Russia-linked group claims responsibility for attack on European airport – Australian Aviation

Hackers linked to Russia have claimed responsibility for the Collins Aerospace cyberattack.

Weeks after airports in the UK and Europe were forced to resort to manual pen-and-paper processes to manage boarding and check-in following a disruptive cyberattack, a well-known ransomware actor claimed to be behind the incident.

The Everest ransomware gang claimed responsibility for the cyberattack in an Oct. 17 listing on its darknet breach site and said it planned to release several tranches of data allegedly stolen during the incident.

One tranche of data, titled “MUSE-INSECURE: Inside Collins Aerospace’s Security Failure,” will be released within 48 hours of the listing's publication, the hackers said, along with another set of data they claim is an “FTP Access List.”

Everest is planning another data release within eight days, following what it said is a “download of the Collins Aerospace database.” The leak post also has another section titled “CEO News,” although it is hidden behind a password, one that the threat actor presumably provided to RTX and/or Collins Aerospace.

The ransomware actor has not included any ransom demand.

At the time of the initial attack, which took place on the afternoon of September 19, RTX – the owner of Collins Aerospace – said it was aware of a “cyber-related outage” affecting the company’s software at several European airports, with Heathrow Airport, Dublin Airport, Berlin Airport and Brussels Airport reporting some level of outage.

Days later, airports were still trying to recover from the disruption, warning passengers of delays and cancellations.

“Work continues to resolve and recover from a Collins Aerospace airline system outage that affected check-in,” Heathrow Airport said in a Sept. 22 notice to passengers on its website.

“We apologize to those who experienced delays, but by working together with the airlines, the vast majority of flights continued to operate.”

While airports have now recovered from that initial disruption, it remains to be seen what impact, if any, further data releases may have.

Nigel Phair, professor of practice in Monash University’s cyber security and software systems department, said at the time that Australian airports should take note.

“Flight delays resulting from the disruption of electronic check-in and baggage drop at Heathrow and other European airports show how technically interconnected flights are,” Phair said.

“It highlights the importance of third-party systems that connect airlines, airports and the IT integrators that keep operations running.

“While this has not yet affected any Australian airports, it demonstrates the need for Australian airlines to step up their cybersecurity controls, especially after the recent Qantas data breach.”

The Everest ransomware group is a Russia-linked operation that was first observed in 2020. While it started as an extortion operation based solely on data theft, it soon migrated to ransomware and encryption. It has claimed a total of 267 victims, with several high-profile international companies among its recent victims, including Mailchimp and BMW.

Collins Aerospace is one of three companies owned by RTX, along with defense contractors Pratt & Whitney and Raytheon.

Australian Aviation’s sister brand Cyber Daily reached out to RTX for comment on the hackers’ claims.
