Created Tuesday, Jan 18th 2022 20:59Z, last updated Tuesday, Jan 18th 2022 20:59Z
On Jan 18th 2022 ICAO released their fact finding report to its member states, however, the report was not published. The Aviation Herald was able to obtain a copy and produces a short summary:
When FR-4978 was enroute in Ukrainian Airspace about 5 minutes before crossing into Belarus Airspace, e-mails were received by Minsk Airport at 09:25Z (?, see analysis below!) with the text: "We, Hamas soldiers, demand that Israel cease fire in the Gaza Strip. We demand that the European Union abandon its support for Israel in this war. We know that the participants of Delphi Economic Forum are returning home on May 23 via flight FR4978. A bomb was planted onto this aircraft. If you don’t meet our demands the bomb will explode on May 23 over Vilnius. Allahu Akbar.", however, the report does not show or quote the entire header of the mail. Seconds later an e-mail with the same text was received by the Airport operator of Lithuania. A minute later Athens Airport and another minute later Sofia Airport received mails with the same text. Lithuanian Authorities obtained details about the sending account from Switzerland, which identified a total of 6 mails were sent from that account however two were not delivered (no other activity from creation of the account on May 14th 2021 until it was no longer accessed after May 25th 2021, no personal data were provided, no payment was needed or done, the registering IP address was noted).
After receiving the mail Belarus Authorities reacted, the information was handed up the chain until Minsk Airtraffic Control Center was informed at 09:28Z.
Minsk instructed Lviv ATC to hand Ryanair over to them at frequency 120.575 (a frequency which is only used for radio performance tests, the reason for this request was not determined). After the aircraft contacted Minsk the controller identified the aircraft and stated to the aircraft: "... we have information from special services that you have bomb on board. The bomb can be activated over Vilnius." and added: "... for security reasons, we recommend you land at Uniform Mike Mike Sierra".
The report states:
RYR 1TZ requests clarification on where the bomb threat message came from. The controller advised RYR 1TZ that “airport security staff... informed they received email” and when further queried by the flight crew whether this was Vilnius airport security staff or from Greece, the controller responds with “...this email was shared to …several airports”.
It could not be established how the controller knew that emails had been shared with several airports.
The crew requests to contact their operations via radio frequency. The crew had already attempted to contact their operations provider to Vilnius airport to no avail. 5 Minutes later the crew queries whether there is any information from their operations. The controller asks the crew to standby, he's still waiting for information.
The crew queries where the recommendation to divert to Minsk came from, the controller responded it was their recommendation.
The crew requested the code of the threat, the controller states: "they advise the code was red", in response the crew decided to hold at the present position, which was approved by the controller.
15 minutes after being informed of the threat by Minsk ATC at 09:57Z the crew decided to divert to Minsk, declared emergency and selected their transponder to emergency code.
The report states:
In the period between 10:01 and 12:17 there were at least 12 calls made by the RYS and RYR OCCs trying to establish communication with the authorities in Minsk to get more detailed information on the security threat that led to RYR 1TZ diverting to the Minsk Airport. For example, a copy of the threat email was requested on numerous calls and it was not provided.
At 10:04 the crew queries again whether their company has been informed, the controller responds: "we will try to pass information to your company during 5 minutes".
The report states further:
10:10 According to Litcargus Ramp Shift Leader, Litcargus (the ground handling service provider at Vilnius Airport) tries to contact Minsk ATC by telephone (3 attempts until 10:13).
The report continues:
10:17:51 After being instructed to follow the “Follow Me” vehicle, RYR 1TZ requests confirmation that Ryanair Operations has been informed about the incident. The Ground controller responds, “Yes, affirmative”, at which point RYR 1TZ asks “Did you have a message from them to us? The controller replies that they “did still not have additional message”.
There is no evidence that RYR was informed about the event or either of the emergency phases, at this time.
10:25 Litcargus Ramp shift Leader contacts Minsk Airport dispatch service by telephone, however, no information could be made available.
10:26:24 RYR 1TZ requests again from the Ground controller if any message has been received from its company. Minsk Ground Control advises that they had not.
10:29:18 RYR 1TZ again raises the issue of communications with the company, and the Ground controller responds with “If you ask me about your company representative, I don’t have any information about him.”
The report states describing events in the cabin:
The PIC made a Passengers Announcement (PA) informing the passengers of a diversion to Minsk due to security issues. As the crew was preparing the cabin for landing, immediately after the PA, one of the passengers, stood up and shouted to one of the cabin crew that he could not land in Minsk as “I'm wanted there, they'll kill me”. The CSS, informed about the incident by the cabin crew, attempted to reassure the panic-stricken passenger. The CSS then reported the situation to the flight deck; it was about 10 minutes before landing. There is a convergence in the statements of the crew that the passenger was not considered unruly or disruptive.
