A ransomware attack targeted Collins Aerospace’s **ARINC cMUSE software**, a critical system used by airlines to manage shared check-in desks and boarding gates at major European airports, including **London Heathrow, Brussels, and Berlin**. The attack—identified as a variant of **Hardbit ransomware**—caused **severe operational disruptions**, forcing airlines to revert to manual passenger processing. Recovery efforts were hampered by **repeated reinfections**, prolonging downtime. While no data breach was explicitly confirmed, the incident disrupted **flight operations, airline workflows, and customer experiences**, with lingering effects on check-in systems even after partial restoration. The attack’s **supply-chain nature** amplified its impact, affecting multiple airlines and airports simultaneously. Authorities, including the **UK’s National Crime Agency (NCA)**, arrested a suspect in the UK, but the investigation remains ongoing. The parent company, **RTX**, engaged cybersecurity experts and law enforcement, emphasizing the attack’s **global and persistent threat** to critical infrastructure.
Source: https://www.itpro.com/security/cyber-attacks/nca-confirms-arrest-after-airport-cyber-disruption
TPRM report: https://www.rankiteo.com/company/rtx
"id": "rtx0632706092525",
"linkid": "rtx",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Aviation/Technology',
                        'location': 'Global (HQ: USA)',
                        'name': 'Collins Aerospace',
                        'type': 'software supplier (aerospace)'},
                       {'industry': 'Aerospace/Defense',
                        'location': 'USA',
                        'name': 'RTX (parent company of Collins Aerospace)',
                        'type': 'conglomerate'},
                       {'industry': 'Aviation',
                        'location': 'London, UK',
                        'name': 'London Heathrow Airport',
                        'type': 'airport'},
                       {'industry': 'Aviation',
                        'location': 'Brussels, Belgium',
                        'name': 'Brussels Airport',
                        'type': 'airport'},
                       {'industry': 'Aviation',
                        'location': 'Berlin, Germany',
                        'name': 'Berlin Airports (e.g., BER)',
                        'type': 'airport'},
                       {'industry': 'Aviation',
                        'location': 'Europe (primarily UK, Belgium, Germany)',
                        'name': 'Multiple Airlines (using ARINC cMUSE)',
                        'type': 'airlines'}],
 'attack_vector': 'Exploitation of ARINC cMUSE software (shared '
                  'check-in/boarding infrastructure)',
 'customer_advisories': ['Airlines advised passengers on manual check-in '
                         'procedures'],
 'data_breach': {'data_encryption': 'Ransomware encrypted ARINC cMUSE systems'},
 'description': "A ransomware attack on Collins Aerospace's ARINC cMUSE "
                'software caused significant disruption at London Heathrow, '
                'Brussels, and Berlin airports, forcing airlines to manually '
                'check in passengers. The attack was identified as a variant '
                'of the Hardbit ransomware. A suspect in his 40s was arrested '
                'in West Sussex, UK, under suspicion of Computer Misuse Act '
                'offences. The investigation is ongoing, with speculation '
                'about potential nation-state involvement (e.g., Russia), '
                'though the arrest suggests a domestic actor. RTX (parent '
                'company of Collins Aerospace) is coordinating with '
                'cybersecurity experts, law enforcement, and affected '
                'stakeholders to mitigate the incident. Most flights have '
                'resumed normal operations, though some manual check-ins '
                'persist.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'Collins Aerospace/RTX and affected '
                                       'airlines/airports',
            'downtime': 'Partial (manual check-ins ongoing for some desks)',
            'operational_impact': 'Major disruption at London Heathrow, '
                                  'Brussels, and Berlin airports; manual '
                                  'passenger processing required',
            'systems_affected': ['ARINC cMUSE software',
                                 'check-in desks',
                                 'boarding gates']},
 'initial_access_broker': {'high_value_targets': ['ARINC cMUSE software '
                                                  '(shared aviation '
                                                  'infrastructure)']},
 'investigation_status': 'Ongoing (early stages; suspect arrested and released '
                         'on conditional bail)',
 'lessons_learned': 'Highlighted vulnerabilities in supply chain attacks '
                    '(shared aviation software as single point of failure) and '
                    'challenges in ransomware recovery (reinfection risks). '
                    'Emphasized need for coordinated incident response '
                    'involving cybersecurity experts and law enforcement.',
 'motivation': ['financial (ransomware)', 'disruption'],
 'post_incident_analysis': {'corrective_actions': ['Technical support to '
                                                   'restore systems and '
                                                   'prevent reinfection.',
                                                   'Engagement with UK NCSC '
                                                   'for incident response '
                                                   'assistance.',
                                                   'Review of supply chain '
                                                   'security practices.'],
                            'root_causes': ['Exploitation of vulnerabilities '
                                            'in ARINC cMUSE software (details '
                                            'unspecified).',
                                            'Potential insufficient '
                                            'segmentation/isolation of shared '
                                            'aviation systems.',
                                            'Challenges in ransomware '
                                            'containment (reinfection '
                                            'issues).']},
 'ransomware': {'data_encryption': True,
                'ransomware_strain': 'Hardbit (variant)'},
 'recommendations': ['Enhance supply chain cybersecurity for critical '
                     'infrastructure (e.g., aviation software).',
                     'Improve ransomware resilience (e.g., backup strategies, '
                     'reinfection prevention).',
                     'Strengthen collaboration between private sector and law '
                     'enforcement (e.g., NCA, NCSC).',
                     'Conduct post-incident reviews to address root causes '
                     '(e.g., software vulnerabilities, access controls).'],
 'references': [{'source': 'ITPro', 'url': 'https://www.itpro.com/'},
                {'source': 'Kevin Beaumont (Mastodon)'},
                {'source': 'RTX SEC Filing'},
                {'source': 'UK National Crime Agency (NCA) Statement'}],
 'regulatory_compliance': {'legal_actions': ['arrest under Computer Misuse Act '
                                             '(UK)'],
                           'regulatory_notifications': ['US SEC filing by RTX',
                                                        'notifications to '
                                                        'domestic/international '
                                                        'law enforcement']},
 'response': {'communication_strategy': ['SEC filing by RTX',
                                         'public statements by NCA',
                                         'stakeholder updates'],
              'containment_measures': ['technical support to airlines/airports',
                                       'coordination with stakeholders'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['restoration of ARINC cMUSE systems',
                                    'manual check-in processes as backup'],
              'remediation_measures': ['recovery attempts (challenged by '
                                       'reinfections)',
                                       'assistance from UK NCSC suggested'],
              'third_party_assistance': ['internal cybersecurity experts',
                                         'external cybersecurity experts']},
 'stakeholder_advisories': ['RTX communicating with customers '
                            '(airlines/airports)',
                            'NCA updates to public'],
 'threat_actor': {'suspected_affiliation': ['potential nation-state (Russia '
                                            'speculated)',
                                            'domestic actor (UK arrest)']},
 'title': 'Ransomware Attack on Collins Aerospace Disrupts Major European '
          'Airports',
 'type': ['ransomware', 'supply chain attack']}