UK Arrests Suspect in RTX Ransomware Attack That Disrupted Airports

Summary
– The UK’s National Crime Agency arrested a man in his forties in West Sussex on suspicion of Computer Misuse Act offences linked to a ransomware attack.
– The cyberattack targeted Collins Aerospace’s MUSE passenger processing software, which is used by multiple airlines for check-in and gate operations at airports.
– RTX Corporation, the owner of Collins Aerospace, confirmed the attack is causing flight cancellations and delays at major European airports, including Heathrow and Brussels.
– The company detected the incident on September 19, activated its response plan, and is working with cybersecurity experts and law enforcement to investigate and remediate the issue.
– Cybersecurity sources suggest the attack involved basic ransomware variants such as Hardbit or Loki, which do not usually cause such widespread disruption.

A significant ransomware attack targeting Collins Aerospace’s Multi-User System Environment (MUSE) software has led to widespread flight disruptions across European airports, prompting an arrest by UK authorities. The incident highlights the critical vulnerabilities within essential aviation infrastructure.
The UK’s National Crime Agency (NCA) confirmed the arrest of a man in his forties in West Sussex on suspicion of offenses under the Computer Misuse Act. This development follows an intensive investigation into the cyberattack that crippled a key passenger processing platform used by numerous airlines. Officers from the NCA, with support from the South East Regional Organised Crime Unit (ROCU), carried out the operation. Paul Foster, who leads the NCA’s National Cyber Crime Unit, described the arrest as a positive step but emphasized that the investigation is still in its early phases. The suspect has been released on conditional bail while inquiries continue.
RTX Corporation, the parent company of Collins Aerospace, officially acknowledged the MUSE ransomware attack in a filing with the U.S. Securities and Exchange Commission. The company clarified that the MUSE software operates on customer-specific networks, separate from the main RTX enterprise network. This system is vital for airport operations, allowing multiple airlines to share check-in counters, boarding gates, and baggage handling resources. The attack was first detected last Friday, immediately triggering reports of flight delays that escalated into cancellations at major hubs.
Airports experiencing significant technical difficulties and travel chaos include London Heathrow, Brussels Airport, Cork and Dublin airports in Ireland, and Berlin Brandenburg Airport, among others. In response to the incident, RTX activated its comprehensive incident response plan. The company is working with internal and external cybersecurity experts to investigate the breach and has notified law enforcement agencies in multiple countries. Affected airlines and airports have been provided with technical support and have shifted to backup or manual processing systems to mitigate the impact.
While RTX has not disclosed specific details about the ransomware used, cybersecurity analyst Kevin Beaumont suggested the attackers deployed an “incredibly basic” variant known as Hardbit. However, conflicting reports from other sources indicate the involvement of Loki ransomware. Both Hardbit and Loki are Ransomware-as-a-Service (RaaS) programs, meaning affiliates can rent them to carry out attacks. It is unusual for these particular variants to cause such widespread disruption, as they are typically associated with smaller-scale incidents. The ongoing investigation aims to clarify the exact methods and tools used in this sophisticated attack on global air travel.
(Source: Bleeping Computer)