A MIG-29 was dispatched however was still 55km away from the Ryanair Aircraft when the Boeing landed. The MIG aborted the mission and returned to base.
Hold and carry on luggage of both crew and passengers were screened at the airport, the aircraft was refueled and the passenger re-embarked. The report annotates:
Once boarding of passengers was completed, cabin crew conduct a headcount of passengers and establish that five passengers are missing. No explanation was provided to the Ryanair crew by the Minsk Airport ground staff.
The report analyses:
The bomb threat emails were received by four airports. Information obtained from Switzerland through the Lithuanian authorities shows that only one email was sent to Minsk Airport (info@airport.by) at 09:56:45 (12:56:45 local). Although Belarus showed the FFIT a copy of an email received at 09:25 UTC (12:25 local) in the Minsk Airport (info@airport.by) mailbox, the information obtained from Switzerland through the Lithuanian authorities did not show that such an email had been sent to the Minsk Airport (info@airport.by) mailbox.
The FFIT was not provided with saved electronic copies of the emails received at info@airport.by in their original format, as, according to the Department of Cybersecurity and Information Technology of Minsk National Airport, messages on the said email address are only stored for seven days, after which they are automatically overwritten. The FFIT was provided an image (screenshot) of an email, thus the metadata was not reviewable.
The report further analyses amongst other:
- in the contexts of the totality of the information available in the bomb threat email and the need to attend to the anticipated needs of the aircraft, including the provision of relevant details, information provided to the flight crew was incomplete, of varying degrees of clarity and only volunteered over an extended period of transmissions and numerous pilot inquiries. That the bomb threat had been communicated via email was only provided subsequent to the recommendation for diversion to Minsk Airport. Pertinent information included in the bomb threat email was not passed on to the flight crew such as that specific reference to the flight number FR4978 had been made, the time of receipt of the message, the identified organization/sender, and the reasons for placement of a bomb on board that specific flight. This, together with the use of phrases lacking in specificity, such as “security services” and “security reasons” added to the challenge brought upon the flight crew to determine the appropriate course of action in an efficient and effective manner;
- the flight crew was informed that the bomb threat message was received via email, however, the relative times of email arrival and its discovery were not provided to the crew;
- while the rationale for recommending diversion to Minsk Airport was exclusively stated to be “security reasons”, the reasons were not volunteered nor was the specific entity who had made this recommendation identified. The flight crew was not informed that the bomb threat was assessed as credible nor the basis for this assessment; and according to interviews during the investigation, that the assessment was made singularly by the Minsk ACC Duty Supervisor, after consultation with senior air traffic control staff only, and that no external consultation had been carried out;
- both the flight crew and subsequently Vilnius ACC were advised by Minsk ACC that the bomb threat email was sent to several airports. The fact that emails were sent to different airports was found to be correct. However, the FFIT could not establish how the information about the sharing of the email with other airports came to the knowledge of the area surveillance controller or Minsk ACC Duty Supervisor;
- although at several times, the flight crew requested information from various controllers on whether the company had been informed of the situation and if any message had been received from them, only limited information was provided to the flight crew on efforts and progress to contact the company. At 10:17 UTC, in response to another request of the flight crew to the ground controller for confirmation that the company had been informed about the incident, the controller responded, “Yes, affirmative”. There was no confirmation availed to the FFIT that the company had been informed of the event by the Belarus authorities. RYR provided the transcripts of calls made by the RYS and RYR OCCs in the period between 10:01 UTC and 12:17 UTC trying to establish communication with the authorities in Minsk to get more detailed information on the security threat that led to RYR 1TZ diverting to Minsk Airport. A copy of the threat email was requested on numerous calls and it was not provided;
The report states the Ryanair crew remained within their standard operating procedures and requirements at all times.
The CVR recordings of the incident flight were lost as continuation of the flight with the circuit breaker pulled was prohibited and the CVR had not been secured/read out at Minsk.
The report states:
When an occurrence of unlawful interference with an aircraft takes place or is suspected, ATS units shall, in accordance with locally agreed procedures, immediately inform the appropriate authority designated by the State and exchange necessary information with the operator or its designated representative (Annex 11, 2.24.3). In this context, and in accordance with Annex 12, 4.1.1, each RCC shall have readily available at all times, up-to-date information concerning addresses and telephone numbers of all operators, or their designated representatives, engaged in operations in its search and rescue region.
- Belarus ATM Aviation Regulations require that the operator or the operator’s authorized representative, be informed by the air traffic control authority upon receiving information from other sources about the threat of an explosive device being placed on board an aircraft.
- No evidence was provided by the Minsk ACC or Belarus RCC of any attempt to contact the Operator. The flight plan contained a telephone number for direct contact with the RYR OCC, albeit its inclusion was not based on any ICAO provision. However, there is evidence in telephone recordings and transcripts that the RYR OCC tried, on multiple occasions, to get information on the diverted aircraft to no avail until hours after the aircraft landed at Minsk Airport.
