Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Critical Infrastructure Security. Show all posts
Threat Intelligence
Advanced Persistent Threats Critical Infrastructure Security cyber espionage Cyber Security Cybersecurity EU Sanctions State Sponsored Attacks Threat Intelligence

Europe Targets Chinese and Iranian Entities in Response to Cyber Threats


 

Council of the European Union, in response to the escalation of state-linked cyber intrusions, has tightened its defensive posture by imposing targeted sanctions on a cluster of entities and individuals allegedly engaged in sophisticated digital attacks against European interests in a measured yet unmistakably firm manner. 

According to the Council, on behalf of the bloc's member states, this decision represents a broader strategic shift within the European Union, where cyber threats are increasingly treated as instruments of geopolitical pressure capable of compromising critical infrastructure, public trust, and economic stability rather than isolated technical disruptions. 

It was announced earlier this week that sanctions would extend beyond corporate entities and include senior leadership figures, indicating a desire to hold not only organizations, but also their decision-makers accountable for orchestrating or enabling malicious cyber activity. 

China's Integrity Technology Group and Anxun Information Technology Co., a company formerly known as iSoon, were among those names, along with Iranian entity Emennet Pasargad, who are believed to have participated directly in attacks against essential services and government networks. 

The inclusion of executives such as Wu Haibo and Chen Cheng further underscores the EU's evolving approach to cyber operations, one in which the traditional veil of denial is pierced. 

The European Union attempts to reset deterrence in cyberspace by formally assigning responsibility and imposing economic and legal constraints, where attribution is a challenging task, accountability is often elusive, and the consequences of inaction continue to increase with each successive breach by establishing a new standard of deterrence. 

European authorities have also focused attention on Anxun Information Technology Co., commonly referred to as I-Soon. The company appears to be closely connected to Chinese domestic security apparatuses, particularly the Ministry of Public Security. Despite its formal positioning as a commercial company, Huawei has long been associated with cyber operations aligned with Beijing's strategic intelligence objectives, blurring the line between state-directed activity and outsourced service. 

As a result of this dual-purpose posture, Western governments have paid sustained attention to the situation; following sanctions imposed by the United Kingdom in March 2025, the Department of Justice unveiled charges against multiple I-Soon personnel for participating in coordinated intrusion campaigns. 

In confirming these concerns, the European Union has made the claim that I-Soon operated as an offensive cyber services provider, systematically attacking critical infrastructure sectors and governmental systems both within member states and abroad. 

As alleged by investigators, its activities extend beyond unauthorized access to include sensitive data exfiltration and monetization, introducing persistent risks to the diplomatic and security frameworks supporting the Common Foreign and Security Policy as a result of institutionalizing the hacker-for-hire model.

It is also important to note that the Council has designated key corporate figures, including Wu Haibo and Chen Cheng, who are senior managers and legal representatives within the company's structure. This reinforces the EU's intention to attribute accountability at both the individual and organization level. There have also been actions taken against Emennet Pasargad, an Iranian threat actor known by various aliases, such as Cotton Sandstorm, Marnanbridge, and Haywire Kitten and widely considered to be linked with the Cyber-Electronic Command of the Islamic Revolutionary Guard Corps. 

A wide range of disruptive and influence-driven cyber activities have been associated with the group, ranging from interference operations in connection with the 2020 presidential election to intrusion attempts related to the Summer Olympics in 2024. 

In accordance with European assessments, cyberattacks against Sweden's digital infrastructure, including the compromise of the national SMS distribution service, were also attributed to the group, indicating a pattern of operations intended not only to infiltrate systems but also to undermine public trust and operational resilience.

Furthermore, additional technical assessments further demonstrate the extent and persistence of Emennet Pasargad's activities. As indicated by Microsoft's analysis previously, the group-tracked as "Neptunium"-is suspected of compromising the personal information of over 200,000 Charlie Hebdo subscribers. 

