Ryanair Sun B738 near Minsk on May 23rd 2021, Greece calls diversion states hijack
Last Update: July 20, 2022 / 12:54:35 GMT/Zulu time
The report concludes (and points out missing information):
5.1. As stated in paragraph 3.1 e) of its Terms of Reference, the FFIT was expected to “identify pieces of information potentially missing and that would be necessary to complete the investigation”. As indicated in paragraph 1.5 above, some specific information, including critical information indicated in the Analysis section of this report as highlighted below, was requested but not made available to the Team. Considering the above, the Team’s conclusions below are based exclusively on the information availed to it as of the time of this report.
5.2. According to the authorities of Belarus, a first email was received at 09:25 UTC (12:25 local) followed by a second email at 09:56:45 UTC (12:56:45 local), both containing identical information about the bomb threat. On the other hand, information obtained from Switzerland through the authorities of Lithuania shows that only the second email was sent to Minsk Airport at 09:56:45 UTC (12:56:45 local). The FFIT was not able to verify that the first email was effectively received at 09:25 UTC (12:25 local) as the authorities of Belarus did not provide logs of the email server airport.by nor the email files containing the threat messages saved in their original format including their metadata, citing their erasure in accordance with their data retention policy. The receipt of the first email is crucial to explain the basis for the communication of the bomb threat by Minsk ACC to the flight crew, which occurred at 09:30:49 UTC (12:30:49 local). In the absence of the first email, it could be presumed that the information about the bomb threat would have been obtained by the authorities of Belarus by other means, which the FFIT could not establish. If the first email was in fact received at Minsk Airport, the diversion of the flight to Minsk Airport could be considered to be a tenable option in view of the circumstances.
5.3. The FFIT could not corroborate the information provided by the authorities of Belarus regarding the transmission by phone of the contents of the threat email from airport personnel to Minsk ACC personnel leading to the notification of the threat to RYR 1TZ. As cellular phone records of the personnel involved documenting the time and duration of the calls and person or entity contacted were not made available, those statements could not be supported by evidence.
5.4. As neither a bomb nor evidence of its existence was found during pre-departure screening in Athens Greece and after various searches of the aircraft in Belarus and Lithuania, it is considered that the bomb threat was deliberately false. Knowingly communicating false information which endangers the safety of an aircraft in flight is an offence under Article 1 (1) (e) of the Montréal Convention.
5.5. Prior to the issuance of the report in January 2022, the FFIT was neither able to meet with, nor interview the Minsk ACC controller who was assigned to the RYR 1TZ flight. The authorities of Belarus informed the Team that this individual did not report for duty after his summer leave and that they had no information on his whereabouts and no way to contact him. Subsequently, with the assistance of the authorities of the United States, the FFIT gained access to interview the controller whose testimony materially contradicts the information and materials provided by the authorities of Belarus about the events of 23 May 2021 including with regard to the email as the origin of the bomb threat information, and reflects the involvement of an unidentified individual who had been given access to the Minsk ACC.
5.6. The authorities of Belarus did not provide the FFIT information demonstrating that attempts were made to contact the Operator (RYR or RYS) for the purposes of meeting the obligations contained in Annex 11, 2.24.3 and Belarus ATM Aviation Regulations, 15.12.9. to exchange information with the operator or its designated representative.
5.7. Communications were not established between the flight crew and the OCC during the flight when such communications would have been necessary in line with the operator's procedures. Had such communications between the flight crew and the OCC been established it would have impacted the course of events.
5.8. Video recordings from cameras located adjacent to aircraft parking stand 1 and inside the terminal which could have shown certain significant activities regarding the processing of passengers from the point of disembarkation and in the terminal building were not provided to the FFIT. Although short extracts of the said video recordings had been used in a documentary type video that was shared with the Team, the authorities of Belarus explained that not all recordings were available due to the length of time that had elapsed since the event. The FFIT was not provided with a satisfactory rationale to explain why records had not been preserved considering that criminal and other investigations in respect of the event had been initiated by the authorities of Belarus and had not been completed.
5.9. Inter flight-crew coordination conversations that led to their decision to divert to Minsk Airport could not be fully confirmed since the CVR circuit breaker was not pulled after landing in Minsk. As a result, the full flight-crew conversations, prior to the period when the aircraft was on short final to Minsk Airport, were not preserved.
5.10. From the evidence provided by Belarus, no escort or intercept occurred between the MIG-29 and RYR 1TZ and no communications by the MIG-29 was recorded on the radio channels used by RYR 1TZ. According to information provided by the flight crew and cabin crew, there was no communication, interaction, visual sighting or other knowledge of military aircraft involvement with the flight.
5.11. Some of the States connected to the event have issued formal requests to other States for information and assistance in connection with criminal and other investigations into the event. Such investigations could assist in establishing any missing facts relating to the event. In this regard, States and entities that have received such formal requests should be encouraged to respond as appropriate.
