From Airport chaos to cyber intrigue: Everest Gang takes credit for Collins Aerospace breach
The Everest ransomware gang has claimed responsibility for the cyberattack on Collins Aerospace, which disrupted operations at several major European airports. The attack affected boarding and check-in systems at Heathrow, Brussels, and Berlin airports, causing numerous flight delays and cancellations. Everest's leak site went offline shortly after the claim, prompting speculation that it was taken down by law enforcement or by the group itself.

2025-10-18 15:10:24 Author: securityaffairs.com

Everest claims Collins Aerospace hack hitting EU airports, but its leak site vanishes soon after, sparking takedown speculation.

Do you remember the Collins Aerospace supply chain attack that disrupted operations at several major European airports, including Heathrow in London, Brussels, and Berlin?

In September, a cyberattack on Collins Aerospace disrupted check-in and boarding systems at major European airports, heavily impacting Heathrow, Brussels, and Berlin. The outage caused numerous flight delays and cancellations, forcing manual operations.

Collins Aerospace is a major American company specializing in aviation and defense technologies, and is a subsidiary of RTX (formerly Raytheon Technologies). The company provides advanced systems for commercial, business, and military aircraft, including avionics, interiors, mission systems, and power controls. Collins also delivers integrated solutions for airports, space exploration, and operational efficiency, supporting both passenger safety and complex mission success. The attack has affected Collins’ Muse software.

Now, the Everest ransomware gang has claimed responsibility, boasting about the breach on their leak site, which, intriguingly, went offline almost immediately afterward with a “Fatal error” message. It’s hard not to notice the timing. In the ransomware ecosystem, sudden technical failures like that often suggest something larger happening behind the scenes, perhaps a takedown by law enforcement, perhaps panic, or perhaps an attempt to erase traces after too much attention.

Whatever the reason, this incident is far from trivial.

Collins Aerospace is not just another contractor. Formed in 2018 through the merger of Rockwell Collins and United Technologies’ aerospace division, it has become a cornerstone of modern air and naval defense infrastructure. The company provides advanced avionics, navigation systems, flight control solutions, mission management technologies, and power and control modules that are integral to both civilian and military operations.

Its parent company, RTX (formerly Raytheon Technologies), is one of the most powerful players in the global defense and aerospace sector, integrating capabilities that span missiles, radar, propulsion, sensors, and electronic warfare. Together, RTX and Collins Aerospace form a vital part of the defense supply chain that supports numerous Western military programs.

That’s why this cyber attack feels different. It’s not just about data loss or encrypted servers; it’s about the integrity of systems that underpin critical infrastructure and national security. When an actor like Everest claims a successful intrusion against a company that designs components for aircraft, radar systems, or communication platforms, the stakes become far more serious than financial extortion.

These supply chain attacks show how connected today’s defense and aviation industries are. One weak link can affect every player in the supply chain, from airlines and airports that rely on critical software to military clients that depend on secure systems. If hackers gained access to private or classified data, the damage could go far beyond money, threatening national security and defense readiness.

The Everest group itself is part of a new generation of cybercriminal organizations that operate with a hybrid model. Instead of executing full-scale attacks alone, they often act as brokers, selling stolen access or partnering with affiliates who specialize in different stages of the intrusion chain. Their public leak site going dark so soon after the Collins Aerospace claim adds a layer of mystery. Did law enforcement hit the cybercrime group? Did the group panic after realizing the sensitivity of its target? Or was it a tactical retreat to avoid escalating international attention?

This incident also reflects how ransomware has evolved from a purely financial crime to a geopolitical weapon. Attacks against critical suppliers no longer just aim to extract payment — they aim to undermine confidence, create disruption, and weaken trust in essential systems. For industries tied to defense or aviation, that erosion of trust can be as damaging as the intrusion itself.

The Collins Aerospace episode highlights the urgency of strengthening cooperation between private industry, law enforcement, and international cyber defense agencies. It also reminds us that traditional cybersecurity strategies focused only on perimeters or firewalls are no longer enough. Modern defense requires visibility across entire supply chains, segmented architectures that limit lateral movement, and continuous intelligence sharing to detect and contain breaches before they spread.

In the end, what we are witnessing with this attack is not just another ransomware case. It is a glimpse into the potential convergence of cybercrime and state-sponsored activity. What begins as a breach in a vendor’s network can quickly cascade into something that challenges national resilience itself.

As investigations continue, one truth stands out: threat actors are learning faster than ever, and every incident like this is a test of how well we can learn in return.

Pierluigi Paganini

(SecurityAffairs – hacking, Collins Aerospace breach)

UPDATE: Everest’s data leak site is up again. Thanks to Ransomnews colleagues who alerted me.

Source: https://securityaffairs.com/183567/cyber-crime/from-airport-chaos-to-cyber-intrigue-everest-gang-takes-credit-for-collins-aerospace-breach.html