Executive Summary
In September 2025, RTX Corporation (formerly Raytheon Technologies) disclosed a ransomware attack against the Multi-User System Environment (MUSE) passenger processing platform of its Collins Aerospace unit. MUSE is shared check-in, bag-drop and boarding software used by multiple airlines at a given airport, so a single outage forced manual processing and caused flight cancellations and delays at London Heathrow, Brussels, Berlin, Dublin and Cork. The ransomware is suspected to belong to the HardBit or Loki families; RTX has not publicly confirmed the family. Collins Aerospace reported becoming aware of the incident on September 19, initiated incident response, notified authorities, and deployed mitigations and software restores across affected customer sites. In the days that followed, the UK National Crime Agency arrested a man in his forties in West Sussex on suspicion of Computer Misuse Act offences in connection with the attack; he was released on conditional bail. The EU cybersecurity agency ENISA confirmed that ransomware was the cause.
The incident fits a pattern of ransomware operators reaching critical infrastructure through a shared supplier rather than the operators themselves, often with commodity Ransomware-as-a-Service (RaaS) tooling. The malware does not need to be sophisticated: when one vendor platform serves many airlines at many airports, encrypting it once produces a multi-site operational outage.
Why This Matters Now
This incident shows why cyber resilience in critical infrastructure and supply chain environments is urgent: attackers disrupt essential services with commodity ransomware as readily as with advanced tooling. Because MUSE is shared by many airlines at each airport, one compromise became a pan-European disruption. Organizations that depend on shared platforms should prioritize segmentation, detection and zero trust controls, and keep tested manual fallback procedures for check-in and boarding.
Attack Path Analysis
The initial access vector has not been publicly disclosed; the path below is inferred from the observed impact and from common ransomware tradecraft. The adversary most likely reached the MUSE environment through exposed remote access or valid credentials. From that foothold they escalated privileges, moved laterally to other services on the operational network, and established command and control to stage and orchestrate the ransomware. Some data may have been copied out before encryption, although the primary objective was disruption. Finally, the ransomware encrypted systems, taking check-in, bag drop and boarding functions offline at the affected airports.
Kill Chain Progression
Initial Compromise
Description
Assumed vector: the attacker reached the MUSE system through exposed remote access channels or compromised credentials, exploiting weak or misconfigured access controls. RTX has not confirmed the vector.
Related CVEs
No CVE has been publicly attributed to this intrusion. RTX and Collins Aerospace have not disclosed the initial access vector or any specific vulnerability in MUSE, so the exploit status is unknown rather than confirmed as exploited in the wild. Treat any vendor patch guidance issued after the incident as the authoritative affected-version list.
MITRE ATT&CK® Techniques
The mapping is inferred from the observed impact and typical ransomware tradecraft; public reporting confirms the encryption impact (T1486) but not the specific access, execution or exfiltration techniques.
Exploit Public-Facing Application (T1190)
Valid Accounts (T1078)
Phishing (T1566)
Command and Scripting Interpreter (T1059)
Obfuscated Files or Information (T1027)
Ingress Tool Transfer (T1105)
Data Encrypted for Impact (T1486)
Data Manipulation (T1565)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication Management
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Incident Response and Notification
Control ID: Section 500.17
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 10
CISA Zero Trust Maturity Model 2.0 – Enforce Strong Identity Controls
Control ID: Identity – Pillar Control: Authentication & Access
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
GDPR – Security of Processing
Control ID: Article 32
Sector Implications
Industry-specific impact of the incident, including operational, regulatory and cloud security risks.
Airlines/Aviation
The ransomware attack directly disrupted Collins Aerospace MUSE passenger processing systems, causing widespread flight cancellations and delays at European airports including Heathrow, Brussels, Berlin and Dublin.
Computer Software/Engineering
The attack on the Multi-User System Environment software shows the concentration risk of shared airline processing systems: one vendor platform serving many carriers and airports means one compromise becomes a multi-site outage. Software providers need stronger segmentation between customer tenants and sites, and threat detection that can distinguish one tenant's anomaly from normal multi-tenant load.
Defense/Space
RTX Corporation's dual role in commercial aerospace and defense raises national security questions, since a ransomware actor with access to one business unit could attempt to reach critical infrastructure or defense supply chain systems. Public reporting has not indicated any spread beyond the MUSE platform in this incident.
Transportation
Airport operational disruptions from the MUSE compromise highlight the transportation sector's dependency on interconnected software systems and the need for robust manual fallback processes and egress security.
Sources
- UK arrests suspect for RTX ransomware attack causing airport disruptions (BleepingComputer): https://www.bleepingcomputer.com/news/security/uk-arrests-suspect-for-rtx-ransomware-attack-causing-airport-disruptions/
- Cyberattack Causes Disruption at Europe's Busiest Airports (TIME): https://time.com/7319103/cyberattack-flight-delays-heathrow-brussels/
- Collins Aerospace working on restoring software for airlines hit by cyberattack (Investing.com): https://www.investing.com/news/stock-market-news/collins-aerospace-working-on-restoring-software-for-airlines-hit-by-cyber-attack-4254465
- EU says ransomware to blame for attack which caused chaos at airports (TechRadar): https://www.techradar.com/pro/security/eu-says-ransomware-to-blame-for-attack-which-caused-chaos-at-airports
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Distributed Zero Trust segmentation, east-west traffic control and egress policy enforcement would have constrained lateral movement and limited the blast radius of the ransomware; tighter visibility and anomaly detection would have shortened time to detection. The mapping below describes how each control would have applied to this attack, not what was deployed at Collins Aerospace.
Control: Cloud Native Security Fabric (CNSF) with Distributed Inline Enforcement
Mitigation: Block unauthorized access attempts at the perimeter with real-time policy checks on each connection.
Control: Zero Trust Segmentation
Mitigation: Limit an attacker's ability to escalate or reuse compromised credentials across segmented environments.
Control: East-West Traffic Security
Mitigation: Deny internal communication that no policy allows, stopping spread between airport sites and back-end systems.
Control: Egress Security & Policy Enforcement
Mitigation: Detect or block command-and-control traffic leaving the environment, including direct-to-IP egress that bypasses FQDN policy.
Control: Cloud Firewall (ACF) and Inline IPS (Suricata)
Mitigation: Flag and prevent mass or otherwise suspicious outbound data transfers.
Mitigation: Raise rapid alerts on abnormal file encryption activity and coordinate response.
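As an added example (not code from this page, RTX or Collins Aerospace), the following Python script applies an FQDN egress allowlist and a per-destination volume check of the kind described above to constructed flow records. The allowlist entries, workload names and the 50 MB threshold are assumptions chosen for illustration; in practice the legitimate destinations come from the workload's own traffic baseline.

```python
"""Egress policy evaluation for a passenger-processing workload tier.

Added example with constructed flow records; hostnames, the allowlist and
the volume threshold are assumptions, not Collins Aerospace's real endpoints.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Destinations this tier may talk to. A leading '.' means "any subdomain of".
EGRESS_ALLOWLIST = frozenset({
    "updates.example-vendor.com",     # assumed vendor update service
    ".dcs.example-airline.net",       # assumed departure-control API hosts
})

# Bytes one source may send to one destination across the observed window
# before the pair is reported as a bulk transfer (possible staging or exfil).
VOLUME_THRESHOLD_BYTES = 50 * 1024 * 1024


@dataclass(frozen=True)
class Flow:
    src: str        # workload name
    dst: str        # FQDN from DNS or TLS SNI, or a bare IP if none was seen
    dst_port: int
    bytes_out: int


def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def looks_like_ip(dst: str) -> bool:
    """True for a dotted-quad IPv4 literal (no name involved at all)."""
    parts = dst.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def fqdn_allowed(dst: str, allowlist=EGRESS_ALLOWLIST) -> bool:
    """Exact match, or suffix match for '.suffix' entries.

    The suffix keeps its leading dot, so 'notdcs.example-airline.net' does
    not match '.dcs.example-airline.net'.
    """
    dst = normalize(dst)
    if dst in allowlist:
        return True
    return any(e.startswith(".") and dst.endswith(e) for e in allowlist)


def evaluate_egress(flows: Iterable[Flow], allowlist=EGRESS_ALLOWLIST,
                    volume_threshold: int = VOLUME_THRESHOLD_BYTES) -> list:
    """Return policy findings: IP-literal egress, non-allowlisted FQDNs, and
    (src, dst) pairs whose summed outbound bytes exceed the threshold."""
    findings = []
    flagged_pairs = set()
    volume = defaultdict(int)

    for f in flows:
        dst = normalize(f.dst)
        pair = (f.src, dst)
        volume[pair] += f.bytes_out
        if pair in flagged_pairs:
            continue                      # one policy finding per pair
        if looks_like_ip(dst):
            # Direct-to-IP egress bypasses FQDN policy; typical of C2 beacons.
            findings.append({"type": "ip_literal_egress", "src": f.src,
                             "dst": dst, "port": f.dst_port})
            flagged_pairs.add(pair)
        elif not fqdn_allowed(dst, allowlist):
            findings.append({"type": "fqdn_not_allowlisted", "src": f.src,
                             "dst": dst, "port": f.dst_port})
            flagged_pairs.add(pair)

    for (src, dst), total in sorted(volume.items()):
        if total > volume_threshold:
            findings.append({"type": "bulk_outbound", "src": src,
                             "dst": dst, "bytes": total})
    return findings


# Constructed flow records (not observed traffic). 198.51.100.0/24 is the
# RFC 5737 documentation range.
SAMPLE_FLOWS = [
    Flow("muse-cupps-01", "updates.example-vendor.com", 443, 2_000_000),
    Flow("muse-cupps-01", "api.dcs.example-airline.net", 443, 5_000_000),
    Flow("muse-cupps-02", "198.51.100.23", 443, 300_000),
    Flow("muse-cupps-02", "cdn.unknown-host.example", 443, 120_000),
    Flow("muse-cupps-03", "storage.example-cloud.test", 443, 40 * 1024 * 1024),
    Flow("muse-cupps-03", "storage.example-cloud.test", 443, 20 * 1024 * 1024),
]

if __name__ == "__main__":
    for finding in evaluate_egress(SAMPLE_FLOWS):
        print(finding)
```

Running the script against the constructed flows yields four findings: one IP-literal connection, two destinations outside the allowlist, and one source whose two transfers to the same host sum past the threshold. Suffix entries deliberately keep their leading dot so that a look-alike domain sharing only the tail of the name is not accepted.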
Impact at a Glance
Affected Business Functions
- Check-in systems
- Baggage handling
- Boarding operations
Estimated downtime: 10 days
Estimated loss: $5,000,000
Potential exposure of passenger and employee data due to system compromise.
Recommended Actions
Key Takeaways & Next Steps
- Apply distributed Zero Trust segmentation to strictly enforce least-privilege access between workloads and users.
- Enable east-west traffic monitoring and inline policy enforcement to detect and block unauthorized internal movement.
- Implement comprehensive egress controls with FQDN and signature-based policy to obstruct command and control and data exfiltration attempts.
- Deploy real-time anomaly detection and threat response systems to rapidly surface and contain ransomware or destructive behavior.
- Regularly audit and harden all access controls and remote access pathways, reducing attack surface and misconfiguration risk.
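To make the "abnormal file encryption activity" signal concrete, here is an added Python example (constructed events, not telemetry from the incident or code from any vendor) that scores file writes by Shannon entropy and file type and raises one alert per host when suspicious writes exceed a burst threshold inside a sliding window. The kiosk names, the `.locked` extension and the thresholds are assumptions.

```python
"""Ransomware encryption-burst detector over file-activity events.

Added example with constructed events (not telemetry from the RTX/Collins
incident). Hostnames, the '.locked' extension and all thresholds are assumed.
"""
import math
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 60        # sliding window per host
BURST_THRESHOLD = 20       # suspicious writes inside the window -> alert
ENTROPY_THRESHOLD = 7.0    # bits/byte; encrypted or compressed data is near 8
# Formats that are legitimately high-entropy and must not count as ciphertext.
BENIGN_HIGH_ENTROPY_EXT = frozenset({".zip", ".gz", ".7z", ".jpg", ".jpeg",
                                     ".png", ".mp4", ".pdf"})


@dataclass(frozen=True)
class FileEvent:
    ts: float                        # epoch seconds
    host: str
    path: str                        # path after the write or rename
    sample: bytes                    # leading bytes of the content written
    old_path: Optional[str] = None   # set when the operation was a rename


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: 0 for empty input, 8 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    i = name.rfind(".")
    return name[i:].lower() if i > 0 else ""


def is_suspicious(ev: FileEvent) -> bool:
    """High-entropy content landing in a file type that is not normally
    compressed. Catches both rename-and-encrypt (x.docx -> x.docx.locked)
    and in-place encryption where the .docx now holds ciphertext."""
    if extension(ev.path) in BENIGN_HIGH_ENTROPY_EXT:
        return False
    return shannon_entropy(ev.sample) >= ENTROPY_THRESHOLD


def detect_bursts(events, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """One alert per host each time `threshold` suspicious writes fall inside
    `window` seconds. The host's state is reset after alerting so a single
    encryption run yields one alert, not one per file."""
    recent = defaultdict(deque)     # host -> timestamps of suspicious writes
    exts = defaultdict(Counter)     # host -> extensions seen since last reset
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_suspicious(ev):
            continue
        q = recent[ev.host]
        q.append(ev.ts)
        exts[ev.host][extension(ev.path)] += 1
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"host": ev.host, "window_start": q[0],
                           "window_end": ev.ts, "count": len(q),
                           "extensions": dict(exts[ev.host].most_common(3))})
            q.clear()
            exts[ev.host].clear()
    return alerts


def build_sample_events():
    """Constructed telemetry: one kiosk bulk-encrypting documents, one writing
    ordinary CSV exports, one writing legitimate archives."""
    rng = random.Random(20250919)                  # deterministic "ciphertext"
    text = (b"Flight,Seat,Name\nXX123,14C,DOE/JANE\n" * 200)[:4096]
    base = 1_758_300_000.0
    events = []
    for i in range(25):        # muse-kiosk-07: 25 documents rewritten as ciphertext
        events.append(FileEvent(base + i, "muse-kiosk-07",
                                f"C:\\Data\\manifest_{i}.docx.locked",
                                rng.randbytes(4096),
                                old_path=f"C:\\Data\\manifest_{i}.docx"))
    for i in range(30):        # muse-kiosk-02: 30 plain-text exports, benign
        events.append(FileEvent(base + i, "muse-kiosk-02",
                                f"C:\\Exports\\pax_{i}.csv", text))
    for i in range(3):         # muse-kiosk-11: archives, high-entropy but expected
        events.append(FileEvent(base + 10 * i, "muse-kiosk-11",
                                f"C:\\Backups\\day_{i}.zip", rng.randbytes(4096)))
    return events


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_events()):
        print(alert)
```

On the constructed events the detector raises exactly one alert, for the kiosk that rewrote twenty documents as ciphertext within a minute, while the kiosk producing thirty plain-text exports in the same minute and the one writing archives stay silent. The entropy gate is what keeps a busy but legitimate host below the threshold; the file-type exemption is what stops backups and images from counting. In production the sample bytes would come from an EDR or file-integrity sensor rather than being embedded in the script.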