With respect to the receipt of the e-mail containing the bomb threat the ICAO writes:
2.2.1. According to the Department of Aviation of Belarus, on the 23 May 2021 at 09:25:16 (12:25:16 local) an email was received in the generic mailbox firstname.lastname@example.org, a screenshot of which is reproduced in Appendix H.
2.2.2. The email contained the following text: “We, Hamas soldiers, demand that Israel cease fire in the Gaza Strip. We demand that the European Union abandon its support for Israel in this war. We know that the participants of Delphi Economic Forum are returning home on May 23 via flight FR4978. A bomb was planted onto this aircraft. If you don’t meet our demands the bomb will explode on May 23 over Vilnius. Allahu Akbar.”
2.2.3. The SearchInform Data Loss Prevention (DLP) Software used at Minsk Airport detected and flagged the email as containing text communicating a potential threat to civil aviation. The automated detection is based on a pre-established list of keywords in several languages, including English, and triggers alerts on the computers of the Cybersecurity and Information Technology Division, in charge of the administration and oversight of the IT network of the Minsk Airport. The threat email written in English included words which are in the pre-established list of keywords.
2.2.4. Interviews revealed that emails received in the generic mailbox email@example.com are processed by the secretarial staff in the Airport General Manager’s office during working hours on weekdays. IT Security Officers do not review the content of the emails received on the 150 email addresses (personnel and generic) in service at the airport, unless an alert is triggered by the SearchInform DLP Software, such as the alert in question. The head of the systems administration group of the Cybersecurity Unit stated that he was remotely logged into the server on his computer while on duty at home and discovered in real time the popup alert regarding this email, received on the mailbox firstname.lastname@example.org. His shift started at 06:00 UTC (09:00 local). The FFIT was informed that the head of the system administration group of the Cybersecurity Unit does not speak English but can understand it.
2.2.5. The bomb threat email indicated it was sent by “Hamas soldiers”. The text refers to the Israeli operation in the Gaza Strip following the outbreak of violence that commenced on 10 May 2021 and demanded a ceasefire and that the European Union abandon its support for Israel in the war. The May 23 flight FR4978 to Vilnius is specifically identified as carrying participants of the 2021 Delphi Economic Forum, as well as a bomb to be detonated over Vilnius if the demands are not met. Media reports indicate that the ceasefire between Israel and Hamas came into effect on 21 May 2021, two days prior to the event. The Delphi Economic Forum took place in Athens from 10 to 15 May 2021. It is reported that at least one of the passengers participated in the Forum.
2.2.6. According to the Deputy General Director for Security, Discipline and Personnel, he was contacted by telephone at 09:27 (12:27 local) by the head of the system administration group of the Cybersecurity Unit and informed about the bomb threat email. Subsequently, the Deputy General Director for Security, Discipline and Personnel passed the information at 09:28 (12:28 local) by telephone to the Minsk Air Traffic Control Centre, as an aircraft was involved. The Deputy General Director for Security, Discipline and Personnel stated that the information he relayed to the Minsk Air Traffic Control Centre was limited to the threat itself, namely that there was an explosive device on board the aircraft on flight FR4978, on the route Athens-Vilnius, which would be detonated over Vilnius.
2.2.7. According to the Department of Aviation of Belarus, the SearchInform DLP Software detected an identical email at 09:56 (12:56 local) in the generic mailbox email@example.com, as Ryanair Flight FR4978 had already started its descent to Minsk. A screenshot of the email is reproduced in Appendix H.
2.2.8. At about 12:00 (15:00 local) the same day, the head of the system administration group of the Cybersecurity Unit sent a copy of the threat email to the mailbox of the air navigation services provider, Belaeronavigatsia, as instructed by the Head of the Cybersecurity Unit, his immediate supervisor. The statements of the different stakeholders do not indicate that the email had been shared with any other entities before 12:00 UTC (15:00 local).
2.2.9. The Ministry of Transport and Communications of Lithuania informed the FFIT that an email was delivered at 9:25:16 UTC (12:25:16 local) on 23 May 2021 to the generic email address firstname.lastname@example.org of the State Enterprise Lithuanian Airports as shown in the screenshot in Appendix H. This threat email was only discovered the next morning, Monday 24 May 2021, during business hours, and was forwarded to the Lithuanian Police for investigation.
2.2.10. With respect to the account from which the bomb threat email was sent, the Lithuanian authorities provided to ICAO information obtained from the Switzerland authorities, Switzerland being the State where the headquarters of the email service provider are established, through a mutual legal assistance mechanism between both States, showing that:
a) the account was created on 14 May 2021 at 15:32:01 UTC from Internet Protocol (IP) address 220.127.116.11; (Editorial note: This IP address belongs to a Swedish ISP)
b) the account was last accessed on 25 May 2021 at 8:39:42 UTC;
c) the authentication logs for the account were not activated;
d) no physical address or identity information was registered or linked to the account;
e) the account is free, therefore no payment information was recorded;
f) the content of the emails and the mailbox are fully encrypted, thus they cannot be viewed;
g) the contacts, notes and images are also fully encrypted, thus they cannot be viewed; and
h) no instant messaging information was recorded.