The report states: "As neither a bomb nor evidence of its existence was found during pre-departure screening in Athens, Greece and after various searches of the aircraft in Belarus and Lithuania it is considered that the bomb threat was deliberately false."
The report concludes (quoted in its entirety):
5.1. As stated in paragraph 3.1 e) of its Terms of Reference, the FFIT was expected to “identify pieces of information potentially missing and that would be necessary to complete the investigation”. As indicated in paragraph 1.5 above, some specific information, including critical information indicated in the Analysis section of this report as highlighted below, was requested but not made available to the Team. Considering the above, the Team’s conclusions below are based exclusively on the information availed to it as of the time of this report.
5.2. According to the authorities of Belarus, a first email was received at 09:25 UTC (12:25 local) followed by a second email at 09:56:45 UTC (12:56:45 local), both containing identical information about the bomb threat. On the other hand, information obtained from Switzerland through the authorities of Lithuania shows that only the second email was sent to Minsk Airport at 09:56:45 UTC (12:56:45 local). The FFIT was not able to verify that the first email was effectively received at 09:25 UTC (12:25 local) as the authorities of Belarus did not provide logs of the email server airport.by nor the email files containing the threat messages saved in their original format including their metadata, citing their erasure in accordance with their data retention policy. The receipt of the first email is crucial to explain the basis for the communication of the bomb threat by Minsk ACC to the flight crew, which occurred at 09:30:49 UTC (12:30:49 local). In the absence of the first email, it could be presumed that the information about the bomb threat would have been obtained by the authorities of Belarus by other means, which the FFIT could not establish. If the first email was in fact received at Minsk Airport, the diversion of the flight to Minsk Airport could be considered to be a tenable option in view of the circumstances.
5.3. The FFIT could not corroborate the information provided by the authorities of Belarus regarding the transmission by phone of the contents of the threat email from airport personnel to Minsk ACC personnel leading to the notification of the threat to RYR 1TZ. As cellular phone records of the personnel involved documenting the time and duration of the calls and person or entity contacted were not made available, those statements could not be supported by evidence.
5.4. As neither a bomb nor evidence of its existence was found during pre-departure screening in Athens Greece and after various searches of the aircraft in Belarus and Lithuania, it is considered that the bomb threat was deliberately false. Knowingly communicating false information which endangers the safety of an aircraft in flight is an offence under Article 1 (1) (e) of the Montréal Convention. The Team was unable to attribute the commission of this act of unlawful interference to any individual or State.
5.5. The FFIT was neither able to meet with, nor interview the Minsk ACC controller who was assigned to the RYR 1TZ flight. The authorities of Belarus informed the Team that this individual did not report for duty after his summer leave and that they had no information on his whereabouts and no way to contact him.
5.6. The authorities of Belarus did not provide the FFIT information demonstrating that attempts were made to contact the Operator (RYR or RYS) for the purposes of meeting the obligations contained in Annex 11, 2.24.3 and Belarus ATM Aviation Regulations, 15.12.9. to exchange information with the operator or its designated representative.
5.7. Communications could not be established between the flight crew and the OCC during the flight when such communications would have been necessary in line with the operator's procedures. Had such communications between the flight crew and the OCC been established it would have impacted the course of events.
5.8. Video recordings from cameras located adjacent to aircraft parking stand 1 and inside the terminal which could have shown certain significant activities regarding the processing of passengers from the point of disembarkation and in the terminal building were not provided to the FFIT. Although short extracts of the said video recordings had been used in a documentary type video that was shared with the Team, the authorities of Belarus explained that not all recordings were available due to the length of time that had elapsed since the event. The FFIT was not provided with a satisfactory rationale to explain why records had not been preserved considering that criminal and other investigations in respect of the event had been initiated by the authorities of Belarus and had not been completed.
5.9. Inter flight-crew coordination conversations that led to their decision to divert to Minsk Airport could not be fully confirmed since the CVR circuit breaker was not pulled after landing in Minsk. As a result, the full flight-crew conversations, prior to the period when the aircraft was on short final to Minsk Airport, were not preserved.
5.10. From the evidence provided by Belarus, no escort or intercept occurred between the MIG-29 and RYR 1TZ and no communications by the MIG-29 was recorded on the radio channels used by RYR 1TZ. According to information provided by the flight crew and cabin crew, there was no communication, interaction, visual sighting or other knowledge of military aircraft involvement with the flight.
5.11. Some of the States connected to the event have issued formal requests to other States for information and assistance in connection with criminal and other investigations into the event. Such investigations could assist in establishing any missing facts relating to the event. In this regard, States and entities that have received such formal requests should be encouraged to respond as appropriate.