According to many observers, the intrusion was a retaliatory act in response to the publication's controversial content targeting Ali Khamenei, illustrating the trend of politically motivated cyber operations being increasingly integrated with information exposure and intimidation methods.

The Council of the European Union identifies the group as conducting hybrid operations, including the unauthorized control of digital advertising billboards during the 2024 Summer Olympics for propaganda purposes, as well as a compromise of a Swedish SMS distribution service.

Interestingly, the latter incident is consistent with an earlier documented campaign that utilized mass messaging to incite retaliatory sentiments within the Swedish community, a tactic that has later been referenced by the Federal Bureau of Investigation in its threat advisories. 

Additionally, the Council's documentation illustrates earlier interference activities targeting the 2020 United States presidential elections, during which stolen voter data was used to deliver coercive communications using false political identities, demonstrating a deliberate campaign to undermine the trust of voters. 

Indictments have been issued in the United States against individuals such as Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian as a result of enforcement actions. Financial sanctions have been imposed by the Treasury Department in an attempt to disrupt the group's operations funding. In spite of these measures, the actor has remained active, and subsequent attribution has linked it to ransomware campaigns believed to be affiliated with the Islamic Revolutionary Guard Corps.

There are parallel findings regarding Integrity Technology Group that reinforce the transnational nature of these threats. Investigators discovered that the company's infrastructure and tooling were used by the Flax Typhoon threat group as a means of gaining access to tens of thousands of devices throughout the European continent, as well as facilitating espionage-focused activities targeting Taiwanese entities. 

In addition, coordinated sanctions between the United Kingdom and the United States indicate a growing alignment of international responses targeted at reducing the ability of state-linked cyber activities to sustain their operations.

In combination, these coordinated efforts indicate a maturing enforcement posture in which cyber operations are not viewed merely as technical incidents but rather as matters of strategic significance that require sustained, multilateral responses. 

As part of the ongoing process of improving the European Union's cyber sanctions framework, the EU will emphasize attribution, intelligence sharing, and alignment with international partners in order to ensure that punitive measures are effectively translated into tangible operational disruptions.

It becomes increasingly important for organizations operating both within and outside of Europe to strengthen their resilience against advanced persistent threats, in particular those that utilize supply chain access, managed service providers, and covert infrastructure. 

It has been noted that the convergence of espionage, cybercrime, and influence operations calls for a more integrated defense model that includes technical controls, threat intelligence, and regulatory compliance. 

Having said that, the effectiveness of sanctions will ultimately depend on the consistency with which they are enforced, on the timely attribution of the perpetrators and on the ability of both public and private sectors to anticipate and mitigate the evolving threat environment.
Read more »
Ransomware
Critical Infrastructure Security cyber espionage Cyber Warfare Geopolitical Cyber Attacks Hacktivism Campaigns Middle East Cyber Threats Ransomware

Rising Cyber Threats Linked to Ongoing Middle East Conflict


A geopolitical crisis has historically been fought on physical battlefields, but its effects are seldom confined to borders in the modern threat landscape. While tensions are swirling across the Middle East as a result of the United States' military operations in Iran and Tehran's retaliatory actions, a parallel surge of activity is being witnessed in the digital world. 


There is increasing concern among security analysts as well as government cyber agencies about how geopolitical instability provides fertile ground for cybercriminals and state-aligned actors. In order to manipulate public curiosity, exploit fear, and conceal malicious campaigns, attackers have utilized this rapidly evolving situation as a convenient narrative.

As soon as the escalation began, researchers began tracking a growing ecosystem of cyber infrastructure based on conflict that lures unsuspecting users into fraudulent websites, phishing scams, and malware downloads. 

In many cases, what appears to be breaking news or urgent updates about a crisis hides carefully designed traps meant to infiltrate corporations, collect credentials, or spread malicious software designed to steal data. 

Due to this, the conflict's digital shadow has expanded beyond the immediate region, raising concerns among cybersecurity professionals that opportunistic attacks may become increasingly targeted against individuals and organizations worldwide. 

