
In a significant escalation of the fight against critical infrastructure cyberattacks, the UK's National Crime Agency (NCA) has arrested a suspect linked to the ransomware assault that crippled passenger processing systems at major European airports last week. The attack targeted Collins Aerospace's Multi-User System Environment (MUSE) software, a linchpin for shared check-in, gate management, and baggage handling operations across multiple airlines.

The NCA confirmed the arrest of a man in his forties in West Sussex, stating he was detained "on suspicion of Computer Misuse Act offences" following a collaborative investigation involving the South East Regional Organised Crime Unit (ROCU).



"Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing," emphasized Paul Foster, Head of the NCA’s National Cyber Crime Unit. The suspect has been released on conditional bail pending further inquiries.

The ransomware attack, detected on September 19th, caused immediate and widespread disruption. Airports including London Heathrow, Brussels Airport, Dublin, Cork, and Berlin Brandenburg reported significant technical difficulties, leading to cascading flight delays and cancellations. The MUSE platform, owned by RTX Corporation (formerly Raytheon Technologies), operates on customer-specific networks separate from RTX’s core enterprise systems, highlighting a supply chain vulnerability.

RTX, in an SEC filing, detailed its response: "Upon detecting the incident, the Company activated its incident response plan and promptly took steps to assess, contain, respond to, and remediate the incident." The $80 billion aerospace and defense giant is working with internal and external cybersecurity experts and has notified international law enforcement. Affected airlines and airports were forced to shift to back-up or manual processes, significantly hampering operations.

Why This Attack Resonates Beyond Aviation

This incident underscores several critical trends in cybercrime:
1. Targeting Operational Technology (OT): Attackers increasingly focus on software controlling physical operations, like MUSE, where disruption causes immediate, visible chaos and economic damage.
2. Supply Chain Leverage: Compromising a single vendor (Collins Aerospace) impacted multiple airlines and airports simultaneously, demonstrating the cascading risks inherent in shared infrastructure.
3. High-Impact Ransomware: The rapid operational paralysis illustrates how ransomware has evolved beyond data encryption to become a tool for disrupting essential services.

While the arrest marks progress, the ongoing investigation signifies the complexity of attributing and prosecuting cybercrimes impacting global infrastructure. The incident serves as a stark reminder for organizations reliant on third-party operational software: robust segmentation, air-gapped backups, and manual failover procedures aren't just best practices—they're essential for resilience when critical systems are weaponized. The skies may be clearing, but the security lessons from this grounded chaos will resonate long after the last flight delay is resolved.

Source: BleepingComputer (https://www.bleepingcomputer.com/news/security/uk-arrests-suspect-for-rtx-ransomware-attack-causing-airport-disruptions/)