The Qilin ransomware gang has claimed responsibility for a cyberattack on Tulsa International Airport (TUL) in Oklahoma, marking the aviation sector’s first reported ransomware incident of 2026. The Russian-speaking group posted 18 sample documents to its dark web leak site, including financial records, employee identification, and executive communications.
Incident overview
| Attribute | Details |
|---|---|
| Victim | Tulsa International Airport (TUL) |
| Location | Tulsa, Oklahoma, USA |
| Threat actor | Qilin ransomware gang |
| Discovery date | January 30, 2026 |
| Attack type | Ransomware / Data extortion |
| Operations impact | None reported |
| Passenger security | Not compromised (per airport) |
| Data samples leaked | 18 documents |
Timeline
| Date | Event |
|---|---|
| Unknown | Initial compromise (suspected weeks prior) |
| January 30, 2026 | Qilin lists Tulsa Airport on leak site |
| January 31, 2026 | Airport confirms cyberattack |
| February 1, 2026 | Sample documents analyzed by researchers |
| Ongoing | Investigation continues |
Data leaked
Executive communications
| Document type | Contents |
|---|---|
| CFO emails | Contact details, correspondence with banking officials |
| Executive correspondence | High-level financial discussions |
| Banking communications | Relationship details with financial institutions |
Employee data
| Document type | Risk |
|---|---|
| Employee ID copies | Identity theft, physical access fraud |
| Personnel records | Social engineering enablement |
| Contact information | Targeted phishing |
Financial documents
| Document type | Sensitivity |
|---|---|
| Yearly budget spreadsheets | Operational insight |
| Revenue spreadsheets | Financial intelligence |
| Vendor revenue sheets | Third-party relationships |
| Insurance files | Coverage details |
Legal and governance
| Document type | Contents |
|---|---|
| Confidentiality agreements | NDA terms |
| Non-disclosure agreements | Partner relationships |
| Court case files | Legal proceedings |
| Governance minutes | Board decisions |
Operational data
| Document type | Risk |
|---|---|
| Tenant databases | Business relationships |
| Telehealth reports | Health information |
| Operational records | Internal processes |
Airport response
Tulsa International Airport officials confirmed the attack but provided limited details:
“The attack has not compromised airport operations or passenger security.”
— Airport spokesperson
What the airport has confirmed
| Statement | Status |
|---|---|
| Cyberattack occurred | Confirmed |
| Operations unaffected | Confirmed |
| Passenger security intact | Confirmed |
| Full breach scope | Not disclosed |
| Ransom demand | Not disclosed |
| Payment status | Not disclosed |
What remains unknown
| Question | Status |
|---|---|
| Initial access vector | Under investigation |
| Dwell time | Unknown |
| Systems affected | Not disclosed |
| Total data exfiltrated | Unknown |
| Ransom amount demanded | Not disclosed |
Expert analysis
Cybersecurity expert Tyler Moore commented on the attack's credibility:
“These gangs… they need to be credible, that is why they post this information, and 99 times out of 100 at least, it is in fact” legitimate. “They will have compromised this data and then they will look for the stuff that is the most likely to get a response from the victim to pay a ransom.”
About Qilin ransomware
Group profile
| Attribute | Details |
|---|---|
| First observed | July 2022 |
| Language | Golang |
| Model | Ransomware-as-a-Service (RaaS) |
| Tactics | Double extortion |
| Origin | Russian-speaking |
2025-2026 activity
| Metric | Value |
|---|---|
| 2025 victims | 1,000+ organizations |
| January 2026 victims | ~48 organizations |
| 2026 pace | 55+ victims by mid-January |
| Projected 2026 | On track to exceed 2025 |
Target sectors
| Sector | Notable victims |
|---|---|
| Healthcare | Covenant Health (478K patients), UK NHS provider |
| Aviation | Tulsa International Airport |
| Government | Multiple municipalities |
| Education | Various institutions |
| Manufacturing | Industrial targets |
Qilin notably does not self-restrict from targeting healthcare, critical infrastructure, or public services—making it one of the more reckless ransomware operations.
Aviation sector context
Critical infrastructure targeting
| Factor | Risk level |
|---|---|
| Operational disruption potential | High |
| Public safety implications | Significant |
| National security concerns | Present |
| Regulatory scrutiny | Intense |
Previous aviation incidents
| Target | Year | Impact |
|---|---|---|
| San Francisco International (attempt) | 2020 | Contained |
| European airports (various) | 2022-2023 | Data theft |
| Tulsa International | 2026 | Data exfiltration confirmed |
The Tulsa attack marks the first confirmed aviation ransomware incident of 2026.
Tulsa International Airport profile
| Attribute | Details |
|---|---|
| IATA code | TUL |
| Type | Multi-use (civilian and military) |
| Annual passengers | ~3 million |
| Location | Tulsa, Oklahoma |
| Operator | Tulsa Airports Improvement Trust |
The airport’s dual civilian-military role potentially increases the sensitivity of any compromised data.
Potential regulatory implications
FAA and TSA considerations
| Regulation | Potential applicability |
|---|---|
| TSA cybersecurity directives | Airport systems requirements |
| FAA regulations | Aviation safety systems |
| CISA guidance | Critical infrastructure |
Reporting requirements
| Requirement | Timeline |
|---|---|
| CISA incident reporting | 72 hours (critical infrastructure) |
| State breach notification | Varies by affected individuals |
| TSA notification | As applicable |
Recommendations
For airport operators
| Priority | Action |
|---|---|
| Critical | Segment IT from operational technology |
| Critical | Implement offline backup for critical systems |
| High | Deploy EDR across all endpoints |
| High | Restrict internet access for sensitive systems |
| Medium | Conduct tabletop exercises for ransomware |
For affected individuals
| If your data may be exposed | Action |
|---|---|
| Airport employees | Monitor for identity theft, phishing |
| Vendors/partners | Review communications for fraud |
| Executives | Enhanced vigilance for BEC attacks |
For aviation sector
| Priority | Action |
|---|---|
| High | Review Qilin TTPs and IOCs |
| High | Audit vendor access and connections |
| Medium | Share threat intelligence via ISACs |
| Ongoing | Monitor leak sites for industry targeting |
Context
The Tulsa International Airport attack demonstrates that no sector is off-limits for ransomware groups like Qilin. While airport officials emphasize that operations and passenger security were not affected, the exfiltration of executive communications, financial documents, and employee data creates significant risks:
- Business email compromise: Attackers can use executive email patterns for future fraud
- Vendor targeting: Leaked relationships enable supply chain attacks
- Employee targeting: ID copies and contact details enable identity theft and phishing
- Competitive intelligence: Financial and operational data is valuable to adversaries
The aviation sector should expect continued targeting given the high-value data airports maintain and the pressure critical infrastructure operators face to restore operations quickly.
Qilin’s January 2026 pace—approximately 48 victims in the first month alone—indicates the group’s operations are accelerating, not slowing. Organizations should ensure defenses are prepared for increasingly aggressive ransomware campaigns.