The intensification of hostilities in late February 2026, when the United States and Israel are said to have conducted coordinated airstrikes against multiple Iranian facilities, has further compounded the escalation of cyber threats. 

Security analysts have identified a pattern where cyber activity closely follows developments on the ground following the strikes and retaliatory actions which have reverberated across several Middle Eastern nations following the strikes. 

According to researchers, digital operations played a supporting role long before the first missiles were deployed. Iran's command-and-control infrastructure was disrupted by coordinated electronic warfare tactics and large-scale distributed denial-of-service campaigns. This temporarily impeded national internet access and could potentially complicate real-time military coordination by reducing national internet connectivity to a fraction of its usual capacity. 

It is clear from such incidents that cyber capabilities are becoming increasingly integrated into broader strategic operations, influencing the circumstances under which conventional military engagements occur. However, analysts note that the cyber dimension of the conflict cannot be limited to state-directed operations alone. 

As a result, it is widely expected that Iranian digital response will follow an asymmetric model, with loosely aligned or ideologically sympathetic groups operating outside its borders typically executing these actions. They vary considerably in capability, but their activities often involve defacing websites, leaking data, and launching disruptive attacks intended to generate publicity in addition to operational damage. 

A team tracking online channels associated with hacktivist communities has observed hundreds of claims of cyberattack within days of the escalation, many of which were shared via propaganda platforms and messaging platforms aligned with geopolitical agendas. 

In spite of the fact that not all claims reflect a verified breach, the rapid dissemination of such announcements can create confusion, inflate perceived impact, and press targeted organizations into responding before technical verification is possible. It is becoming increasingly clear that the target list is expanding beyond political disruption. 

Monitoring of cybersecurity indicates that activities related to the conflict extend beyond Israel to Gulf States, Jordan, Cyprus, and American organizations based abroad. As a result of financial motivation, ransomware operators and threat groups have attempted to frame attacks against Israeli and Western-related entities as political alignments rather than criminal attacks.

A gradual blurring of the distinction between state-aligned disruption and extortion involving financial gain is being caused by the blending of ideological messaging and traditional cybercrime tactics. Moreover, security teams have warned that opportunistic actors are leveraging geopolitical tensions as a narrative hook for phishing and fraud operations. 

It has been observed increasingly that travel-related scams are targeting individuals stranded or traveling within the region, and credential harvesting campaigns are targeting diplomats, journalists, humanitarian organizations and defense contractors. There has been an increase in interest in industrial and operational technology environments in recent years, which has created an alarm. 

It is important to note that early cyber activity linked to the conflict was primarily defacements and distributed denial-of-service attacks against public websites. In recent reports, threat intelligence reports have indicated an attempt to probe systems linked to industrial control components such as programmable logic controllers and other industrial control components. 

Consequently, if substantiated, this shift would represent a substantial escalation of both technical ambition and potential impact for energy facilities, utilities, and other critical infrastructure operators throughout the Middle East and Gulf region, should reevaluate their operational network resilience, particularly those that connect information technology with industrial control systems. 

Together, these developments suggest a broad range of potential cyber activity, including high-volume DDoS campaigns that target government portals as well as targeted spear-phishing activities that seek credentials from diplomats, media organizations, and defense contractors. 

A number of analysts have warned that ransomware incidents can be politicized, hack-and-leak operations will target military-linked entities, and destructive malware may be used to disable government systems. 

The influence campaigns and fabricated breach claims being circulated through social media platforms are expected to play a parallel role in shaping public perception as well as these technical threats. As a result of the possibility of both verified attacks and exaggerated narratives producing real-world consequences, enhancing situational awareness and improving defensive monitoring is becoming an integral aspect of risk management in organizations. 

It is also evident from the broader regional context why geopolitical escalation often results in heightened cyber security risks in the Middle East. Over the past decade, countries across the region have taken steps to transform public services, financial systems, telecommunications infrastructure, and energy operations through large-scale digital transformation initiatives. 

