Major European airports experienced widespread check-in and boarding disruptions tied to a ransomware incident affecting Collins Aerospace’s MUSE passenger processing platform, which RTX later confirmed in an SEC Form 8-K. Media and community reports have speculated about HardBit, BlackBit, and LokiLocker, but no ransomware family or definitive threat actor has been officially confirmed.
Key points
- Major airports including Heathrow, Brussels, Berlin, and Dublin reported outages in check-in, boarding, and kiosk systems linked to Collins Aerospace’s MUSE platform.
- RTX Corporation filed an SEC Form 8-K confirming a ransomware incident affecting MUSE on September 19, 2025, noting the systems operate on customer-specific networks outside RTX’s enterprise network.
- Media and researchers have suggested HardBit as a potential variant, while BlackBit and LokiLocker have been mentioned speculatively; no family has been officially attributed.
- One suspect was arrested in the UK and later released on conditional bail; investigations by law enforcement and cybersecurity teams remain active.
- The incident highlights supply-chain risk: shared platforms like cMUSE create single points of failure that can cascade across airlines and airports.
- Regulatory disclosure differences explain varying public information—RTX’s SEC obligations forced public disclosure, while EU/UK incident reporting rules do not necessarily require public statements.
- Key unanswered questions include the intrusion vector, scope of affected customers, whether data was exfiltrated or ransom demanded, and definitive attribution of the actor.
MITRE Techniques
- [T1486] Data Encrypted for Impact – Ransomware impacted MUSE passenger systems causing outages and forcing customers to use manual or backup processes: “a product cybersecurity incident involving ransomware on systems that support its Multi-User System Environment (‘MUSE’) passenger processing software.”
- [T1190] Exploit Public-Facing Application – Compromise of vendor-hosted cMUSE or customer-specific deployments is suggested as a possible route by which ransomware affected multiple airports, but the intrusion vector is unknown: “The intrusion vector is unknown, including whether attackers compromised Collins Aerospace directly or gained access through a third-party supply chain.”
- [T1041] Exfiltration Over C2 Channel – Media discussion of modern ransomware evolution and double/triple extortion implies a potential data theft/exfiltration risk, though this remains unconfirmed: “It is not yet known whether data was exfiltrated, ransom demands were issued…”
- [T1195] Supply Chain Compromise – Attack impacted a shared vendor platform (MUSE), creating a single point of failure across multiple airlines and airports: “A shared platform creates a single point of failure… If MUSE is disrupted, the impact does not remain limited to one airline.”
- [T1078] Valid Accounts – References to threat actors like Scattered Spider targeting outsourced IT and identity systems imply use of compromised credentials or identity abuse techniques, though not tied to this incident: “Scattered Spider expanded its operations into the aviation sector, targeting outsourced IT providers and identity systems used by airlines and airport services.”
Indicators of Compromise
- [Vendor/Product] affected system – Collins Aerospace MUSE (vMUSE/cMUSE) – referenced as the compromised passenger processing platform.
- [Regulatory Filing] confirmation – RTX SEC Form 8-K acknowledging a ransomware incident affecting MUSE.
- [Ransomware Family Candidates] speculative names mentioned in reporting – HardBit (suggested by some reports), BlackBit (reported as RaaS), LokiLocker (speculative/mislabel).
- [Affected Organizations] impacted airports/systems – Heathrow, Brussels, Berlin (BER), Dublin reported disruptions; Heathrow renewed cMUSE contract supporting 80+ airlines.
- [Investigative Action] law enforcement activity – UK arrest in West Sussex related to the incident (suspect later released on conditional bail).