Over the weekend, a sophisticated ransomware attack targeted Collins Aerospace’s Muse check-in and boarding systems, leading to significant disruptions at major European airports, including Heathrow, Brussels, and Berlin. The cyberattack forced these airports to revert to manual processing methods, resulting in hundreds of flight delays and cancellations.
Airlines reported extensive operational challenges as security teams worked diligently to contain the breach, restore encrypted data, and implement necessary software patches. The Guardian reported that on Friday evening, threat actors deployed a ransomware payload, believed to be a variant of the REvil/Sodinokibi family, against Collins Aerospace’s virtual machines within its cloud-hosted environment.
Details of the Collins Aerospace Systems Ransomware Attack
The attack commenced with a spear-phishing email containing a malicious macro. When executed, this macro ran a PowerShell script that downloaded the ransomware payload from a command-and-control (C2) server. Once activated, the ransomware utilized AES-256 encryption to lock file shares and virtual disks, appending the extension .locked to affected files and leaving a ransom note demanding payment in Monero cryptocurrency.
Initial forensic investigations suggest that the attackers exploited a zero-day vulnerability in the Citrix ADC appliance to gain initial access. They then escalated privileges through modifications to the Windows Registry and deployed Mimikatz, a tool used for credential harvesting. The attackers moved laterally across the network using SMB and RDP protocols, establishing persistence via scheduled tasks and altered Group Policy Objects (GPOs).
The European Union Agency for Cybersecurity (ENISA) confirmed that Collins Aerospace experienced file encryption on its primary Domain Controllers. This encryption propagated the impact to airport kiosks, bag-drop systems, and boarding gates, severely affecting airport operations.
Impact on Airport Operations
As Collins Aerospace works on developing decryptor utilities and hotfixes, airport operators have implemented manual check-in counters and paper boarding passes. This shift has extended passenger processing times by up to two hours. Heathrow Airport reported that the vast majority of flights are operating as normal, although check-in may take longer than usual. Brussels Airport canceled 40 departing and 23 arriving flights on Monday alone, while Dublin Airport warned of potential future disruptions despite no immediate cancellations.
Potential Attribution and Response
Jonathan Hall KC, the UK government’s independent reviewer of terrorism legislation, suggested that a state-sponsored actor employing advanced persistent threat (APT) tactics could be behind the breach. However, Collins Aerospace has not publicly attributed the attack to any specific group. In a statement released on Monday, RTX, the parent company of Collins Aerospace, affirmed that system integrity is being verified and urged customers to apply the latest Muse software update (version 7.4.2).
Advice for Passengers
Passengers are advised to verify their flight status online and to arrive at the airport no more than three hours before long-haul departures and two hours before short-haul services to accommodate the extended processing times.
