The Everest ransomware group has claimed responsibility for the September cyberattack on Collins Aerospace, a division of Raytheon Technologies Corporation (RTX), which triggered widespread disruptions at major European airports last month. The group alleges it exfiltrated over 50GB of sensitive data from the company’s systems and has issued an eight-day ransom deadline, though it has yet to provide any verifiable proof of its claims.
The attack, codenamed “MUSE-INSECURE,” reportedly targeted Collins Aerospace’s MUSE check-in software — a platform critical to airline passenger processing across multiple airports in Europe. On its dark web leak site, Everest posted five sections referencing the breach, including supposed FTP access lists and a message addressed directly to the company’s CEO. The group reset its ransom countdown on October 18, suggesting potential negotiations between Collins Aerospace and the attackers.
“Only manual check-in and boarding are possible. This has a large impact on the flight schedule and will, unfortunately, cause delays and cancellations of flights.” — Brussels Airport Statement
Cyberattack Triggered Major Airport Disruptions Across Europe
The incident began on September 19, when Collins Aerospace reported “technical issues” in its ARINC cMUSE system, which manages airline check-ins and baggage handling at dozens of airports. RTX later confirmed it was investigating a “cyber-related disruption” that primarily affected electronic passenger processing.
The outage forced airports across Europe — including Heathrow, Brussels, Berlin, Dublin, and Cork — to revert to manual operations for days, causing severe travel disruptions. ENISA, the European Union Agency for Cybersecurity, later confirmed ransomware was behind the attack.
According to early reports, approximately 1,000 computers were corrupted during the breach, all requiring in-person restoration. The attack exposed the aviation sector’s vulnerability to ransomware campaigns that target operational technology and critical infrastructure.
Everest’s Growing Track Record in High-Profile Attacks
Formed in 2021, the Everest ransomware group has grown into a prolific cybercrime collective, claiming more than 248 victims since 2023. Its recent attacks include alleged breaches at BMW, Allegis Group, Coca-Cola’s Middle East division, and multiple government and banking entities across the Middle East.
Everest gained early notoriety after its 2022 attack on AT&T, where it claimed access to the company’s internal network. The group has since evolved its tactics, focusing on extortion through data theft rather than file encryption. Analysts also suspect that Everest maintains connections to the BlackByte ransomware syndicate, known for targeting enterprise and critical infrastructure sectors.
While the authenticity of Everest’s claims is often questioned because the group fails to post stolen samples, cybersecurity experts warn that its persistent targeting of large corporations and its willingness to exploit aviation and defense supply chains elevate the risk to both commercial and military systems.
The Aviation Industry’s Ransomware Problem
The Collins Aerospace incident underscores a broader trend: ransomware groups are increasingly focusing on the aviation and defense sectors, exploiting the operational dependency on interconnected systems and legacy infrastructure.
Recent victims include Jamco Aerospace (Play group), Stark Aerospace (INC Ransom), and Boeing, which confirmed operational disruption following a LockBit attack in late 2023. Airlines such as WestJet, Qantas, and Alaska Airlines have also been targeted in the past year.
Experts say attacks on aviation suppliers and infrastructure not only threaten passenger safety and service continuity but also expose national-security risks due to the sensitive nature of the data stored on these systems.
As for Collins Aerospace, the company has yet to confirm any ransom negotiations or data exposure, but its network disruption and Everest’s public claim highlight the critical importance of resilient supply-chain cybersecurity across the aviation ecosystem.