2.2.11. The information provided by the Lithuanian authorities also indicated that a total of six emails were sent separately from the account, respectively at 9:25 UTC (12:25 local) to Lithuanian Airports, at 09:26 UTC (12:26 local) to Athens Airport, 09:27 UTC (12:27 local) to Sofia International Airport, 09:28 UTC (12:28 local) to Bucharest International Airport, 09:34 UTC (12:34 local) to Kiev Airport and finally 09:56 UTC (12:56 local) to Minsk International Airport. All six airports are located on or near the planned route of the flight FR4978. Two of the six emails were not delivered, namely to the addresses respectively of Athens and Kiev Airports. Apart from the six emails, no record exists of any other email having been sent from this account.
2.2.12. Four emails were sent separately to Vilnius, Athens, Sofia, and Bucharest airports in a period of less than three minutes, while FR4978 was flying over the airspace of Ukraine and immediately prior to entering the airspace of Belarus. The first of these emails was sent at 09:25:12, about two hours after the take-off from Athens, five minutes before crossing the common L’viv/Minsk FIR boundary into Belarus. The fifth email was sent to Kiev Airport at 09:34:32, 4 minutes and 30 seconds after FR4978 had left the airspace of Ukraine. The last email was sent 22 minutes later, at 09:56:45 (12:56:45 local) to Minsk Airport at which point FR4978 had already initiated its descent to that airport. An illustration of the relative timings is at Appendix H.
2.2.13. Both the Directorate General Civil Aviation Administration (DGCAA) of the Republic of Bulgaria and the Romanian Civil Aeronautical Authority (RCAA) confirmed to the FFIT that bomb threat emails against Flight FR4978 sent from the same email account were received by their respective airports on 23 May 2021.
2.2.14. In the case of Bulgaria, the email was read on 25 May at 09:30 local by the Public Relations and Corporate Communications Department of SOF Connect AD, the operator of Sofia International Airport, which administers the email address: email@example.com. The mailbox, used for alerts, complaints, recommendations, comments and questions from the public, is only checked on working days. According to the time stamp on the printout provided by the Bulgaria DGCAA, the email was received on 23 May 2021 at 12:27 local (09:27 UTC).
2.2.15. On 26 May 2021, following an information request from the Polish Civil Aviation Security Directorate, the RCAA requested all civil airports and the air navigation services provider Romatsa to report if any threat regarding flight FR4978 had been received by their services. On 8 June 2021, Bucharest Airports National Company informed RCAA that additional checks related to the flight FR4978 established that on 23 May 2021 at 12:28 local (9:28 UTC) a message sent from the same email account was received at the email address: firstname.lastname@example.org.
2.2.16. The screenshots of the emails, available at Appendix H, received in Sofia International Airport and Bucharest Airports National Company reveal that the text of the emails is identical to the messages delivered at Vilnius and Minsk airports. The time stamps of these two emails are consistent with the information obtained from Switzerland through the Lithuanian authorities.
2.2.17. The nature and content of the emails respectively sent to Athens and Kyiv Airports have not been confirmed as these were not delivered.
This article is published under license from Avherald.com. © of text by Avherald.com.
Read unlimited articles and receive our daily update briefing. Gain better insights into what is happening in commercial aviation safety.
Support AeroInside by sending a small tip amount.
A Ryanair Sun Boeing 737-8 MAX, registration SP-RZE performing flight FR-2778 from Thessaloniki (Greece) to Krakow (Poland), was climbing out of…
A Ryanair Sun Boeing 737-800, registration SP-RSB performing flight FR-6869 from Cologne (Germany) to Katowice (Poland), had landed on Katowice's…
A Ryanair Sun Boeing 737-800, registration SP-RKK performing flight RR-5351/FR-5351 from Katowice (Poland) to Antalya (Turkey), was enroute at FL350…
A Ryanair Sun Boeing 737-800, registration SP-RSA performing flight FR-6864 from Krakow (Poland) to Palermo (Italy), was climbing out of Krakow's…
A United Boeing 777-200, registration N779UA performing flight UA-1888 from Chicago O'Hare,IL to Las Vegas,NV (USA) with 326 people on board, was…
Fedex B763 and Southwest B737 at Austin on Feb 4th 2023, loss of separation on runway resolved by go around
A Fedex Federal Express Boeing 767-300, registration N297FE performing flight FX-1432 from Memphis,TN to Austin,TX (USA), was on final for a CATIII…
Are you researching aviation incidents? Get access to AeroInside Insights, unlimited read access and receive the daily newsletter.Pick your plan and subscribe
A new way to document and demonstrate airworthiness compliance and aircraft value. Find out more.
ELITE Simulation Solutions is a leading global provider of Flight Simulation Training Devices, IFR training software as well as flight controls and related services. Find out more.
Never miss an article from AeroInside. Subscribe to our free weekly newsletter and join 5604 existing subscribers.
Popular aircraftAirbus A320
Boeing 737-800 MAX
Popular airlinesAmerican Airlines