Everest ransomware group claims Collins Aerospace breach tied to EU airport chaos — what we know and what it means

NEWS

Introduction: a high-impact supply-chain hit on aviation IT

In September 2025, a cyberattack against Collins Aerospace (an RTX company) disrupted passenger processing across several major European airports by impacting MUSE (Multi-User System Environment), a common check-in/boarding platform used by multiple airlines. National authorities and the vendor confirmed the incident as ransomware. In mid-October, the Everest ransomware group publicly claimed responsibility for breaching Collins, linking itself to the September airport disruption.

In brief

  • What happened: Collins Aerospace suffered a cyber incident that affected systems supporting its MUSE passenger processing software, leading to check-in outages and manual fallback at airports including Brussels, Berlin and London Heathrow.
  • Attribution claim: On Oct. 17–18, Everest posted Collins/RTX as a victim on its leak site, asserting a breach and teasing data publication.
  • Impact: Widespread delays/cancellations; Brussels Airport asked airlines to cancel large portions of departures while waiting for a secure update. Online/self-service check-in often remained functional.
  • Official posture: The UK NCSC said it is working with Collins and partners; Collins/RTX issued status updates as restoration proceeded.

Context / history / connections

Timeline highlights (all dates 2025):

  • Sept 19–21: Airports report “technical disruptions” escalating to major queues and cancellations as MUSE is affected.
  • Sept 22: The EU cybersecurity agency acknowledges (as reported by major outlets) that the event was ransomware; authorities coordinate with the vendor and airports.
  • Sept 24: RTX posts a MUSE System Update, confirming a product cybersecurity incident involving ransomware on systems that support MUSE and describing restoration efforts.
  • Oct 17–18: Everest lists Collins/RTX on its leak site and claims the breach; industry press notes the claim while investigations and monitoring continue.

This incident underscores the fragility of shared, third-party operational platforms in aviation: a single software supplier servicing many airlines and airports can become a choke point for real-world operations.

Technical analysis / details of the vulnerability

Where MUSE sits: MUSE is a shared passenger processing platform that lets multiple airlines operate check-in desks and boarding gates on the same hardware and network segments. Because it is multi-tenant by design and often integrated with departure control, baggage, and identity verification flows, availability is critical, and segmentation and least privilege must be rigorously enforced. RTX's update confirms that the ransomware affected systems that support MUSE; it does not state that every deployment model (cloud, on-prem, or hybrid) was affected equally.

Observed failure modes during the incident:

  • Desk terminals running the shared platform were impacted, forcing staff to switch to manual processing.
  • Self-service kiosks and online check-in often remained available, suggesting that the blast radius differed across service tiers and integrations.

Threat actor posture: The Everest group operates a classic double-extortion model (encryption + data theft). Its public claim about Collins indicates either direct intrusion into vendor infrastructure or access via a connected third party. At the time of writing, the claim is public, but forensic and law-enforcement validation is not publicly detailed. Treat the claim as credible but unverified beyond the vendor’s ransomware confirmation.

Practical consequences / risks

  • Operational continuity risk: Centralized airport processes (DCS, CUTE/CUPPS, bag drop, gates) can be simultaneously degraded across multiple hubs if a shared vendor is hit.
  • Safety risk (indirect): While air traffic control/safety systems were not impacted, prolonged manual workarounds increase human-factor risk (misrouted baggage, boarding errors).
  • Data exposure risk: Everest’s claim implies exfiltration; sensitive data (configuration, credentials, PII from passenger flows) could be at risk if present in affected systems. Confirmation is pending from official sources; monitor for disclosures.
  • Sector spillover: Ransomware crews target high-leverage vendors for reputational impact and bargaining power—part of a broader shift tracked by major outlets and agencies.

Operational recommendations / what to do next

For airports and airlines using shared platforms (MUSE or equivalents):

  1. Supplier risk deep-dive: Re-assess vendor SBOMs, backup/restore designs, recovery time objectives, and isolation controls for shared kiosks vs. agent desktops. Require evidence of recent tabletop exercises specifically for ransomware impacting SaaS/on-prem support systems.
  2. Network segmentation & zero trust: Enforce strict segmentation between check-in endpoints, kiosks, baggage sortation, and airline corporate networks. Use per-tenant access policies and just-in-time admin.
  3. Credential hygiene: Rotate credentials (service accounts, API keys, SSO trust) that touch vendor systems; monitor for token replay and anomalous OAuth flows.
  4. Hardening endpoints at the edge: Kiosk/desk images should be immutable, application-whitelisted, and auto-reprovisionable. Disable local admin; broker updates from signed, verified channels only.
  5. Data minimization: Ensure passenger PII cached at the edge is ephemeral; disable unnecessary logs.
  6. Continuity playbooks: Maintain paper/manual check-in SOPs with staff training; pre-stage offline boarding contingencies (e.g., fallbacks for weight & balance, bag reconciliation).
  7. Third-party monitoring: Subscribe to vendor compromise indicators and telemetry channels; integrate them into SIEM/SOAR for automated containment.
  8. Legal & comms alignment: Pre-draft notification language for GDPR/PII exposure and airport-wide passenger communications to reduce confusion and queues.

Differences / comparisons with other cases

Unlike many “single-tenant” ransomware events that confine blast radius to one company, this case targeted a multi-tenant, operational platform whose unavailability immediately affected multiple airports and airlines—a force-multiplier typical of modern supply-chain attacks. Reuters and AP reporting around this incident emphasized the scale of disruption compared to ordinary enterprise outages.

Summary / key takeaways

  • A ransomware incident at Collins Aerospace systems supporting MUSE triggered airport-wide processing disruption across Europe in Sept 2025.
  • Everest has claimed the Collins breach (Oct 2025), linking itself to the September chaos; treat attribution as claimed, not yet officially confirmed.
  • The event demonstrates the outsized risk posed by shared operational platforms and reinforces the need for segmentation, immutable endpoints, and robust continuity playbooks.

Sources / bibliography

  • UK National Cyber Security Centre (NCSC) — statement on the Collins Aerospace incident. (NCSC)
  • RTX (Collins Aerospace) — MUSE System Update (vendor confirmation of ransomware impact on systems supporting MUSE). (RTX)
  • Associated Press — Airport cyberattack disrupts more flights across Europe (impact details and mitigation context). (AP News)
  • Reuters — coverage confirming ransomware context and industry implications. (Reuters)
  • CyberNews — Everest ransomware group claims Collins Aerospace breach (attribution claim and leak-site context). (Cybernews)