iscover
Weeks after airports in the UK and Europe were forced to resort to manual pen-and-paper processes to manage boarding and check-ins following a disruptive cyber attack, a well-known ransomware actor has claimed to be behind the incident.
The Everest ransomware gang claimed responsibility for the cyber attack in a 17 October listing on its darknet leak site, and said it was planning to release several tranches of data allegedly stolen during the incident.
This content is available exclusively to Australian Aviation members.
A monthly membership is only $5.99 or save with our annual plans.
- Australian Aviation quarterly print & digital magazines
- Access to In Focus reports every month on our website
- Unlimited access to all Australian Aviation digital content
- Access to the Australian Aviation app
- Australian Aviation quarterly print & digital magazines
- Access to In Focus reports every month on our website
- Access to our Behind the Lens photo galleries and other exclusive content
- Daily news updates via our email bulletin
- Unlimited access to all Australian Aviation digital content
- Access to the Australian Aviation app
- Australian Aviation quarterly print & digital magazines
- Access to In Focus reports every month on our website
- Access to our Behind the Lens photo galleries and other exclusive content
- Daily news updates via our email bulletin
One drop of data – to be under the heading “MUSE-INSECURE: Inside Collins Aerospace’s Security Failure” – would be released within 48 hours of publication, the hackers said, alongside another dataset that they claim is an “FTP Access List”.
Everest is planning another drop of data within eight days of what it said is a “Collins Aerospace DataBase Download”. The leak post also has another section titled “News for CEO”, though this is hidden behind a password, one which the threat actor has presumably supplied to RTX and/or Collins Aerospace.
The ransomware actor has not listed any ransom demand.
At the time of the initial attack, which took place on the evening of 19 September, RTX – the owner of Collins Aerospace – said it was aware of a “cyber-related disruption” affecting the company’s software at several European airports, with Heathrow Airport, Dublin Airport, Berlin Airport, and Brussels Airport all reporting some level of disruption.
Days later, airports were still attempting to recover from the disruption, warning passengers of delays and cancellations.
“Work continues to resolve and recover from an outage of a Collins Aerospace airline system that impacted check-in,” Heathrow Airport said in a 22 September passenger notice on its website.
“We apologise to those who have faced delays, but by working together with airlines, the vast majority of flights have continued to operate.”
While the airports have now recovered from that initial disruption, it remains to be seen what impact, if any, any further releases of data may have.
Nigel Phair, professor of practice at Monash University’s department of software systems and cyber security, said at the time that Australian airports should take note.
“The flight delays arising from the outage at Heathrow and other European airports for the electronic check-in and baggage drop show how technically interconnected flying is,” Phair said.
“It highlights the importance of third-party systems connecting airlines, airports and the IT integrators that keep operations running.
“While this hasn’t yet impacted any Australian airports, it demonstrates the need for Australian airlines to redouble their cyber security controls, especially after the recent Qantas data breach.”
The Everest ransomware group is a Russian-linked operation that was first observed in 2020. While it began as a data-theft-only extortion operation, it soon migrated to ransomware and encryption. It has claimed a total of 267 victims, including several high-profile international companies such as recent victims Mailchimp and BMW.
Collins Aerospace is one of three companies owned by RTX, alongside defence contractors Pratt & Whitney and Raytheon.
Australian Aviation’s sister brand, Cyber Daily, has reached out to RTX for comment on the hackers’ claims.
