Overview
On 24 September 2025, the Everest ransomware group publicly claimed responsibility for the cyberattack on Collins Aerospace, a subsidiary of RTX (Raytheon Technologies). The group has listed Collins Aerospace on its dark web leak site and posted a password-protected message addressed to the company’s CEO, suggesting active extortion efforts.
Everest claims to have exfiltrated over 50 GB of sensitive data, including databases, FTP access lists, and files referencing internal systems. Among the file titles listed is one called “MUSE-INSECURE: Inside Collins Aerospace’s Security Failure,” which appears to reference Collins’ MUSE passenger processing platform – software widely used by airlines and airports across Europe.
The Everest group has directly linked this breach to the airport disruptions that occurred across Europe in September, asserting that the ransomware incident at Collins Aerospace caused the outages experienced at several major airports, including Heathrow.
If verified, this connection represents a major case of supply-chain ransomware impact in the aviation sector, where an upstream software vendor compromise disrupted multiple critical operations downstream.


What Happened?
The Everest ransomware group posted its claim on its public leak blog, which is known for high-profile corporate extortion cases. The listing included:
- A “Collins Aerospace (50GB+) DataBase” archive allegedly containing corporate and operational data.
- An “FTP Access List,” suggesting enumeration of credentials or network mappings.
- A file titled “MUSE-INSECURE: Inside Collins Aerospace’s Security Failure,” implying exploitation of a MUSE software vulnerability.
- A password-protected message addressed to Collins Aerospace’s CEO, signaling direct negotiation or extortion attempts.
Although no actual data samples have been released at this time, Everest has published a countdown timer for disclosure, a typical tactic used to pressure victims into payment.
The group’s narrative connects the breach at Collins to the September airport disruptions across Europe, claiming their compromise of the MUSE platform was responsible for outages affecting passenger check-in and bag-drop systems. While this claim remains unverified, it aligns with earlier reports attributing the disruptions to a Collins Aerospace systems failure.
The mention of “MUSE-INSECURE” suggests that the attackers may have identified and exploited a vulnerability in MUSE, gaining unauthorized access to internal infrastructure and sensitive operational data. If confirmed, this would signify both a data breach and a ransomware-induced service disruption within one of aviation’s most critical technology suppliers.
Why This Matters for Aviation
The Collins Aerospace incident highlights a perfect storm of risks now facing the aviation industry: ransomware, supply-chain compromise, and operational dependency on centralized software vendors.
- Supply-Chain Vulnerability: Collins Aerospace provides passenger processing and airport operations solutions (including MUSE) to major airlines and airports. A ransomware attack at this level can cascade into widespread operational paralysis, as observed in September’s disruptions.
- Data Exfiltration and Extortion: The claim of more than 50 GB of stolen data – including databases and FTP lists – raises concern over the exposure of airport system credentials, airline configurations, and potentially passenger information.
- Software Exploitation Risk: The “MUSE-INSECURE” label indicates the attackers may have leveraged a software flaw within the MUSE system. Such vulnerabilities, if unpatched, could be exploited again by copycat groups or insiders.
- Operational and Safety Implications: Disruption of passenger processing directly affects airport throughput, aircraft turnaround times, and emergency response coordination. In critical infrastructures like aviation, operational downtime can translate into real-world safety risks.
- Reputational and Regulatory Impact: RTX and Collins Aerospace now face scrutiny under EU and U.S. cyber incident disclosure frameworks, as well as potential investigation by EASA and ENISA, given the link to European airport disruptions.
This case underscores how ransomware groups are increasingly targeting aviation technology suppliers – knowing that the operational impact can amplify ransom pressure exponentially.
Recommended Actions
1. Activate Incident Response and Forensic Investigation
Collins Aerospace and affected aviation partners should immediately activate their incident response plans, isolating compromised systems, preserving forensic evidence, and engaging digital forensics experts to determine breach scope and infection pathways.
2. Password Reset and Access Review
Perform an enterprise-wide password reset for internal accounts, service credentials, and FTP access. Conduct a complete access review, revoking unnecessary permissions and enforcing least-privilege principles across environments.
3. Patch MUSE and Related Systems
Conduct an urgent review of the MUSE platform and all associated infrastructure. If a vulnerability has been exploited, release and deploy patches immediately. Run penetration testing to identify further weaknesses that could allow lateral movement or privilege escalation.
4. Enhanced Monitoring and Threat Intelligence
Implement continuous threat monitoring and IOC detection to identify ransomware activity or persistence mechanisms. Aviation SOC teams should subscribe to threat intelligence feeds focused on ransomware TTPs, dark web leaks, and sector-specific vulnerabilities.
5. Communication and Coordination
Coordinate with airline customers, airports, and regulators to maintain transparency and ensure consistent messaging. Clear, factual communication helps mitigate reputational harm and supports sector-wide incident containment.
6. Supply-Chain Resilience Assessment
This event should prompt a cross-industry review of vendor dependency and software resilience. Aviation organizations should evaluate backup vendors, diversification of passenger-processing systems, and failover readiness for future supply-chain disruptions.
In Summary
The Everest ransomware group’s claim against Collins Aerospace marks one of the most consequential cyber incidents in recent aviation history. By linking their attack to the September airport outages, Everest has drawn attention to the fragility of aviation’s digital supply chain and the potential for a single ransomware infection to disrupt operations across multiple countries.
While the authenticity of Everest’s technical claims remains under investigation, the pattern is clear: ransomware groups are escalating their focus from airlines and airports to the core software providers that underpin them. This incident underscores the urgent need for supply-chain risk management, software vulnerability assessment, and rapid cross-sector information sharing within the aviation community.


