The European Union’s ENISA cyber security agency and the UK’s National Cyber Security Centre (NCSC) are among those activating resources after a ransomware attack on the systems of Collins Aerospace – a supplier of business and commercial aviation services – caused flight cancellations and delays across Europe.
Neither North Carolina-headquartered Collins nor its parent organisation, RTX – which also operates aerospace and defence organisations Pratt and Whitney and Raytheon – have disclosed any further information beyond the fact that they are responding to a cyber incident.
Nevertheless it is understood that the attack was first detected late on Friday 19 September and spilled over into Saturday. It caused disruption at airports including Heathrow, Berlin Brandenburg, Brussels and Dublin as staff fell back on manual procedures.
The core system impacted was Collins’ ARINC Multi-User System Environment (Muse) software platform, which runs services such as electronic check-in and baggage management, and is designed to enable airlines to share staff and passenger-facing resources such as check-in desks and automated kiosks, reducing complexity and expense.
ENISA confirmed that the disruption was caused by ransomware earlier on Monday 22 September.
In a statement circulated to media, a spokesperson said: “ENISA is aware of the ongoing disruption of airports’ operations, which were caused by third-party ransomware incident. At this moment, ENISA cannot share further information regarding the cyber attack.”
A spokesperson for the NCSC said: “We are working with Collins Aerospace and affected UK airports, alongside Department for Transport and law enforcement colleagues, to fully understand the impact of an incident.
“All organisations are urged to make use of the NCSC’s free guidance, services and tools to help reduce the chances of a cyber attack and bolster their resilience in the face of online threats.”
In a statement issued on Monday, a Heathrow spokesperson said: “Work continues to resolve and recover from an outage of a Collins Aerospace airline system that impacted check-in. We apologise to those who have faced delays, but by working together with airlines, the vast majority of flights have continued to operate.
“We encourage passengers to check the status of their flight before travelling to Heathrow and to arrive no earlier than three hours for long-haul flights and two hours for short-haul.”
Attackers’ identity unconfirmed
The exact cause of the cyber attack, and the identity of the threat actor[s] responsible, remains unknown as of the time of writing. Despite indications earlier in the year that the Scattered Spider hacking collective was targeting organisations operating in the aviation sector, no link to the group has been established.
ESET global cyber security advisor, Jake Moore, said: “When the supply chain is attacked in the aviation industry, the disruption hits on a damaging global scale. Since the outage stems from a third-party provider for check-in and boarding systems, it shows how a single point of failure can ripple quickly across multiple countries causing widespread problems.
“Like any industry, airports and airlines must ensure they can fall back on manual or alternative systems smoothly but this is made more difficult with such a preciously managed environment.
“Regulators need to tighten standards even more for critical aviation IT suppliers but whether this was a deliberate disruption attack, a financially motivated ransom or a major technical failure, the impact demonstrates how fragile such systems can be in a digitally focused world,” he added.
