Russia-Linked Hackers Claim Responsibility for Collins Aerospace Hack: A Deep Dive

Estimated reading time: 10 minutes

Key Takeaways:

  • Everest ransomware group claims responsibility for hacking Collins Aerospace, an RTX subsidiary.
  • The attack caused disruptions to air travel throughout Europe, affecting several major airports.
  • This incident highlights the importance of supply-chain risk monitoring and proactive cyber threat intelligence.
  • Organizations must enhance their incident response planning and employee training to mitigate cyber risks.
  • PurpleOps offers specialized services, including cyber threat intelligence and supply chain information security, to protect against such threats.

Table of Contents:

The cybersecurity landscape is constantly in flux. Recent reports indicate a significant breach affecting a major player in the aerospace industry. Everest, a Russia-linked ransomware group, has claimed responsibility for hacking Collins Aerospace, an RTX (formerly Raytheon Technologies) subsidiary, after disruptions to air travel throughout Europe in September. This post analyzes the details of the attack, its potential impact, and the broader implications for cybersecurity, including threat intelligence and supply-chain risk monitoring.

Everest Claims Responsibility for Collins Aerospace Hack

On October 17, 2025, the Everest ransomware group announced on its darknet leak site that it was responsible for the cyberattack on Collins Aerospace. The group threatened to release data allegedly exfiltrated during the incident. This marks another high-profile attack claimed by Everest, which has previously targeted companies such as Mailchimp and BMW. This incident underscores the need for comprehensive cyber threat intelligence platform solutions that can provide proactive alerts and insights into emerging threats.

Details of the Attack and Data Release Schedule

Everest stated it would release data stolen in the attack, with the initial release planned within 48 hours of their announcement. This first data dump was to be under the heading “MUSE-INSECURE: Inside Collins Aerospace’s Security Failure” and would include an “FTP Access List.” Another data release was planned for eight days later, purportedly containing a “Collins Aerospace DataBase Download.” The group also posted a section titled “News for CEO,” which was password-protected and presumably intended for RTX and/or Collins Aerospace. The ransomware actor has not listed any ransom demand.

Impact on European Airports

The initial attack took place on the evening of September 19, causing what RTX described as a “cyber-related disruption” affecting the company’s software at several European airports. Heathrow Airport, Dublin Airport, Berlin Airport, and Brussels Airport all reported some level of disruption. These disruptions forced airports to revert to manual processes for managing boarding and check-ins, causing delays and cancellations for passengers. Heathrow Airport confirmed the disruptions on its website on September 22, acknowledging an outage of a Collins Aerospace airline system that impacted check-in processes.

Implications for Australian Airports

The Collins Aerospace hack serves as a reminder of the interconnectedness of global air travel and the importance of cybersecurity for critical infrastructure. Nigel Phair, a professor at Monash University, noted that the incident at Heathrow and other European airports highlighted the importance of third-party systems connecting airlines, airports, and IT integrators. He urged Australian airlines to strengthen their cyber security controls, especially after the recent Qantas data breach. This underscores the need for Australian organizations to implement supply-chain risk monitoring programs to assess and mitigate risks associated with third-party vendors.

Everest Ransomware Group: Background and Tactics

The Everest ransomware group is a Russia-linked operation that emerged in 2020. Initially, it focused on data theft and extortion. Over time, it evolved to incorporate ransomware and encryption into its attacks. As of October 2025, Everest had claimed 267 victims, including several high-profile international companies. The group’s tactics include targeting sensitive data, encrypting systems, and demanding ransom payments for data decryption and non-disclosure. Staying abreast of the latest tactics, techniques, and procedures (TTPs) used by groups like Everest is a critical component of cyber threat intelligence.

Collins Aerospace and RTX Response

RTX, the owner of Collins Aerospace, stated it was aware of the “cyber-related disruption” and was working to resolve the issue. Cyber Daily has reached out to RTX for comment on the hackers’ claims. As of the time of the report, RTX has not publicly confirmed the full extent of the attack or the specific data that was compromised. The incident underscores the importance of proactive breach detection and incident response planning.

The Prosper Data Breach: Another Incident Involving Millions

In related news, peer-to-peer lending marketplace Prosper disclosed a data breach that potentially impacted over 17 million individuals. According to Prosper, hackers accessed its network and exfiltrated confidential, proprietary, and personal information from its systems. The attackers queried Prosper’s database containing customer and applicant data. Prosper stated there was no evidence of unauthorized access to customer accounts and funds. The company is offering free credit monitoring to affected individuals.

F5 Discloses Breach Tied to Nation-State Actor

F5, a company specializing in application security and delivery technology, revealed it was targeted by a “highly sophisticated” cyberattack attributed to a nation-state actor. The company first detected the unauthorized access on August 9 and initiated incident response measures. The U.S. Department of Justice authorized F5 to delay public disclosure of the breach due to ongoing law enforcement considerations. Investigators found that the threat actor had prolonged access to parts of F5’s infrastructure.

