Ransomware Attack Disrupts European Airports

Ransomware Attack Disrupts Major Airports Linked to Collins Aerospace

Understanding the Incident

Recently, a significant cybersecurity incident involving Collins Aerospace—a leading supplier in aerospace and defense solutions—has caused disruptions at major airports across Europe. According to the EU cybersecurity agency ENISA, this disruption stems from a ransomware attack that targeted the services provided by the US-based company, which is now part of RTX (formerly Raytheon).

The Impact on Airports

Collins Aerospace provides essential technology that supports various airport operations, including passenger check-ins and the printing of boarding passes and luggage tags. Following the cyberattack, several airports, including Heathrow, Berlin Brandenburg, and Brussels Airport, were significantly affected and had to fall back to manual check-in processes. This shift disrupted normal operations, causing delays and, in some cases, flight cancellations.

Reportedly, Brussels Airport faced the most substantial impact, with airlines canceling nearly 140 flights in response to the incident. While Heathrow managed to maintain operations for most of its flights, the effects of the cyber incident were keenly felt across the aviation sector.

Investigation and Response

ENISA confirmed that law enforcement agencies are currently investigating the ransomware attack, having identified the type of ransomware used. However, detailed information about the attackers has not yet been disclosed. The UK’s National Cyber Security Centre is collaborating with the Department of Transport to delve deeper into the incident, indicating the seriousness with which the situation is being treated.

An internal memo from Heathrow Airport disclosed alarming news: over a thousand computers may have been compromised, and attempts to restore systems remotely were unsuccessful. Furthermore, it was revealed that the hackers may have persisted within the network even after Collins Aerospace attempted to restore services.

Technical Insights

Cybersecurity expert Kevin Beaumont has been analyzing the attack and suggests that it primarily affected ARINC communications and information processing services, specifically their SelfServ vMUSE systems. Beaumont highlighted concerning gaps in security for various ARINC-related systems, pointing out that dozens appeared to be exposed to the internet without crucial security measures in place.

Moreover, users who rely on the ARINC systems faced login failures, further complicating the response to the disruption. Collins Aerospace had previously indicated that it was nearing completion of software updates necessary for bringing systems back online, but uncertainties remain about whether these updates were applied before or after the intrusion was discovered.

Speculations on the Attackers

While the identity of the attackers remains unclear, there is speculation linking the incident to the ShinyHunters cybercrime group. Notably, this group’s partner, the Scattered Spider gang, has a history of targeting the aviation sector. Although these groups have claimed to be retiring from such activities, the cybersecurity community remains skeptical, with some evidence suggesting that they continue to engage in cyberattacks.

Broader Implications

This incident serves as a reminder of the vulnerabilities within the aviation industry, especially regarding cybersecurity. As businesses increasingly rely on interconnected technology systems, the importance of robust security measures becomes even more crucial. The impact of the Collins Aerospace cyberattack highlights the need for ongoing vigilance and proactive defenses to protect critical infrastructure.

For those involved in the aviation sector or relying on these services, staying informed about cybersecurity practices and developments will be essential as the investigation unfolds. As authorities work to determine the full scope of the breach and implement necessary corrective measures, the repercussions of this event may encourage broader discussions within the industry about cybersecurity resilience and strategy.
