The Everest ransomware gang claimed responsibility for a cyberattack on Collins Aerospace, a critical subsidiary of RTX (Raytheon Technologies), that disrupted operations at major European airports, including Heathrow (London), Brussels, and Berlin. The attack targeted the Muse software used for check-in and boarding, crippling those systems and leading to flight delays, cancellations, and a forced fallback to manual operations. Collins Aerospace is a key provider of avionics, mission systems, and defense technologies for commercial, military, and space applications, which makes it a high-value target in the global aerospace and defense supply chain. The breach raised concerns over potential access to classified or sensitive data, threatening national security, defense readiness, and critical infrastructure integrity. The Everest group’s leak site briefly vanished after the claim was posted, fueling speculation of law enforcement intervention, panic, or a strategic retreat prompted by the target’s sensitivity. The incident underscores the evolving ransomware threat, in which attacks extend beyond financial extortion into geopolitical disruption and erode trust in essential aviation and defense systems. The cascading impact on airport operations and military supply chains highlights the vulnerabilities of interconnected critical infrastructure and the need for stronger cross-sector cybersecurity collaboration to mitigate future risks.
TPRM report: https://www.rankiteo.com/company/collins-aerospace
{
  "id": "col4492344101825",
  "linkid": "collins-aerospace",
  "type": "Ransomware",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'Passengers at Heathrow (London), Brussels, Berlin airports',
                        'industry': ['Aerospace', 'Defense', 'Avionics'],
                        'location': 'USA (global operations)',
                        'name': 'Collins Aerospace',
                        'size': 'Large (major player in defense/aviation)',
                        'type': 'Subsidiary'},
                       {'customers_affected': 'Passengers (flight delays/cancellations)',
                        'industry': 'Aviation',
                        'location': 'London, UK',
                        'name': 'Heathrow Airport',
                        'size': 'Large',
                        'type': 'Airport'},
                       {'customers_affected': 'Passengers (flight delays/cancellations)',
                        'industry': 'Aviation',
                        'location': 'Brussels, Belgium',
                        'name': 'Brussels Airport',
                        'size': 'Large',
                        'type': 'Airport'},
                       {'customers_affected': 'Passengers (flight delays/cancellations)',
                        'industry': 'Aviation',
                        'location': 'Berlin, Germany',
                        'name': 'Berlin Airport',
                        'size': 'Large',
                        'type': 'Airport'},
                       {'industry': ['Defense', 'Aerospace'],
                        'location': 'USA',
                        'name': 'RTX (formerly Raytheon Technologies)',
                        'size': 'Large (global defense contractor)',
                        'type': 'Parent Company'}],
 'attack_vector': ['Exploited vulnerability in Muse software',
                   'Potential initial access broker involvement'],
 'data_breach': {'data_exfiltration': 'Unconfirmed (Everest gang claimed breach but leak site vanished)',
                 'sensitivity_of_data': 'Potentially high (aviation/defense systems data)'},
 'date_detected': '2025-09',
 'date_publicly_disclosed': '2025-10-18',
 'description': 'A cyberattack on Collins Aerospace, a subsidiary of RTX (formerly Raytheon Technologies), disrupted check-in and boarding systems at major European airports (Heathrow, Brussels, Berlin) in September 2025. The Everest ransomware gang claimed responsibility, but their leak site vanished shortly after posting the claim, raising speculation of a takedown or strategic retreat. The attack targeted Collins’ Muse software, causing flight delays, cancellations, and manual operations. The incident highlights risks to critical aviation and defense infrastructure, with potential implications for national security.',
 'impact': {'brand_reputation_impact': 'Significant (trust erosion in aviation/defense supply chain)',
            'customer_complaints': 'Likely high (due to flight disruptions)',
            'downtime': ['Flight delays',
                         'Flight cancellations',
                         'Manual operations at Heathrow, Brussels, Berlin airports'],
            'operational_impact': 'Severe disruption to airport operations across major European hubs',
            'systems_affected': ['Check-in systems', 'Boarding systems', 'Muse software']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Unconfirmed (Everest gang may act as broker)',
                           'high_value_targets': ['Muse software', 'Avionics/defense systems data']},
 'investigation_status': 'Ongoing (as of 2025-10-18)',
 'lessons_learned': ['Supply chain attacks can disrupt critical infrastructure (aviation/defense) with cascading effects.',
                     'Ransomware groups (e.g., Everest) may act as access brokers, increasing attack complexity.',
                     'Traditional perimeter security is insufficient; visibility across supply chains and segmented architectures are essential.',
                     'Rapid takedowns of leak sites (e.g., Everest’s) suggest law enforcement or threat actor panic, but motives remain unclear.',
                     'Attacks on defense/aviation suppliers can erode trust in national security systems beyond financial damage.'],
 'motivation': ['Financial Extortion',
                'Disruption of Critical Infrastructure',
                'Potential Geopolitical Impact'],
 'post_incident_analysis': {'root_causes': ['Potential vulnerability in Collins’ Muse software',
                                            'Supply chain exposure in aviation/defense sector',
                                            'Possible initial access broker involvement']},
 'ransomware': {'data_exfiltration': 'Claimed but unconfirmed',
                'ransomware_strain': 'Everest'},
 'recommendations': ['Strengthen supply chain cybersecurity through continuous monitoring and third-party risk assessments.',
                     'Implement segmented network architectures to limit lateral movement in critical infrastructure.',
                     'Enhance international cooperation between private sector, law enforcement, and cyber defense agencies.',
                     'Develop resilient manual backup systems for critical operations (e.g., airport check-in/boarding).',
                     'Monitor dark web for stolen access or data related to defense/aviation sectors.'],
 'references': [{'date_accessed': '2025-10-18',
                 'source': 'SecurityAffairs',
                 'url': 'https://securityaffairs.com/154220/cyber-crime/everest-collins-aerospace-breach.html'}],
 'response': {'law_enforcement_notified': 'Likely (speculation of takedown action against Everest leak site)',
              'recovery_measures': 'Manual operations implemented during outage'},
 'threat_actor': 'Everest Ransomware Gang',
 'title': 'Collins Aerospace Supply Chain Attack by Everest Ransomware Gang',
 'type': ['Supply Chain Attack', 'Ransomware', 'Operational Disruption']}