threat
Internal emails | Governance and reputational damage
Identity documents (IDs, passports, driving licenses) | Physical security threats, identity fraud
Access to an employee's private Gmail account, including emails exchanged with MAHB business email accounts and business-sensitive documents shared via private email | Business risk, social engineering
Historical flight status monitoring data | National security threat
Medical records | Data privacy violations, legal exposure
Salary and benefits data | Labor relations issues, employee dissatisfaction
Marriage and civil records | Personal privacy violation, identity exploitation
ATC radar display panel access | Critical aviation operational risk
Advanced Surface Movement Guidance and Control System (A-SMGCS) access | Operations and national security risk

Figure 5. Samples of data stolen.

Conclusion

The Qilin ransomware group engaged in extensive extortion tactics, including ransom demands, employee harassment, and public threats, while negotiations reportedly lasted from March 23 to late April 2025. The data samples analyzed, which span airport and flight operations systems, building blueprints, employee personal data, financial forecasts, and sensitive internal communications, point to significant gaps whose exploitation could have cascading effects on aviation safety, national security, and public trust. The incident also illustrates the difficulty organizations face in balancing incident response, negotiation pressure, and public transparency.

Assessment of the Actor & Information

Considering previous confirmed incidents involving Qilin and correlating the timeline between the initial public statements regarding the incident and the negotiations reflected in the leaked chat logs, we assess the reliability of Qilin as B - Usually reliable.

Based on our overall analysis of the threat actor's claims and the acknowledgment by the Malaysian company of a cybersecurity incident impacting its infrastructure, we assess the credibility of the threat actor's claims as 2 - Probably true.

"Assessment of the source/threat actor & information" - NATO's Admiralty Code

This section contains our researchers' and analysts' assessment based on NATO's Admiralty Code rating system. The system gives our researchers a standard method to assess the reliability of the source or threat actor/group covered in a cybercrime advisory, and the credibility of the actor's claims or of information derived from our sources.

The following table is referenced by researchers while assigning the ratings:

Reliability of Source/Threat Actor | Credibility of Information/Threat Actor's claims
A - Completely reliable | 1 - Confirmed by other sources
B - Usually reliable | 2 - Probably true
C - Fairly reliable | 3 - Possibly true
D - Not usually reliable | 4 - Doubtful
E - Unreliable | 5 - Improbable
F - Reliability cannot be judged | 6 - Truth cannot be judged

The above assessment ratings are assigned based on the parameters described by NATO's Admiralty Code rating system, as follows:

"Reliability of Source/Threat Actor"

A - Completely reliable: No doubt of authenticity, trustworthiness, or competency; has a history of complete reliability

B - Usually reliable: Minor doubt about authenticity, trustworthiness, or competency; has a history of valid information/claim most of the time

C - Fairly reliable: Doubt of authenticity, trustworthiness, or competency but has provided valid information/claim in the past

D - Not usually reliable: Significant doubt about authenticity, trustworthiness, or competency but has provided valid information/claim in the past

E - Unreliable: Lacking in authenticity, trustworthiness, and competency; history of invalid information/claim

F - Reliability cannot be judged: No basis exists for evaluating the reliability of the source/actor

"Credibility of information/Threat Actor's claims"

1 - Confirmed by other sources: Confirmed by other independent sources; logical in itself; Consistent with other information/claim on the subject

2 - Probably True: Not confirmed; logical in itself; consistent with other information/claim on the subject

3 - Possibly True: Not confirmed; reasonably logical in itself; agrees with some other information/claim on the subject

4 - Doubtful: Not confirmed; possible but not logical; no other information/claim on the subject

5 - Improbable: Not confirmed; not logical in itself; contradicted by other information/claim on the subject

6 - Truth cannot be judged: No basis exists for evaluating the validity of the information/claim

Written by FPT Metrodata Indonesia