Dark Web News Analysis
A threat actor has claimed unauthorized access to the internal network of Riyadh Airports Company (RAC), the operator of King Khalid International Airport (RUH). The claim, which surfaced in late November 2025, is accompanied by leaked video footage and screenshots that appear to show a live, web-based “Control Panel” for airport operations; the claim has not been confirmed by RAC or Saudi authorities.
Brinztech Analysis:
- Credibility Assessment: While currently unverified by official Saudi sources, the leak’s details are highly specific and align with known operational realities. The video reportedly shows Terminals 3 and 4, which were renovated and fully operationalized for international flights (Flynas, Qatar Airways) as of late 2022/2023.
- Targeted System: The interface described—featuring “Turnaround Management,” “Baggage Carousels,” and “3D Terminal Schematics”—closely matches the capabilities of modern Airport Management Platforms (AMP). RAC recently partnered with vendors like ADB SAFEGATE and Masterworks to deploy AI-driven apron and turnaround management systems. The compromised system likely belongs to this class of OT/IT convergence technology.
- Technical Indicators: The addresses visible in the leak (192.168.100.x) are RFC 1918 private space, so the panel is reachable only from inside the airport LAN or from a remote-access path into it; a compromised VPN account or an exposed remote desktop gateway is the usual route, although the claim itself does not say how access was obtained. Port 5084 is not a common HTTP port. Its IANA registration is for LLRP (EPCglobal Low Level Reader Protocol, the protocol RFID readers speak), which would fit a baggage-tag environment, but a web “Control Panel” on that port is more likely a vendor’s management interface for the baggage or building management system (BMS) listening on an unused port.
Key Cybersecurity Insights
This alleged breach represents a critical Cyber-Physical System (CPS) threat, moving beyond data theft to potential operational control.
- Operational Disruption Risk: Access to “Exit Gates” and “Baggage Carousels” is more than an information leak; it is a kinetic threat. An attacker with write access to the underlying controllers could halt baggage flows, lock or unlock secured doors, or disrupt passenger processing, causing large-scale delays. Whether the leaked panel grants write access or only a read-only view is not established by the claim.
- Strategic Intelligence Exposure: The “3D Terminal Schematics” and “Tag Reports” provide adversaries with a detailed blueprint of the airport’s security layout and passenger flows. This data is invaluable for physical surveillance or planning kinetic attacks.
- Airline Data Aggregation: The compromise of a central airport platform exposes data from every airline operating there (Flynas, Qatar Airways, and others). This highlights the supply chain risk airports pose to airlines: a single airport breach can expose turnaround, baggage and passenger-flow data for dozens of carriers at once.
- Regional Threat Context: This incident aligns with a surge in hacktivist and ransomware activity targeting Saudi infrastructure in 2025. Groups like “Shadow Cyber Unit” and “Cyber Unity” have previously targeted Saudi government entities, often motivated by regional geopolitical tensions.
Mitigation Strategies
In response to this credible claim, RAC and relevant aviation stakeholders must take immediate action:
- Emergency Network Isolation: Immediately isolate the Operational Technology (OT) network (baggage, gates, BMS) from the corporate IT network and the internet. Terminate all external VPN and remote desktop sessions and re-admit them only after the accounts and endpoints behind them have been verified.
- Forensic Audit of Port 5084: Specifically investigate traffic to port 5084 and the web server hosting the “Control Panel.” Preserve disk and memory images of that server before remediation, then review its access and application logs for logins from addresses outside the expected subnets or VPN pools, uploads of executable files (web shells) into web-served directories, and SQL injection patterns in request parameters.
- Force Credential Rotation: Invalidate all session tokens and force a password reset for all administrators and supervisors (“Manage Roles” users). Implement hardware-based Multi-Factor Authentication (MFA) for all remote access.
- Physical Security Sweep: Given the leak of schematics and gate controls, physical security teams should verify that no automated systems have been tampered with (e.g., gates stuck open or disabled alarms).
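As an added illustration of the forensic audit step above, the script below runs simple detection logic over a constructed access log for a web panel on port 5084. It is the editor’s example, not Brinztech’s tooling or anything from RAC or its vendors; the log layout, the role names, the VPN pool address 10.8.0.14 and the detection patterns are all assumptions. It flags the three things the audit bullet names (logins from outside the panel’s subnet, web shell drops, SQL injection patterns), adds a check for privileged accounts driven by a scripted client, and applies the RFC 1918 subnet reasoning from the Technical Indicators bullet.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# The two technical indicators in the leak: the panel's private subnet and its port.
PANEL_NET = ipaddress.ip_network("192.168.100.0/24")
PANEL_PORT = 5084

# Assumed access-log layout (not any real product's format):
#   client_ip dst_port "METHOD path HTTP/x.y" status "user-agent" username
LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<port>\d+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" (?P<user>\S+)$'
)

# Extensions that should never be served from an upload directory of a management panel.
SHELL_EXT = (".php", ".phtml", ".jsp", ".jspx", ".aspx", ".ashx")
# Coarse SQL-injection signatures, applied after URL decoding.
SQLI_RE = re.compile(r"('\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\s)", re.I)
# Role names assumed for the "Manage Roles" users referred to in the claim.
PRIVILEGED = {"admin", "supervisor"}

# Constructed sample log. 10.8.0.14 stands for an assumed VPN client pool address.
SAMPLE_LOG = """\
192.168.100.23 5084 "GET /panel/login HTTP/1.1" 200 "Mozilla/5.0" admin
192.168.100.23 5084 "POST /panel/login HTTP/1.1" 302 "Mozilla/5.0" admin
10.8.0.14 5084 "POST /panel/login HTTP/1.1" 302 "python-requests/2.31" supervisor
10.8.0.14 5084 "POST /panel/upload HTTP/1.1" 200 "python-requests/2.31" supervisor
10.8.0.14 5084 "GET /panel/uploads/shell.php?cmd=id HTTP/1.1" 200 "python-requests/2.31" supervisor
10.8.0.14 5084 "GET /panel/carousels?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 "python-requests/2.31" supervisor
192.168.100.41 5084 "GET /panel/gates HTTP/1.1" 200 "Mozilla/5.0" ops1
192.168.100.41 8443 "GET /other/app HTTP/1.1" 200 "Mozilla/5.0" ops1
"""


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src_ip"] = ipaddress.ip_address(rec["src"])
    except ValueError:
        return None
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text):
    """Return (finding, line) pairs for panel-port requests that warrant a human look."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["port"] != PANEL_PORT:
            continue
        path, _, query = rec["path"].partition("?")
        lowered = path.lower()
        # 1. Successful login from outside the panel's own subnet (VPN/RDP path into the LAN).
        if (rec["method"] == "POST" and lowered.endswith("/login")
                and rec["status"] in (200, 302) and rec["src_ip"] not in PANEL_NET):
            findings.append(("login_from_outside_panel_lan", line))
        # 2. Executable file served from an upload location: classic web-shell drop.
        if "/upload" in lowered and lowered.endswith(SHELL_EXT):
            findings.append(("possible_web_shell", line))
        # 3. SQL-injection pattern in the decoded query string.
        if SQLI_RE.search(unquote(query)):
            findings.append(("sqli_pattern", line))
        # 4. Privileged account driven by a scripted client rather than a browser.
        if rec["user"] in PRIVILEGED and not rec["ua"].startswith("Mozilla/"):
            findings.append(("privileged_user_scripted_client", line))
    return findings


def summarize(findings):
    """Count findings by type."""
    return dict(Counter(kind for kind, _ in findings))


def suspicious_sources(findings):
    """Distinct client addresses that produced at least one finding."""
    return sorted({parse(line)["src"] for _, line in findings})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for kind, line in hits:
        print(f"{kind:34} {line}")
    print(summarize(hits))
    print("sources:", suspicious_sources(hits))
```

On the sample log every finding traces back to the single VPN-pool address, which is the pattern an investigator would expect if the attacker came in through remote access as the Technical Indicators bullet suggests; on a real log the subnet constant, the privileged role names and the signatures would be replaced with the site’s own values, and the output is a triage list, not proof of compromise.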
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com