Collins Aerospace attack claimed by Everest, linking ransomware group to last month's European airport chaos
The Everest ransomware group has claimed responsibility for the September breach of Collins Aerospace and its MUSE check-in software. The attack impacted multiple major airports across Europe and caused travel chaos for days.
-
Everest ransomware group is claiming responsibility for the Collins Aerospace attack tied to last month’s airport disruptions across Europe.
-
The cybercriminals allegedly exfiltrated a 50GB database from the company's servers and set an 8-day ransom deadline, although have provided no proof of the claim.
-
The breach led to days of check-in chaos, impacting thousands of travelers worldwide, highlighting the escalating threats to aviation infrastructure.
Collin Aerospace, a division of Raytheon Technologies Corporation (RTX), was posted on the Everest leak site on Friday, although the entry also dates back to October 14th and 15th.
The Everest ransomware cartel, which also made waves last month with a purported attack on luxury automaker BMW, claims to have exfiltrated a 50+ GB database from one of the world’s leading commercial and military defense companies.
One section of the five-part entry is titled “MUSE-INSECURE: Inside Collins Aerospaces Security Failure,” while another section claims to offer up an “FTP Access List.”
Everest also appears to single out the company’s CEO in its last section – titled “News for CEO” – although it's not clear who the group is referring to, as Collins Aerospace is led by its President Stephen Timm, while Christopher Calio is currently the CEO of parent company RTX.
It is assumed that the group has forwarded the "CEO" the required password to access the tailored message.
Furthermore, a countdown clock, set initially on October 14th, shows just over 24 hours to make an extortion deal with the ransomware group. But it seems Everest reset the countdown clock on Friday, giving Collins Aerospace another eight more days before the allegedly stolen database is made public or sold to the highest bidder.
Cybernews can presume this is due to the company making contact with the ransomware cartel to hear out their payout demands. It can also be noted that, in typical fashion, Everest, unlike many other ransomware operators, does not provide file samples as proof of its handiwork.
European airports suffered days-long disruptions
The incident began on September 19th, when Collins Aerospace – the technology service provider used by a plethora of major airports in Europe to manage check-in and boarding systems – reported a “technical issue” to Aviation authorities.
A spokesperson from RTX, Collins Aerospace’s parent company, released a statement identifying a “cyber-related disruption” in its Arinc cMUSE software at certain airports… and said that the impact was “limited to electronic customer check-in and baggage drop and could be mitigated with manual check-in operations.”
Days into the airport commotion, ENISA, the European Union Agency for Cybersecurity, confirmed that the automated check-in systems had been disrupted by ransomware.
Heathrow, the first airport to experience issues and warn passengers of delays, was quickly followed by airports in Brussels, Berlin, Dublin Airport, and Ireland's second-largest largest Cork Airport.
“Only manual check-in and boarding are possible. This has a large impact on the flight schedule and will, unfortunately, cause delays and cancellations of flights,” Brussels Airport posted on its website at the time.
Collins Aerospace was reported to have told Heathrow that an estimated 1,000 computers had been “corrupted” in the attack, and could only be brought back online in person.
Meantime, the aerospace and defense sector is no stranger to ransomware, mainly due to the treasure trove of sensitive information stored in the victim's network, including proprietary trade secrets, client information, and defense contracts, as well as the potential impact on supply chains.
In August, the Play group claimed US Navy supplier Jamco Aerospace, while in January, the INC Ransom group claimed responsibility for an attack on the DoD defense contractor Stark Aerospace. However, neither company publicly confirmed a breach.
The Boeing Company confirmed operations were impacted after being hit by the LockBit gang in late 2023.
Not to be left out, the aviation sector has also been a boon for ransomware groups over the past year, with attacks targeting German charter operator FAI Aviation Group, Canada’s second-largest airline WestJet, US carriers Hawaiian Airlines and Alaska Airlines, as well as Australia’s Qantas Airlines.
Who is Everest?
According to Cybernews’ dark web monitoring tool, Ransomlooker, Everest has listed 248 victims on its dark blog since 2023, with over 105 victims in the past 12 months, making it one of the most prolific cybercrime cartels.
Although way behind top ransomware gangs such as Qilin, Play, Cl0p, and RansomHub when it comes to numbers, Everest can still demand some impressive bragging rights.
First spotted in 2021, Everest first made headlines after the October 2022 attack on the American telecommunications behemoth AT&T. At the time, the group said it had access to AT&T’s entire corporate network.
Besides the September attack claimed on BMW, recently, Everest claimed responsibility for an attack on Allegis Group, a multi-billion-dollar talent management group, and a spate of attacks targeting the Middle East, including Coca-Cola’s Middle East division, the Abu Dhabi Department of Culture and Tourism, and the Jordan Kuwait Bank (JKB).
The gang has also targeted US-based Pacific HealthWorks, the North American gourmet cookie shop chain Crumbl, email marketing behemoth Mailchimp, and the US hotel chain Radisson Country Inn and Suites.
The hacker cartel is believed to be connected to the BlackByte ransomware group.
Unlock more exclusive Cybernews content on YouTube.
