Aerospace and defense giant RTX (formerly Raytheon Technologies) has officially confirmed that airport services have been disrupted as a result of a ransomware attack.
The company said in an SEC filing that it became aware of the cybersecurity incident on September 19. The disclosure does not mention Collins Aerospace, the subsidiary that offers the impacted airport check-in and boarding solutions.
RTX confirmed that customers have resorted to backup and manual processes, which has led to flights being delayed and cancelled.
The company explained that ransomware was found on “systems that support its Multi-User System Environment (MUSE) passenger processing software,” adding, “This software enables multiple airlines to share check-in and gate resources at airports, including baggage handling. The MUSE airport systems operate outside of the RTX enterprise network, residing on customer-specific networks.”
It’s worth noting that major companies rarely confirm being targeted in a ransomware attack; their SEC filings typically describe a more generic “cyber incident”.
RTX has not mentioned anything about personal or other types of data being stolen in the attack.
The company says its investigation into the incident and its impact is ongoing, but does not expect it to have a material impact on its financial condition and operations.
On the other hand, it appears that impacted European airports are still experiencing delays due to the incident. It has been reported that the vendor has been having difficulties removing the ransomware from its systems, which have become reinfected following cleanup attempts.
Two cybersecurity experts, Kevin Beaumont and Dominic Alvieri, have independently confirmed that the attack involved an obscure piece of ransomware called HardBit.
HardBit emerged in October 2022. Cybercriminals are using the ransomware to encrypt files on compromised systems and they claim to steal data from victims, but the operation does not appear to have a website where victims are named and data is leaked.
It’s still unclear exactly who is behind the attack on Collins Aerospace. The HardBit ransomware is offered under an affiliate program and anyone could have used it to target the company.
A 40-year-old man was arrested in the UK this week as part of an investigation into the incident, but he has been released on bail and authorities have not shared any information on his identity or potential affiliation.
