Collins Aerospace

Collins Aerospace, a subsidiary of RTX, suffered a **HardBit ransomware attack** targeting its **ARINC vMUSE software**, a critical system used by multiple airlines for check-in and boarding operations across European airports (Heathrow, Brussels, Berlin Brandenburg). The attack disrupted flight operations for days, forcing airlines to revert to **manual pen-and-paper processes**, causing **hundreds of delays and cancellations** since September 19. The incident response faced severe challenges, with systems **repeatedly reinfected** due to poor security hygiene, as noted by cybersecurity researcher Kevin Beaumont. The ransomware variant, described as 'incredibly basic,' evaded detection despite being flagged by legacy antivirus tools. While delays are gradually decreasing, the attack exposed **supply chain vulnerabilities**, compromised operational efficiency, and eroded public trust in aviation infrastructure. The UK’s National Crime Agency (NCA) arrested a suspect in connection with the attack, but the financial and reputational fallout for Collins Aerospace and affected airlines remains significant. The company engaged internal/external cybersecurity experts and law enforcement, but recovery efforts continue amid ongoing disruptions.

Source: https://www.infosecurity-magazine.com/news/nca-arrest-hardbit-ransomware/

TPRM report: https://www.rankiteo.com/company/collins-aerospace

"id": "col1232412092525",
"linkid": "collins-aerospace",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'multiple airlines and airports '
                                              '(e.g., Heathrow, Brussels, '
                                              'Berlin Brandenburg)',
                        'industry': 'aerospace and defense',
                        'location': 'USA (owned by RTX)',
                        'name': 'Collins Aerospace',
                        'type': 'subsidiary'},
                       {'industry': 'aerospace and defense',
                        'location': 'USA',
                        'name': 'RTX (parent company of Collins Aerospace)',
                        'type': 'corporation'},
                       {'customers_affected': 'thousands of passengers',
                        'industry': 'aviation',
                        'location': ['Europe (Heathrow, Brussels, Berlin '
                                     'Brandenburg)',
                                     'potentially global'],
                        'name': 'Airlines using ARINC vMUSE software',
                        'type': 'organizations'}],
 'attack_vector': ['exploit of ARINC vMUSE software', 'poor security hygiene'],
 'data_breach': {'data_encryption': 'likely (ransomware)'},
 'date_detected': '2023-09-19',
 'date_publicly_disclosed': '2023-09-20',
 'description': 'A suspected ransomware attack on Collins Aerospace, linked to '
                'the HardBit ransomware variant, has caused widespread flight '
                'delays and cancellations across Europe. The attack targeted '
                'the ARINC vMUSE software used by airlines for check-in and '
                'boarding operations. The UK’s National Crime Agency (NCA) '
                'arrested a suspect in connection with the incident, which has '
                'led to operational disruptions, including manual check-ins '
                'with pen and paper. Recovery efforts have faced challenges '
                'due to reinfections, highlighting poor security hygiene.',
 'impact': {'brand_reputation_impact': 'high (widespread disruptions, negative '
                                       'media coverage)',
            'customer_complaints': 'likely (due to delays and cancellations)',
            'downtime': {'details': 'Hundreds of flights delayed or cancelled; '
                                    'manual check-ins (pen and paper) required '
                                    'at airports including Heathrow, Brussels, '
                                    'and Berlin Brandenburg.',
                         'duration': 'ongoing as of 2023-09-21 (third day)',
                         'end': None,
                         'start': '2023-09-19 (evening)'},
            'operational_impact': {'boarding_process': 'manual (pen and paper)',
                                   'check_in_process': 'manual (pen and paper)',
                                   'flight_delays': {'Berlin Brandenburg': {'average_delay': '28 '
                                                                                             'minutes',
                                                                            'percentage_delayed': '72%'},
                                                     'Brussels': {'average_delay': '26 '
                                                                                   'minutes',
                                                                  'percentage_delayed': '80%'},
                                                     'Heathrow': {'average_delay': '17 '
                                                                                   'minutes',
                                                                  'percentage_delayed': '56%'}}},
            'systems_affected': ['ARINC vMUSE (Multi-User System Environment) '
                                 'software']},
 'initial_access_broker': {'high_value_targets': ['ARINC vMUSE software']},
 'investigation_status': 'ongoing (early stages per NCA)',
 'motivation': 'financial (ransomware)',
 'post_incident_analysis': {'root_causes': ['poor security hygiene (e.g., '
                                            'outdated AV detections)',
                                            'reinfection during recovery']},
 'ransomware': {'data_encryption': 'yes (confirmed in SEC filing)',
                'ransomware_strain': 'HardBit'},
 'recommendations': ['improve security hygiene (e.g., update AV detections)',
                     'seek external IR assistance (e.g., NCSC)',
                     'enhance containment strategies to prevent reinfection'],
 'references': [{'date_accessed': '2023-09-20',
                 'source': 'UK National Crime Agency (NCA) statement'},
                {'date_accessed': '2023-09-20',
                 'source': 'Collins Aerospace SEC filing'},
                {'date_accessed': '2023-09-20',
                 'source': 'Kevin Beaumont (Mastodon post on HardBit '
                           'ransomware)'},
                {'date_accessed': '2023-09-21',
                 'source': 'Airport Chaos Enters Third Day After Supply Chain '
                           'Attack (article)'}],
 'regulatory_compliance': {'regulatory_notifications': ['SEC filing',
                                                        'notifications to '
                                                        'domestic and '
                                                        'international law '
                                                        'enforcement']},
 'response': {'communication_strategy': ['SEC filing', 'NCA public statement'],
              'containment_measures': ['isolation of affected systems',
                                       'attempted recovery (challenged by '
                                       'reinfections)'],
              'incident_response_plan_activated': 'yes (per SEC filing)',
              'law_enforcement_notified': 'yes (UK NCA, domestic and '
                                          'international authorities)',
              'network_segmentation': 'ARINC vMUSE operates on '
                                      'customer-specific networks (outside RTX '
                                      'enterprise network)',
              'recovery_measures': 'ongoing (with reinfection issues)',
              'remediation_measures': ['recovery restarts',
                                       'investigation with cybersecurity '
                                       'experts'],
              'third_party_assistance': 'yes (internal and external '
                                        'cybersecurity experts)'},
 'stakeholder_advisories': ['SEC filing', 'NCA statement'],
 'title': 'Ransomware Attack on Collins Aerospace Disrupts European Flights',
 'type': ['ransomware', 'supply chain attack']}