UK Arrest Made in Collins Aerospace Ransomware Attack Investigation

Written by: Lore Apostol, Cybersecurity Writer

The United Kingdom's National Crime Agency (NCA) has arrested a man in connection with the recent Collins Aerospace ransomware attack that caused extensive disruptions at airports across Europe. The incident crippled check-in systems provided by the aerospace technology firm, leading to significant operational challenges for several days.

Details of the Arrest and Ongoing Investigation

NCA officers, with support from the South East Regional Organised Crime Unit (ROCU), arrested a man in his forties in West Sussex on suspicion of offenses under the Computer Misuse Act. The suspect has since been released on conditional bail. 

Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, stated that “although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing.”

“Investigating, tracking, finding, and arresting a cyber attacker is already a massive success, but an arrest is just a milestone in the long process of actually getting to trial and obtaining a conviction. It can take years to get from arrest to conviction,” said Andy Bennett, CISO at Apollo Information Systems.

The agency has not released further details about the individual or the specific nature of his alleged involvement. The NCA continues its work with partners to address the threat.

The EU cybersecurity agency ENISA announced on Monday that a ransomware attack was responsible for the airport disruptions, without providing further details.

In a filing with the U.S. Securities and Exchange Commission (SEC), RTX (formerly Raytheon Technologies), the parent company of Collins Aerospace, confirmed that the event was a ransomware incident. Reports say the malware was a variant of the HardBit ransomware that keeps reinfecting the devices.

“HardBit is notable because prior variants tried to peg ransom demands to a victim’s insurance limits. One reason we train clients never to disclose coverage details,” said Kirsten Maley, Director of Claims at Cowbell.

Experts’ Recommendations

Maley observes a broader trend, as operational outages are increasingly originating at vendors that serve multiple customers simultaneously. 

Agnidipta Sarkar from ColorTokens emphasizes the need to review interconnected services and systemic risks, as a single point of failure can simultaneously cascade across multiple countries and sectors. Sarkar also recommends enhancing existing cybersecurity investments in EDR, SIEM, and others by integrating them with a micro-segmentation platform to understand all possible points of breach and simulate supply chain isolation.

“Use a digital certificate-based passwordless credential system for all suppliers, which can deny credential misuse, and augment all the allowed paths with deception AI-enabled lures that can entrap attackers into honeypots,” Sarkar said.

Maley recommends that organizations:

Impact on European Airports

The Multi-User System Environment (MUSE) passenger processing software provided by Collins Aerospace works with check-in and gate resources at airports, including baggage handling, and operates outside of the RTX enterprise network, residing on customer-specific networks.

The cyberattack, reported on September 19, caused substantial disruption at European airports, forcing airlines that used the MUSE platform to revert to manual check-in processes.

This resulted in long queues, widespread flight delays, and some cancellations at major hubs, including London Heathrow, Brussels, Berlin, and Dublin, as well as at some smaller airports. The disruption highlighted the vulnerability of critical aviation infrastructure to cyber threats. 

This week, a suspected member of the Scattered Spider group surrendered and was arrested in Las Vegas. 

In other recent news, the community rallied to replenish funds and dox the hacker who stole $32,000 from a cancer patient on live stream via a crypto-draining Steam game, only to boast about expensive cars afterwards.

