UK NCA makes arrest in airline cyberattack as Collins Aerospace ransomware fallout continues


The U.K. National Crime Agency (NCA) carried out an arrest of a man in West Sussex in connection with the ongoing investigation into the cybersecurity incident affecting Collins Aerospace. The incident, reported last Friday, caused widespread flight delays and cancellations at major European airports, including Heathrow, Brussels, and Berlin, as authorities and the company worked to restore normal operations over the weekend.

“NCA officers, supported by the South East ROCU, arrested a man in his forties in West Sussex yesterday evening on suspicion of Computer Misuse Act offences,” the NCA disclosed in a statement. He has been released on conditional bail.

“Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing,” Paul Foster, deputy director and head of the NCA’s National Cyber Crime Unit, added. “Cybercrime is a persistent global threat that continues to cause significant disruption to the UK. Alongside our partners here and overseas, the NCA is committed to reducing that threat in order to protect the British public.”

RTX, which owns Collins Aerospace, confirmed in a Securities and Exchange Commission (SEC) filing on Wednesday that it had detected a product cybersecurity incident involving ransomware last Friday on systems that support its Multi-User System Environment (MUSE) passenger processing software. The filing explains that the software enables multiple airlines to share check-in and gate resources at airports, including baggage handling, and that “The MUSE airport systems operate outside of the RTX enterprise network, residing on customer-specific networks.”

“Upon detecting the incident, the Company activated its incident response plan and promptly took steps to assess, contain, respond to, and remediate the incident,” according to the filing. “The Company is diligently investigating the incident with the assistance of internal and external cybersecurity experts and has notified domestic and international law enforcement authorities and certain other government agencies.”

RTX is also communicating with customers and other stakeholders and providing technical support and guidance to affected airlines and airports. “Our customers have shifted to back-up or manual processes and have experienced certain flight delays and cancellations.”

RTX noted that while its investigation and assessment of this product cybersecurity incident is ongoing, the incident “has not had a material impact and is not reasonably expected to have a material impact on the Company’s financial condition, business operations or results of operations.”

RTX did not provide further details about the incident, but cybersecurity researcher Kevin Beaumont wrote in a Mastodon post that the attackers used an ‘incredibly basic’ ransomware variant known as HardBit.

“The Europe airlines ransomware situation is a variant of Hardbit ransomware, which doesn’t have a portal and is incredibly basic,” Beaumont wrote. “They’ve had to restart recovery again as the devices keep getting reinfected.”

Adding that he has never seen an incident like it, he suggested that “somebody like the NCSC needs to go in and help them with IR.”

Public data on HardBit reveals that it is a ransomware strain that emerged in October 2022 and operates as a Ransomware-as-a-Service (RaaS), allowing affiliates to deploy it in exchange for a share of the ransom. The malware encrypts files and changes the system wallpaper to a JPEG with instructions for contacting the attackers via Tox, a peer-to-peer messaging platform, to negotiate payment.

Uniquely, HardBit operators request details about the victim’s cyber insurance to tailor the ransom demand, a tactic that exploits insurance coverage to increase the chance of payment. By early 2024, HardBit had evolved to version 4.0, adding obfuscation and requiring a passphrase during execution. Operators can use either a command-line or a graphical interface, depending on skill level.

Organizations can defend against HardBit by maintaining offline backups, training staff on phishing, segmenting networks, deploying advanced endpoint protection, and having a robust incident response plan.

Since Friday, major international hubs, including London’s Heathrow, Brussels, and Berlin airports, have faced flight delays. Operations at Brussels Airport continued to be affected on Wednesday, with 6% of flights cancelled, according to 7sur7.

At the same time, news outlet Watson reported that flights at Berlin Brandenburg were cancelled and delayed on Wednesday.

“The company has informed us that it can take several more days to provide a functional system,” a Berlin Brandenburg spokesperson said. “This is very unfortunate and surprised us. Exactly when everything will work properly again is not foreseeable.”

Disruption at London Heathrow Airport eased significantly as Collins Aerospace confirmed an IT issue with the systems that it supplies to a number of airlines across Europe. “The vast majority of flights at Heathrow are operating as normal, but we encourage passengers to check the status of their flight before travelling to the airport and to arrive no earlier than three hours for long-haul flights and two hours for short-haul,” the airport said. “We are supporting affected airlines with their contingencies and have deployed additional colleagues in terminals to assist passengers,” it added.

CYFIRMA research released Tuesday assessed that Alixsec, Scattered Spider, and the Rhysida ransomware group are plausible actors, given their prior targeting patterns, history of high-profile disruptions, and demonstrated operational capabilities.

“On December 5, 2024, the threat group Alixsec reportedly announced intentions to target multiple UK critical infrastructure sites, including transportation, media, banking, defense, and government organizations, with London Heathrow Airport mentioned,” the research report added. “Their statements indicate a focus on high-value operational nodes, highlighting potential risks to airport operations, public services, and national infrastructure, underscoring the need for increased monitoring and defensive preparedness.”

In July, the Federal Bureau of Investigation (FBI) warned that the cybercriminal group Scattered Spider has been expanding its attacks to the airline sector. The group relies on social engineering, often impersonating employees or contractors to trick IT help desks into granting access.