New macOS Malware Campaign Targeting Developers

A new malicious campaign is targeting macOS developers through fake Homebrew, LogMeIn, and TradingView platforms. These platforms deliver infostealing malware such as AMOS (Atomic macOS Stealer) and Odyssey. The campaign uses “ClickFix” techniques to trick targets into executing commands in Terminal, leading to malware infection. The malicious sites often appear as Google Ads, which promotes them to appear in Google Search results. Users are instructed to copy a curl command into their Terminal to install the fake apps. It is strongly recommended that users don’t paste in the Terminal commands found online if they don’t fully understand what they do.

Authorities Shut Down Cybercrime-as-a-Service Operation

Law enforcement authorities across Europe dismantled a cybercrime-as-a-service operation, resulting in seven arrests and the seizure of over 40,000 SIM cards. The operation, codenamed ‘SIMCARTEL,’ targeted criminals using fake accounts on social media and communication platforms to mask their identities and commit cybercrimes. The criminal network was linked to over 1,700 cyber fraud cases in Austria and 1,500 in Latvia, with financial losses totaling millions of euros.

Practical Takeaways

  1. Enhanced Supply Chain Security: Organizations should assess the cybersecurity practices of their third-party vendors, particularly those that provide critical services. Implement supply-chain risk monitoring to identify and mitigate potential vulnerabilities.
  2. Incident Response Planning: Develop and regularly update incident response plans to ensure a swift and effective response to cyberattacks. Conduct regular drills and simulations to test the effectiveness of these plans.
  3. Employee Training: Educate employees about social engineering tactics, phishing scams, and other common attack vectors. Encourage employees to report suspicious activity and verify the legitimacy of requests before taking action.
  4. Vulnerability Management: Implement a vulnerability management program to identify and patch known vulnerabilities in a timely manner. Prioritize critical vulnerabilities and apply patches as soon as they are available.
  5. Endpoint Protection: Use endpoint detection and response (EDR) solutions to monitor and protect endpoints from malware and other threats. Regularly update these solutions and configure them to provide real-time threat intelligence.
  6. Network Segmentation: Segment networks to isolate critical systems and limit the potential impact of a cyberattack. Implement access controls to restrict access to sensitive data and systems.

PurpleOps Expertise

PurpleOps offers a suite of services designed to protect organizations from threats like those faced by Collins Aerospace.

  • Cyber Threat Intelligence: PurpleOps provides comprehensive cyber threat intelligence services, including real-time ransomware intelligence and dark web monitoring service, to help organizations stay ahead of emerging threats and understand the tactics, techniques, and procedures (TTPs) of threat actors like Everest. By leveraging underground forum intelligence and telegram threat monitoring, PurpleOps helps organizations proactively identify and mitigate potential risks.
  • Breach Detection: PurpleOps’ PurpleOps Solutions capabilities enable organizations to quickly identify and respond to unauthorized access and data exfiltration attempts. Our solutions continuously monitor network traffic, endpoint activity, and user behavior to detect anomalies and suspicious patterns.
  • Supply Chain Information Security: PurpleOps helps organizations assess and mitigate risks associated with third-party vendors through supply-chain risk monitoring. Our services include vendor risk assessments, security audits, and ongoing monitoring to ensure that vendors meet required security standards.
  • Dark Web Monitoring: Our dark web monitoring service proactively searches for compromised credentials, sensitive data leaks, and other indicators of compromise that may impact your organization.
  • Brand Leak Alerting: Proactively monitor for exposed credentials with our PurpleOps Solutions services.

The Russia-linked hackers claim responsibility for Collins Aerospace hack highlights the need for businesses to take cyber security seriously. The Everest ransomware attack on Collins Aerospace, along with the data breach at Prosper, the nation-state attack on F5, and the macOS malware campaign, illustrates the multifaceted nature of cyber threats and the importance of proactive security measures. By implementing strong security controls, conducting regular risk assessments, and staying informed about emerging threats, organizations can protect themselves from cyberattacks and minimize the potential impact of a breach.

For more information about how PurpleOps can help your organization strengthen its cyber security posture, explore our platform or contact us for a consultation through our PurpleOps Solutions page. Learn about our specialized offerings, such as Red Team Operations, , and Supply Chain Information Security. You may also be interested in our ransomware protection services and dark web monitoring, all underpinned by our cyber threat intelligence.

FAQ

Q: What is ransomware?

A: Ransomware is a type of malware that encrypts a victim’s files, making them inaccessible, and demands a ransom payment to restore access.

Q: What is supply chain risk monitoring?

A: Supply chain risk monitoring involves assessing and mitigating risks associated with third-party vendors and suppliers to ensure they meet required security standards.

Q: What is cyber threat intelligence?

A: Cyber threat intelligence involves gathering, analyzing, and disseminating information about potential cyber threats and threat actors to help organizations proactively defend against attacks.

Q: What should I do if I suspect a data breach?

A: If you suspect a data breach, immediately activate your incident response plan, notify relevant stakeholders, and engage cybersecurity professionals to investigate and contain the breach.

Q: How can PurpleOps help protect my organization?

A: PurpleOps offers a range of cybersecurity services, including cyber threat intelligence, breach detection, supply chain risk monitoring, and dark web monitoring, to help organizations proactively defend against cyber threats.