European Airports Disrupted by Advanced Ransomware Attack



Over the past weekend, Collins Aerospace suffered a significant ransomware attack that compromised its Muse check-in and boarding systems. This breach prompted major hubs, including Heathrow, Brussels, and Berlin airports, to revert to manual operational processes.

Airlines experienced widespread disruptions, with hundreds of flights delayed or canceled as security teams scrambled to contain the breach, restore encrypted data, and deploy necessary software patches.

The Guardian reported that a ransomware payload, likely a variant of the REvil/Sodinokibi family, was deployed against Collins Aerospace’s virtual machines late Friday evening. The reported attack chain began with a spear-phishing email carrying a malicious macro, which launched a PowerShell script that downloaded the payload from a command-and-control server.


After execution, the ransomware employed AES-256 encryption to lock file shares and virtual disks, appending a “.locked” extension to affected files, along with a ransom note demanding payment in Monero.

Initial forensic investigations suggest that attackers exploited a zero-day vulnerability in the Citrix ADC appliance to gain initial access. Subsequently, they escalated privileges through modifications to the Windows Registry and employed Mimikatz for credential harvesting, consistent with tactics outlined in the MITRE ATT&CK framework.

Once inside the network, lateral movement was executed using SMB and RDP protocols, achieving persistence through scheduled tasks and altered Group Policy Objects (GPOs). The European Union Agency for Cybersecurity (ENISA) confirmed that the attack led to file encryption on primary Domain Controllers, subsequently impacting airport kiosks, bag-drop systems, and boarding gates.
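The behaviour described above, file shares being renamed in bulk to a ".locked" extension, is one of the cheapest indicators a file-server owner can alert on. The following is an added example, not code from the article or from Collins Aerospace, that scans constructed file-server audit lines (the line format, host names, user names and paths are all assumed) and flags any host/user pair that renames more than a threshold of files to the ransomware extension inside a short time window. The sliding-window count distinguishes a mass-encryption burst from the occasional legitimate rename.

```python
"""Detect mass ".locked" renames in file-server audit logs.

Added example with constructed data; the audit line format below is an
assumption, not the format of any specific product.
Each line: <ISO timestamp> host=<name> user=<name> op=<op> src=<path> dst=<path>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one service account renames six files to .locked in
# nine seconds on FS01 (ransomware-like burst); a user on FS02 renames two
# files to .locked twenty minutes apart and one ordinary .docx rename.
SAMPLE_LOG = r"""
2025-09-19T22:41:03 host=FS01 user=svc_backup op=RENAME src=\\FS01\share\q3.xlsx dst=\\FS01\share\q3.xlsx.locked
2025-09-19T22:41:04 host=FS01 user=svc_backup op=RENAME src=\\FS01\share\rota.docx dst=\\FS01\share\rota.docx.locked
2025-09-19T22:41:05 host=FS01 user=svc_backup op=RENAME src=\\FS01\share\gates.csv dst=\\FS01\share\gates.csv.locked
2025-09-19T22:41:07 host=FS01 user=svc_backup op=RENAME src=\\FS01\share\kiosk.cfg dst=\\FS01\share\kiosk.cfg.locked
2025-09-19T22:41:09 host=FS01 user=svc_backup op=RENAME src=\\FS01\share\bagdrop.db dst=\\FS01\share\bagdrop.db.locked
2025-09-19T22:41:12 host=FS01 user=svc_backup op=RENAME src=\\FS01\share\notes.txt dst=\\FS01\share\notes.txt.locked
2025-09-19T22:10:00 host=FS02 user=jdoe op=RENAME src=\\FS02\home\old.txt dst=\\FS02\home\old.txt.locked
2025-09-19T22:15:00 host=FS02 user=jdoe op=RENAME src=\\FS02\home\draft.docx dst=\\FS02\home\final.docx
2025-09-19T22:30:00 host=FS02 user=jdoe op=RENAME src=\\FS02\home\temp.txt dst=\\FS02\home\temp.txt.locked
"""


def parse_line(line):
    """Turn one audit line into a dict of fields plus a parsed 'ts' datetime."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def find_encryption_bursts(log_text, extension=".locked",
                           window=timedelta(seconds=60), threshold=5):
    """Return {(host, user): max_renames_in_window} for actors that renamed
    at least `threshold` files to `extension` within any `window`."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("op") == "RENAME" and rec.get("dst", "").lower().endswith(extension):
            events[(rec["host"], rec["user"])].append(rec["ts"])

    alerts = {}
    for actor, stamps in events.items():
        stamps.sort()
        # Sliding window over sorted timestamps: largest number of renames
        # whose first and last event lie within `window` of each other.
        best = 0
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[actor] = best
    return alerts


if __name__ == "__main__":
    for (host, user), count in find_encryption_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {user} renamed {count} files to .locked within 60s")
```

Run against the constructed sample, only the FS01/svc_backup burst is reported; the two isolated ".locked" renames on FS02 fall below the threshold. In a real deployment the threshold and window are tuned per share, and the same logic applies unchanged to any other extension an incident responder identifies.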

While Collins Aerospace is actively developing decryption utilities and hotfixes, airport operators have resorted to manual check-in counters and paper boarding passes, considerably extending passenger processing times—sometimes by up to two hours, as reported by The Guardian.

Despite the disruptions, Heathrow stated that the majority of flights continue to operate, although check-in processes may take longer than usual. On the other hand, Brussels Airport faced significant cancellations, with 40 departing and 23 arriving flights affected on just one day. Dublin Airport has also indicated the possibility of future disruptions, albeit without immediate cancellations.

Notably, Jonathan Hall KC, the UK’s independent reviewer of terrorism legislation, has suggested that a state-sponsored actor using advanced persistent threat (APT) tactics may be behind the breach. Collins Aerospace, however, has not publicly attributed the attack to any specific group. In a statement, parent company RTX said that efforts were underway to verify system integrity and recommended that customers update to the latest Muse software version (7.4.2).

Passengers are encouraged to check flight statuses online and plan to arrive at the airport no more than three hours before long-haul flights and two hours before short-haul services. In an increasingly challenging cybersecurity landscape, this incident serves as a stark reminder of the risks associated with vulnerabilities in critical operational frameworks.
