European Airport Disruptions Caused by Ransomware Attack

Collins Aerospace is reportedly having difficulties recovering from the ransomware attack.

The cybersecurity incident impacting Collins Aerospace, which led to disruptions at several major airports across Europe, was the result of a ransomware attack, according to the EU cybersecurity agency ENISA. 

ENISA said the type of ransomware involved in the attack has been identified and law enforcement is conducting an investigation, but the agency did not share further information.

The cyberattack hit services provided by US-based Collins Aerospace, which is owned by RTX (formerly Raytheon). Collins Aerospace is one of the world’s largest suppliers of aerospace and defense solutions. The company was recently awarded a NATO contract for electromagnetic warfare solutions. 

Collins technology is used at airports to enable passengers to check in, print boarding passes and luggage tags, and dispatch their bags. The cyberattack has impacted check-in and boarding systems at major airports, forcing them to turn to manual processes. This resulted in delays and flights being cancelled.  

The incident has impacted airports in the UK, Germany, Belgium, and Ireland, including London’s Heathrow, Brussels Airport, and Berlin Brandenburg.

While Heathrow said a vast majority of its flights continued to operate and delays were not significant, Brussels Airport experienced substantial disruptions, reportedly asking airlines to cancel nearly 140 flights on Monday.

The UK’s National Cyber Security Centre issued a statement over the weekend to inform the public that it’s working with the country’s Department of Transport to investigate the incident.

An internal memo from London’s Heathrow airport, obtained by the BBC, revealed that over a thousand computers may have been corrupted and remote restoration is not possible. In addition, according to the memo, Collins found that the hackers had still been inside its network after it rebuilt and relaunched systems. 

Cybersecurity expert Kevin Beaumont has been monitoring the incident and believes the attack hit ARINC communications and information processing services, specifically SelfServ vMUSE systems. 

The researcher pointed out that dozens of ARINC-related systems appear to be exposed to the internet, and some of them seem to be lacking important security mechanisms. 

Beaumont also noted that the incident led to users of the ARINC system at airports being unable to log into their accounts. 

Collins previously said it was in the final stages of completing the software updates required to bring systems back online, but it’s unclear if that was before or after it discovered that hackers had still been inside its systems.

It’s unclear who is behind the attack, but DataBreaches suggested there is a possibility that it may be connected to the ShinyHunters cybercrime group, whose partner, the Scattered Spider gang, is known to have targeted the aviation industry.

Scattered Spider and ShinyHunters announced their retirement recently, but the industry is skeptical of their claims and evidence suggests that they continue carrying out attacks. 

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
