The National Crime Agency (NCA) has made a significant arrest in connection with a ransomware attack that’s been wreaking havoc on airports across Europe. Following an investigation, the NCA arrested a man in his forties in West Sussex on suspicion of computer misuse offenses. This individual is linked to the cyberattack on Collins Aerospace’s Multi-User System Environment (MUSE) passenger processing software. The NCA confirmed the arrest was a positive step, but emphasized that the investigation is still in its early stages. Although he has since been released on conditional bail, the inquiry remains ongoing.
The attack, which was first detected on Friday, September 19, has caused a wave of flight cancellations and delays. Airports affected by the technical difficulties include major hubs like London’s Heathrow, Brussels Airport, and Dublin Airport, among many others. RTX Corporation, the parent company of Collins Aerospace, confirmed that the ransomware attack on its MUSE software was indeed behind the widespread disruptions. In a filing with the SEC, RTX explained that the MUSE systems operate on customer-specific networks, separate from the company’s own enterprise network.
Upon detecting the incident, RTX immediately activated its incident response plan to assess and contain the situation. The company is actively investigating the attack with the help of internal and external cybersecurity experts and has notified both domestic and international law enforcement. RTX is also providing technical support to the affected airlines and airports. Customers have shifted to using backup or manual processes to keep things moving, though flight delays and cancellations have still occurred as a result.
The specific ransomware used in the attack is disputed among cybersecurity experts. Some sources, such as cybersecurity expert Kevin Beaumont, say the attackers used a simple ransomware variant called Hardbit; others have pointed to Loki ransomware. Neither variant is typically used in such large-scale attacks, but both are Ransomware-as-a-Service (RaaS) programs, which means they can be used by any affiliate. The use of either variant in an attack with such a widespread impact is highly unusual.
The NCA’s arrest marks a crucial development in this case, but as authorities have noted, the investigation is far from over. With an arrest made and multiple law enforcement agencies involved, there is hope that more information about the attack’s origins and the full extent of its impact will soon come to light.



