1. Executive Summary
In September 2025, Collins Aerospace (a division of RTX Corporation) was targeted in a sophisticated cyberattack attributed to the Everest ransomware group. The incident led to severe disruptions at multiple major European airports, affecting check-in and baggage systems and causing widespread travel delays. This report synthesizes intelligence from leading cybersecurity news outlets, technical analysis, and official statements to provide a comprehensive view of the attack, its impact, and the threat actor ecosystem.
2. Timeline of Events
- September 10, 2025: Everest gains unauthorized access to Collins Aerospace’s vMUSE backend via compromised FTP credentials.
- September 11, 2025: Everest exfiltrates data before access is detected and blocked.
- September 15, 2025: Everest contacts RTX via the vulnerability reporting portal, listing stolen data and ransom terms.
- September 16–18, 2025: Negotiations between Everest and Collins Aerospace break down.
- September 19, 2025: Collins Aerospace reports a “cyber-related disruption” to aviation authorities; major European airports begin experiencing check-in and baggage system outages.
- September 20–22, 2025: Heathrow, Brussels, Berlin, Dublin, and Cork airports confirm disruptions, switch to manual operations, and warn passengers of delays and cancellations.
- September 24, 2025: UK authorities arrest and release a suspect; investigation continues.
- September 29, 2025: Replacement systems are rolled out at affected airports, ending the period of travel disruption.
3. Affected Airports and Impact
Confirmed Impacted Airports: Heathrow, Brussels, Berlin, Dublin, and Cork (as confirmed in the September 20–22 timeline entries above).
Details:
- Automated check-in and baggage systems were disabled, forcing manual operations.
- Delays and cancellations affected thousands of passengers.
- Some airports reported issues for up to a week.
4. Attack Details & Technical Indicators
Attack Vectors
- Initial Access: Everest exploited legacy FTP credentials (aiscustomer, muse-insecure) on ftp.arinc.com, traced to a 2022 RedLine infostealer infection on a Collins Aerospace employee’s device.
- Data Exfiltration: Everest claims theft of:
  - 1,533,900 passenger records (frequent flyer details, travel data, seat numbers, passenger IDs)
  - 3,637 airline employee records (names, usernames, aliases, emails, login status, audit metadata)
  - 50GB+ of network, user, and application topology files (workstation naming, device IDs, application stack fingerprints, audit logs, network segmentation, operational airline codes)
- Infrastructure: FTP server (ftp.arinc.com) was the primary exfiltration point; credentials were never rotated after the 2022 infection.
MITRE ATT&CK Mapping
- Initial Access (TA0001): Spearphishing Attachment (T1566.001) – legacy credential compromise via infostealer.
- Execution (TA0002): User Execution (T1204) – malware requiring user interaction.
Dual Incident Dynamics
- Everest: Conducted data exfiltration, did not deploy ransomware, acted as initial access broker.
- Separate Ransomware Group: Deployed ransomware on Collins Aerospace’s MUSE system, causing operational shutdowns and airport disruptions.
5. Threat Actor Profile: Everest Ransomware Group
Overview
Everest is a Russian‑speaking cybercriminal operation active since late 2020. It began as a double‑extortion ransomware crew and increasingly operates as an Initial Access Broker (IAB), selling footholds into victim networks alongside classic encrypt‑and‑extort activity. Targeting spans healthcare, government, manufacturing, technology, finance, and retail across North America, Europe, and Asia.
Affiliations and Ecosystem
Affiliations (evidence‑based):
- Public reporting shows Everest courting insiders for paid access and advertising network access on its dark‑web/Telegram channels—behavior typical of IABs.
- Multiple sources describe IAB activity by Everest since 2021–2023 (selling VPN/RDP access, etc.).
What is not confirmed:
- No confirmed operational tie to Warlock/Storm‑2603. Those are tracked as separate actors. Overlap in victim types or tactics with LockBit/Black Basta reflects the broader affiliate ecosystem rather than a proven partnership.
Operational model:
- Hybrid monetization: direct extortion, data theft for sale, and brokering of network access. Everest flexes between these modes based on opportunity and risk.
Tactics, Techniques, and Procedures (TTPs)
Initial Access
- Valid/weak credentials and exposure of external remote services (RDP/VPN).
- Phishing with infostealers (e.g., RedLine) to harvest credentials; occasional insider purchase offers.
Post‑compromise
- Use of common red‑team/C2 tooling (e.g., Cobalt Strike, Meterpreter).
- Lateral movement, privilege escalation, staging with archivers (e.g., WinRAR) prior to exfiltration.
Exfiltration & Monetization
- Bulk data theft via standard protocols and file‑transfer tooling (FTP/SFTP/HTTP).
- When advantageous, sells access on broker channels instead of deploying ransomware.
Extortion
- Data‑leak‑site (DLS) postings, strict deadlines, and threats to leak.
- Known to apply negotiation pressure with limited or delayed proof, depending on leverage.
Notable Incidents (claims vs. confirmation)
- Collins Aerospace / RTX (Sept 2025): Airport check‑in disruptions widely reported. Everest later claimed responsibility. Treat as claim‑based attribution pending artefacts that directly link Everest beyond statements.
- BMW (Sept 2025): Everest claimed data theft (e.g., audit files). No public, company‑side confirmation of Everest attribution; treat as claim.
- Allegis Group (Sept 2025): Everest listed the company on its DLS; treat as claim pending validation.
- Healthcare (2024–2025): U.S. healthcare sector advisories highlight Everest activity; multiple providers appear on listings/leak claims.
Correction: Colonial Pipeline (May 2021) was DarkSide, not Everest. Do not include it under Everest’s victim history.
Motivation and Goals
- Primary: Financial gain via extortion, data theft, and sale of network access.
- Secondary: Opportunistic pursuit of high‑profile brands for leverage and reputation; no assessed ideological motive.
Sophistication and Risk
Tradecraft
- Effective credential operations; living‑off‑the‑land plus commodity C2; stealthy staging/exfil.
- Ability to pivot between encrypt‑and‑extort and IAB resale to maximize ROI and reduce exposure.
Risk to Organizations
- High for critical infrastructure, aviation/defense supply chains, and healthcare due to potential operational impact, PII/PHI exposure, and regulatory penalties.
6. Official and Law Enforcement Response
- RTX Corporation: Publicly acknowledged a “cyber-related disruption” affecting airport check-in systems.
- ENISA (EU Cybersecurity Agency): Confirmed ransomware as the cause of the automated check-in system outages.
- UK National Cyber Security Centre (NCSC): Identified the malware strain and attacker group, suspecting ransomware affiliates.
- UK Authorities: Arrested and released a suspect; investigation ongoing.
7. Supply Chain & Business Impact
- Operational Impact: Major disruptions at five European airports, affecting thousands of flights and passengers.
- Supply Chain Risk: Attack highlights vulnerabilities in aviation infrastructure and the interconnectedness of critical systems.
- Sector Vulnerability: Aviation and defense sectors are prime targets due to sensitive data, operational dependencies, and supply chain complexity.
8. Recommendations
- Credential Hygiene: Regularly audit and rotate credentials, especially for legacy systems and critical infrastructure.
- Incident Response: Rapid containment and forensic analysis of compromised infrastructure (e.g., FTP servers).
- Threat Intelligence Sharing: Collaborate with authorities (ENISA, NCSC) for attribution and mitigation.
- Monitor RaaS Ecosystems: Track ransomware groups and affiliates to anticipate future attacks.
- Network Segmentation: Limit lateral movement and exposure of critical systems.
- Supply Chain Visibility: Enhance monitoring and risk assessment across all vendors and partners.
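As an added example (not part of this report and not any vendor's tooling), the following Python script applies the credential-hygiene and FTP-monitoring points of sections 4 and 8 to a handful of constructed xferlog-style FTP transfer records: it flags per-account outbound volume above a daily threshold and any account seen in the log whose last password rotation exceeds a policy age. The account names reuse those cited in section 4; the hosts, paths, sizes, dates, rotation inventory and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed log lines in the wu-ftpd/vsftpd xferlog layout (account names from
# section 4 of the report; hosts, paths, sizes and times are invented):
# <date/time, 5 fields> <secs> <host> <bytes> <path> <type> <flag> <dir> <mode> <user> ...
SAMPLE_XFERLOG = """\
Wed Sep 10 02:14:07 2025 3 198.51.100.7 52428800 /muse/topology/net_segments.zip b _ o r aiscustomer ftp 0 * c
Wed Sep 10 02:15:40 2025 9 198.51.100.7 1073741824 /muse/export/pax_records.csv b _ o r aiscustomer ftp 0 * c
Wed Sep 10 02:20:02 2025 1 198.51.100.7 204800 /muse/export/staff.csv b _ o r aiscustomer ftp 0 * c
Wed Sep 10 09:00:11 2025 0 192.0.2.55 4096 /muse/config/readme.txt b _ o r muse-insecure ftp 0 * c
Wed Sep 10 09:30:00 2025 2 192.0.2.9 8192 /muse/upload/report.pdf b _ i r airlineops ftp 0 * c
"""
# Constructed credential inventory: account -> date the password was last rotated.
LAST_ROTATED = {"aiscustomer": "2021-06-01", "muse-insecure": "2020-11-15", "airlineops": "2025-08-01"}
OUTBOUND_BYTES_THRESHOLD = 500 * 1024 * 1024  # assumed: 500 MiB per account per day
MAX_CREDENTIAL_AGE_DAYS = 365                   # assumed rotation policy

def parse_xferlog(text):
    """Yield (timestamp, remote_host, nbytes, path, direction, user) per complete record."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue  # truncated or malformed record: skip rather than crash
        ts = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        yield ts, f[6], int(f[7]), f[8], f[11], f[13]

def bulk_outbound_by_user(records, threshold=OUTBOUND_BYTES_THRESHOLD):
    """Sum bytes sent to clients (direction 'o') per account per day; return those at or over threshold."""
    totals = defaultdict(int)
    for ts, _host, nbytes, _path, direction, user in records:
        if direction == "o":
            totals[(user, ts.date().isoformat())] += nbytes
    return {key: total for key, total in totals.items() if total >= threshold}

def stale_accounts_seen(records, last_rotated, now, max_age_days=MAX_CREDENTIAL_AGE_DAYS):
    """Accounts active in the log whose password age exceeds policy (unknown accounts count as stale)."""
    stale = {}
    for user in {r[5] for r in records}:
        rotated = datetime.strptime(last_rotated.get(user, "1970-01-01"), "%Y-%m-%d")
        age = (now - rotated).days
        if age > max_age_days:
            stale[user] = age
    return stale

def review(log_text=SAMPLE_XFERLOG, last_rotated=LAST_ROTATED, now=datetime(2025, 9, 11)):
    """Run both checks over one log; returns the offending accounts for each check."""
    records = list(parse_xferlog(log_text))
    return {"bulk_outbound": bulk_outbound_by_user(records),
            "stale_accounts": stale_accounts_seen(records, last_rotated, now)}
```

On the constructed input, `review()` reports the aiscustomer account for roughly 1 GiB of outbound transfer in one day and both legacy accounts for credentials rotated years before the policy limit.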
9. Source List
- CyberNews
- Cyber Daily
- http://InfoStealers.com
- SC Media
- Security Affairs
- BBC News
- (via CyberNews)
- ENISA, RTX Corporation SEC filings, UK NCSC statements
10. Key Takeaways
- Everest ransomware group credibly attributed to the data exfiltration attack on Collins Aerospace, leveraging compromised FTP credentials from a prior infostealer infection.
- Major European airports (Heathrow, Brussels, Berlin, Dublin, Cork) suffered significant operational disruptions, confirmed by multiple aviation authorities and cybersecurity agencies.
- Dual attack scenario: Everest exfiltrated data, while a separate group deployed ransomware, causing system shutdowns.
- Threat actor ecosystem: Everest is part of a complex, global ransomware-as-a-service network with ties to multiple high-profile groups.
- Business impact: The incident demonstrates the risks posed by legacy credential exposure and the interconnectedness of critical infrastructure systems.