Ryanair Sun B738 near Minsk on May 23rd 2021, Greece calls diversion states hijack

Last Update: July 20, 2022 / 12:54:35 GMT/Zulu time

Incident Facts

Date of incident
May 23, 2021

Classification
Incident

Flight number
FR-4978

Aircraft Registration
SP-RSM

Aircraft Type
Boeing 737-800

ICAO Type Designator
B738

On Jul 20th 2022 ICAO released their final fact finding report. It essentially reports that, according to the Swiss Authorities, who investigated the account at ProtonMail (based in Switzerland) from which the e-mails were sent, 6 e-mails were sent from that account in total. Between 09:25Z and 09:34Z 5 e-mails were sent to Vilnius, Athens, Sofia, Bucharest and Kiev Airports, however no e-mail and no information had gone out of Belarus. Belarus received their first e-mail only at 09:56Z, after the aircraft had already been informed about the bomb threat and had already initiated the descent towards Minsk. None of the e-mails to Vilnius, Athens, Sofia, Bucharest or Kiev was accessed/read until the next day. Belarus Authorities provided a screenshot, without the mail headers, of the mail claimed to have been received by Minsk Airport at 09:25Z. It is identical to the screenshot of the later mail received at 09:56Z, the latter screenshot however also showing the mail header. The report thus points out that the authenticity of the screenshot of the mail claimed to have been received by Minsk Airport at 09:25Z can not be established.

The report concludes (and points out missing information):

5.1. As stated in paragraph 3.1 e) of its Terms of Reference, the FFIT was expected to “identify pieces of information potentially missing and that would be necessary to complete the investigation”. As indicated in paragraph 1.5 above, some specific information, including critical information indicated in the Analysis section of this report as highlighted below, was requested but not made available to the Team. Considering the above, the Team’s conclusions below are based exclusively on the information availed to it as of the time of this report.

5.2. According to the authorities of Belarus, a first email was received at 09:25 UTC (12:25 local) followed by a second email at 09:56:45 UTC (12:56:45 local), both containing identical information about the bomb threat. On the other hand, information obtained from Switzerland through the authorities of Lithuania shows that only the second email was sent to Minsk Airport at 09:56:45 UTC (12:56:45 local). The FFIT was not able to verify that the first email was effectively received at 09:25 UTC (12:25 local) as the authorities of Belarus did not provide logs of the email server airport.by nor the email files containing the threat messages saved in their original format including their metadata, citing their erasure in accordance with their data retention policy. The receipt of the first email is crucial to explain the basis for the communication of the bomb threat by Minsk ACC to the flight crew, which occurred at 09:30:49 UTC (12:30:49 local). In the absence of the first email, it could be presumed that the information about the bomb threat would have been obtained by the authorities of Belarus by other means, which the FFIT could not establish. If the first email was in fact received at Minsk Airport, the diversion of the flight to Minsk Airport could be considered to be a tenable option in view of the circumstances.

5.3. The FFIT could not corroborate the information provided by the authorities of Belarus regarding the transmission by phone of the contents of the threat email from airport personnel to Minsk ACC personnel leading to the notification of the threat to RYR 1TZ. As cellular phone records of the personnel involved documenting the time and duration of the calls and person or entity contacted were not made available, those statements could not be supported by evidence.

5.4. As neither a bomb nor evidence of its existence was found during pre-departure screening in Athens Greece and after various searches of the aircraft in Belarus and Lithuania, it is considered that the bomb threat was deliberately false. Knowingly communicating false information which endangers the safety of an aircraft in flight is an offence under Article 1 (1) (e) of the Montréal Convention.

5.5. Prior to the issuance of the report in January 2022, the FFIT was neither able to meet with, nor interview the Minsk ACC controller who was assigned to the RYR 1TZ flight. The authorities of Belarus informed the Team that this individual did not report for duty after his summer leave and that they had no information on his whereabouts and no way to contact him. Subsequently, with the assistance of the authorities of the United States, the FFIT gained access to interview the controller whose testimony materially contradicts the information and materials provided by the authorities of Belarus about the events of 23 May 2021 including with regard to the email as the origin of the bomb threat information, and reflects the involvement of an unidentified individual who had been given access to the Minsk ACC.

5.6. The authorities of Belarus did not provide the FFIT information demonstrating that attempts were made to contact the Operator (RYR or RYS) for the purposes of meeting the obligations contained in Annex 11, 2.24.3 and Belarus ATM Aviation Regulations, 15.12.9. to exchange information with the operator or its designated representative.

5.7. Communications were not established between the flight crew and the OCC during the flight when such communications would have been necessary in line with the operator's procedures. Had such communications between the flight crew and the OCC been established it would have impacted the course of events.

5.8. Video recordings from cameras located adjacent to aircraft parking stand 1 and inside the terminal which could have shown certain significant activities regarding the processing of passengers from the point of disembarkation and in the terminal building were not provided to the FFIT. Although short extracts of the said video recordings had been used in a documentary type video that was shared with the Team, the authorities of Belarus explained that not all recordings were available due to the length of time that had elapsed since the event. The FFIT was not provided with a satisfactory rationale to explain why records had not been preserved considering that criminal and other investigations in respect of the event had been initiated by the authorities of Belarus and had not been completed.

5.9. Inter flight-crew coordination conversations that led to their decision to divert to Minsk Airport could not be fully confirmed since the CVR circuit breaker was not pulled after landing in Minsk. As a result, the full flight-crew conversations, prior to the period when the aircraft was on short final to Minsk Airport, were not preserved.

5.10. From the evidence provided by Belarus, no escort or intercept occurred between the MIG-29 and RYR 1TZ and no communications by the MIG-29 was recorded on the radio channels used by RYR 1TZ. According to information provided by the flight crew and cabin crew, there was no communication, interaction, visual sighting or other knowledge of military aircraft involvement with the flight.

5.11. Some of the States connected to the event have issued formal requests to other States for information and assistance in connection with criminal and other investigations into the event. Such investigations could assist in establishing any missing facts relating to the event. In this regard, States and entities that have received such formal requests should be encouraged to respond as appropriate.

With respect to the receipt of the e-mail containing the bomb threat the ICAO writes:

2.2.1. According to the Department of Aviation of Belarus, on the 23 May 2021 at 09:25:16 (12:25:16 local) an email was received in the generic mailbox info@airport.by, a screenshot of which is reproduced in Appendix H.

2.2.2. The email contained the following text: “We, Hamas soldiers, demand that Israel cease fire in the Gaza Strip. We demand that the European Union abandon its support for Israel in this war. We know that the participants of Delphi Economic Forum are returning home on May 23 via flight FR4978. A bomb was planted onto this aircraft. If you don’t meet our demands the bomb will explode on May 23 over Vilnius. Allahu Akbar.”

2.2.3. The SearchInform Data Loss Prevention (DLP) Software used at Minsk Airport detected and flagged the email as containing text communicating a potential threat to civil aviation. The automated detection is based on a pre-established list of keywords in several languages, including English, and triggers alerts on the computers of the Cybersecurity and Information Technology Division, in charge of the administration and oversight of the IT network of the Minsk Airport. The threat email written in English included words which are in the pre-established list of keywords.

2.2.4. Interviews revealed that emails received in the generic mailbox info@airport.by are processed by the secretarial staff in the Airport General Manager’s office during working hours on weekdays. IT Security Officers do not review the content of the emails received on the 150 email addresses (personnel and generic) in service at the airport, unless an alert is triggered by the SearchInform DLP Software, such as the alert in question. The head of the systems administration group of the Cybersecurity Unit stated that he was remotely logged into the server on his computer while on duty at home and discovered in real time the popup alert regarding this email, received on the mailbox info@airport.by. His shift started at 06:00 UTC (09:00 local). The FFIT was informed that the head of the system administration group of the Cybersecurity Unit does not speak English but can understand it.

2.2.5. The bomb threat email indicated it was sent by “Hamas soldiers”. The text refers to the Israeli operation in the Gaza Strip following the outbreak of violence that commenced on 10 May 2021 and demanded a ceasefire and that the European Union abandon its support for Israel in the war. The May 23 flight FR4978 to Vilnius is specifically identified as carrying participants of the 2021 Delphi Economic Forum, as well as a bomb to be detonated over Vilnius if the demands are not met. Media reports indicate that the ceasefire between Israel and Hamas came into effect on 21 May 2021, two days prior to the event. The Delphi Economic Forum took place in Athens from 10 to 15 May 2021. It is reported that at least one of the passengers participated in the Forum.

2.2.6. According to the Deputy General Director for Security, Discipline and Personnel, he was contacted by telephone at 09:27 (12:27 local) by the head of the system administration group of the Cybersecurity Unit and informed about the bomb threat email. Subsequently, the Deputy General Director for Security, Discipline and Personnel passed the information at 09:28 (12:28 local) by telephone to the Minsk Air Traffic Control Centre, as an aircraft was involved. The Deputy General Director for Security, Discipline and Personnel stated that the information he relayed to the Minsk Air Traffic Control Centre was limited to the threat itself, namely that there was an explosive device on board the aircraft on flight FR4978, on the route Athens-Vilnius, which would be detonated over Vilnius.

2.2.7. According to the Department of Aviation of Belarus, the SearchInform DLP Software detected an identical email at 09:56 (12:56 local) in the generic mailbox info@airport.by, as Ryanair Flight FR4978 had already started its descent to Minsk. A screenshot of the email is reproduced in Appendix H.

2.2.8. At about 12:00 (15:00 local) the same day, the head of the system administration group of the Cybersecurity Unit sent a copy of the threat email to the mailbox of the air navigation services provider, Belaeronavigatsia, as instructed by the Head of the Cybersecurity Unit, his immediate supervisor. The statements of the different stakeholders do not indicate that the email had been shared with any other entities before 12:00 UTC (15:00 local).

2.2.9. The Ministry of Transport and Communications of Lithuania informed the FFIT that an email was delivered at 9:25:16 UTC (12:25:16 local) on 23 May 2021 to the generic email address info@ltou.lt of the State Enterprise Lithuanian Airports as shown in the screenshot in Appendix H. This threat email was only discovered the next morning, Monday 24 May 2021, during business hours, and was forwarded to the Lithuanian Police for investigation.

2.2.10. With respect to the account from which the bomb threat email was sent, the Lithuanian authorities provided to ICAO information obtained from the Switzerland authorities, Switzerland being the State where the headquarters of the email service provider are established, through a mutual legal assistance mechanism between both States, showing that:

a) the account was created on 14 May 2021 at 15:32:01 UTC from Internet Protocol (IP) address 193.189.100.195; (Editorial note: This IP address belongs to a Swedish ISP)
b) the account was last accessed on 25 May 2021 at 8:39:42 UTC;
c) the authentication logs for the account were not activated;
d) no physical address or identity information was registered or linked to the account;
e) the account is free, therefore no payment information was recorded;
f) the content of the emails and the mailbox are fully encrypted, thus they cannot be viewed;
g) the contacts, notes and images are also fully encrypted, thus they cannot be viewed; and
h) no instant messaging information was recorded.

2.2.11. The information provided by the Lithuanian authorities also indicated that a total of six emails were sent separately from the account, respectively at 9:25 UTC (12:25 local) to Lithuanian Airports, at 09:26 UTC (12:26 local) to Athens Airport, 09:27 UTC (12:27 local) to Sofia International Airport, 09:28 UTC (12:28 local) to Bucharest International Airport, 09:34 UTC (12:34 local) to Kiev Airport and finally 09:56 UTC (12:56 local) to Minsk International Airport. All six airports are located on or near the planned route of the flight FR4978. Two of the six emails were not delivered, namely to the addresses respectively of Athens and Kiev Airports. Apart from the six emails, no record exists of any other email having been sent from this account.

2.2.12. Four emails were sent separately to Vilnius, Athens, Sofia, and Bucharest airports in a period of less than three minutes, while FR4978 was flying over the airspace of Ukraine and immediately prior to entering the airspace of Belarus. The first of these emails was sent at 09:25:12, about two hours after the take-off from Athens, five minutes before crossing the common L’viv/Minsk FIR boundary into Belarus. The fifth email was sent to Kiev Airport at 09:34:32, 4 minutes and 30 seconds after FR4978 had left the airspace of Ukraine. The last email was sent 22 minutes later, at 09:56:45 (12:56:45 local) to Minsk Airport at which point FR4978 had already initiated its descent to that airport. An illustration of the relative timings is at Appendix H.

2.2.13. Both the Directorate General Civil Aviation Administration (DGCAA) of the Republic of Bulgaria and the Romanian Civil Aeronautical Authority (RCAA) confirmed to the FFIT that bomb threat emails against Flight FR4978 sent from the same email account were received by their respective airports on 23 May 2021.

2.2.14. In the case of Bulgaria, the email was read on 25 May at 09:30 local by the Public Relations and Corporate Communications Department of SOF Connect AD, the operator of Sofia International Airport, which administers the email address: comment@sof-connect.com. The mailbox, used for alerts, complaints, recommendations, comments and questions from the public, is only checked on working days. According to the time stamp on the printout provided by the Bulgaria DGCAA, the email was received on 23 May 2021 at 12:27 local (09:27 UTC).

2.2.15. On 26 May 2021, following an information request from the Polish Civil Aviation Security Directorate, the RCAA requested all civil airports and the air navigation services provider Romatsa to report if any threat regarding flight FR4978 had been received by their services. On 8 June 2021, Bucharest Airports National Company informed RCAA that additional checks related to the flight FR4978 established that on 23 May 2021 at 12:28 local (9:28 UTC) a message sent from the same email account was received at the email address: contact@bucharestairports.ro.

2.2.16. The screenshots of the emails, available at Appendix H, received in Sofia International Airport and Bucharest Airports National Company reveal that the text of the emails is identical to the messages delivered at Vilnius and Minsk airports. The time stamps of these two emails are consistent with the information obtained from Switzerland through the Lithuanian authorities.

2.2.17. The nature and content of the emails respectively sent to Athens and Kyiv Airports have not been confirmed as these were not delivered.
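
As an added illustration (not part of the ICAO report or the original article), the sketch below shows the kind of check paragraph 5.2 says could not be made without the original message files: reading the Received chain of a preserved message and comparing the recipient server's timestamp with a claimed receipt time. The message, host names and addresses are constructed placeholders; only the two claimed times are taken from the text above.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: hosts, addresses and IDs are placeholders,
# not data from the ICAO report.
RAW_EML = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id CONSTRUCTED2;
\tSun, 23 May 2021 12:56:47 +0300
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id CONSTRUCTED1;
\tSun, 23 May 2021 09:56:46 +0000
Date: Sun, 23 May 2021 09:56:45 +0000
From: sender@sender.example
To: info@recipient.example
Subject: constructed sample
Message-ID: <constructed-1@sender.example>

body omitted
"""

def received_hops(raw):
    """Return the Received-hop timestamps in UTC, oldest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        # RFC 5321: each hop's timestamp follows the last ';' in the header.
        stamp = value.rsplit(";", 1)[-1].strip()
        try:
            hops.append(parsedate_to_datetime(stamp).astimezone(timezone.utc))
        except (TypeError, ValueError):
            continue  # unparseable hop: ignore rather than guess
    return hops[::-1]  # each server prepends its header, so reverse

def check_claim(raw, claimed_utc, tolerance=timedelta(minutes=2)):
    """Compare a claimed receipt time with the last (recipient-side) hop."""
    hops = received_hops(raw)
    if not hops:
        return "unverifiable"  # e.g. a screenshot or a copy without headers
    if any(b < a for a, b in zip(hops, hops[1:])):
        return "inconsistent"  # hop times run backwards: needs explaining
    return "consistent" if abs(hops[-1] - claimed_utc) <= tolerance else "contradicted"

if __name__ == "__main__":
    for hh, mm, ss in [(9, 56, 45), (9, 25, 16)]:
        claim = datetime(2021, 5, 23, hh, mm, ss, tzinfo=timezone.utc)
        print(claim.time(), check_claim(RAW_EML, claim))
```

Headers in a file held by one party are only as reliable as that party, which is why the report asked for the mail server logs as well as the original message files.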

This article is published under license from Avherald.com. © of text by Avherald.com.