NCA Arrests HardBit Ransomware Suspect in Airport Attack

Summary
– A man in his forties was arrested in West Sussex on suspicion of Computer Misuse Act offences in connection with a ransomware attack causing European flight delays.
– The cyber-attack targeted US firm Collins Aerospace’s ARINC vMUSE software, which is used by airlines for airport check-in and boarding operations.
– The incident has forced airlines to resort to manual, pen-and-paper processes, leading to significant and ongoing flight cancellations and delays.
– Recovery efforts have been problematic, with systems reportedly being repeatedly reinfected, which a security expert attributes to extremely poor security hygiene.
– As of Thursday morning, flight delay times were beginning to decrease at some major airports like Heathrow and Berlin, though they worsened in Brussels.
A significant arrest has been made in connection with a ransomware incident that has severely disrupted air travel across Europe. British investigators from the National Crime Agency (NCA) apprehended a suspect believed to be involved in the attack, which targeted critical airport systems and led to widespread flight cancellations and delays. This development marks a critical step in the ongoing investigation into the cyberattack that has impacted major airports for several days.
The NCA confirmed the arrest in a public statement, noting that officers took a man in his forties into custody in West Sussex. The individual was questioned on suspicion of offenses under the Computer Misuse Act before being released on conditional bail. Paul Foster, the deputy director leading the NCA’s National Cyber Crime Unit, emphasized the seriousness with which the agency views such threats. He described cybercrime as a persistent global issue that causes substantial disruption, affirming the NCA’s commitment to working with partners to protect the public.
Security analysts have since connected the disruptive attack on US technology firm Collins Aerospace to the HardBit ransomware group. Cybersecurity expert Kevin Beaumont reported that the variant involved appears to be remarkably basic, lacking even a dedicated portal for negotiations. The problems began on the evening of September 19th, when airports started experiencing technical failures. These issues were traced back to the ARINC vMUSE software, a platform developed by Collins Aerospace that enables multiple airlines to share check-in and boarding gate resources.
Collins Aerospace, a subsidiary of the defense giant RTX, confirmed in an SEC filing that ransomware had infected systems supporting the MUSE platform. The company clarified that these airport systems operate on separate customer networks, not within the corporate RTX environment. Upon discovering the breach, the firm activated its incident response plan, initiating steps to assess, contain, and remediate the situation.
However, the recovery process has encountered significant obstacles. According to Beaumont, remediation efforts have been repeatedly thwarted by reinfections, suggesting profound security shortcomings. He characterized the attack not as a sophisticated operation but as the result of extremely poor security practices, noting that basic, freely available antivirus tools could detect the malicious payloads. The ongoing technical challenges have forced airlines to resort to manual, pen-and-paper procedures for passenger check-in and boarding, leading to continued operational delays.
As of Thursday morning, the situation showed some signs of improvement, though delays persisted. At Heathrow Airport, 56 percent of departures were late, with an average delay of 17 minutes. Berlin Brandenburg Airport reported 72 percent of flights departing behind schedule, averaging 28 minutes late. Conversely, Brussels Airport saw conditions worsen, with 80 percent of morning flights delayed by an average of 26 minutes. Collins Aerospace has stated that its investigation, supported by internal and external cybersecurity professionals, remains active, and law enforcement agencies have been notified.
(Source: Info Security)
