Everest, the ransomware group responsible for disrupting air travel throughout Europe in September, says it will begin publishing data stolen in the attack within 48 hours.
Weeks after airports in the UK and Europe were forced to resort to manual pen-and-paper processes to manage boarding and check-ins following a disruptive cyber attack, a well-known ransomware actor has claimed to be behind the incident.
The Everest ransomware gang claimed responsibility for the cyber attack in an October 17 listing on its darknet leak site, and is planning to release several tranches of data allegedly exfiltrated during the incident.
One drop of data, to appear under the heading “MUSE-INSECURE: Inside Collins Aerospace's Security Failure”, will be released within 48 hours of publication, alongside another dataset that the hackers claim is an “FTP Access List”.
Everest is planning another drop of data within eight days, consisting of what it says is a “Collins Aerospace DataBase Download”. The leak post also has another section titled “News for CEO”, though this is hidden behind a password, one which the threat actor has presumably supplied to RTX and/or Collins Aerospace.
The ransomware actor has not listed any ransom demand.
At the time of the initial attack, which took place on the evening of September 19, RTX – the owner of Collins Aerospace – said it was aware of a “cyber-related disruption” affecting the company’s software at several European airports, with Heathrow Airport, Dublin Airport, Berlin Airport, and Brussels Airport all reporting some level of disruption.
Days later, airports were still attempting to recover from the disruption, warning passengers of delays and cancellations.
“Work continues to resolve and recover from an outage of a Collins Aerospace airline system that impacted check-in,” Heathrow Airport said in a 22 September passenger notice on its website.
“We apologise to those who have faced delays, but by working together with airlines, the vast majority of flights have continued to operate.”
While the airports have now recovered from that initial disruption, it remains to be seen what impact, if any, further releases of data may have.
Professor of Practice Nigel Phair, of Monash University’s department of software systems and cyber security, said at the time that Australian airports should take note.
“The flight delays arising from the outage at Heathrow and other European airports for the electronic check-in and baggage drop show how technically interconnected flying is,” Phair said.
“It highlights the importance of third-party systems connecting airlines, airports and the IT integrators that keep operations running.
“While this hasn’t yet impacted any Australian airports, it demonstrates the need for Australian airlines to redouble their cyber security controls, especially after the recent Qantas data breach.”
The Everest ransomware group is a Russian-linked operation first observed in 2020. While it began as a data-theft-only extortion operation, it soon migrated to ransomware and encryption. It has claimed a total of 267 victims, including several high-profile international companies such as recent victims Mailchimp and BMW.
Collins Aerospace is one of three companies owned by RTX, alongside defence contractors Pratt & Whitney and Raytheon.
Cyber Daily has reached out to RTX for comment on the hackers’ claims.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.