Particularly, Gulf Cooperation Council members have led these efforts. In addition to strengthening economic diversification and technological capacity, these efforts have increased the digital attack surface available to threat actors at the same time.

Monitoring of cybercrime activities in the Gulf has indicated an increasing number of traditional cybercrime activities targeting both private and state institutions. In recent years, financial fraud campaigns, ransomware attacks, and political-motivated web defacements have disrupted a wide range of industries, including banking, telecommunications, and more. 

There have been several high-profile incidents in recent years that involved financial institution and mobile banking platform breaches, while ransomware groups have increasingly targeted large regional service providers as targets. These campaigns have grown in frequency as well as sophistication, reflecting the region's interconnected digital infrastructure’s increasing strategic value. 

In addition, the threat environment is not limited to conventional cybercrime. Researchers continue to report advanced persistent threat groups conducting cyberespionage operations against governmental agencies, defense organizations, and energy infrastructure throughout the region, in addition to conventional cybercrime. 

There is a widespread belief that many of these campaigns are associated with states and geopolitical rivalries, with a particular focus being placed on individuals associated with Iran following earlier cyber incidents against its nuclear facilities. 

Several activities attributed to this group have included deployment of destructive malware, covert surveillance campaigns, and data destruction attacks, all aimed at disrupting critical infrastructure without providing any indication as to whether the underlying motive is political disruption or financial gain. 

Consequently, attribution efforts have been complicated by the convergence of these motives, resulting in the increasing overlap between cyber espionage, sabotage, and criminal activity. Cybersecurity dynamics are also influenced by the political and social significance of the digital space within the region.

Digital platforms, data flows, and communication infrastructure are frequently regulated by Middle Eastern governments as a matter of national stability and regime security. Consequently, social media platforms and messaging platforms have evolved into contested environments where state institutions, activists, extremist organizations, and influence networks compete to shape narratives in contested environments. 

In times of conflict or political instability, this competition can take the form of distributed denial-of-service attacks, coordinated disinformation campaigns, doxxing operations, and claims of data breaches aimed at putting pressure on political opponents or influencing public opinion. 

With the increasing use of artificial intelligence tools for creating synthetic media, automating propaganda, or manipulating information flow, it has become increasingly difficult for organizations to maintain reliable situational awareness during emergencies. In addition to the integration of artificial intelligence and autonomous technologies into military and security operations across the region, there is an emerging dimension. 

New cybersecurity vulnerabilities are inevitable as governments and non-state actors experiment with artificial intelligence-enabled surveillance, targeting, and operational coordination systems. It is important to be aware that when systems depend on complex supply chains of software or foreign technological expertise, cyber intrusions, manipulation, and espionage can be a potential entry point. 

According to security specialists, interference with these technologies could have consequences beyond the theft of data, impacting battlefield decision-making, operational reliability, or strategic control over sensitive defense capabilities, among other things. 

Institutions are not the only ones to face such risks. Technology-facilitated abuse has become increasingly problematic for vulnerable communities as it intersects with personal safety concerns and digital rights. 

A number of places in the region have experienced an increase in the spread of manipulated images and deepfake content as a result of technology-facilitated abuse, including impersonation schemes and sextortion. Many victims experience significant social stigma or legal barriers when seeking assistance, which can discourage them from reporting and allow perpetrators to operate with relative impunity. 

In combination, these trends illustrate that cybersecurity is not limited to protecting networks or infrastructure in the Middle East. A complex intersection of national security, information control, technological competition, and social vulnerability has resulted in a situation where the region is particularly vulnerable to cyber activity arising from geopolitical tensions.
Read more »
State Sponsored Hacking
Critical Infrastructure Security DynoWiper ESET Research malware Polish Energy Sector Power Grid Cybersecurity Russia Linked Cyberattack Sandworm State Sponsored Hacking

Sandworm-Associated DynoWiper Malware Targets Polish Power Infrastructure


 

A cyber intrusion targeting the nation's energy infrastructure occurred in late 2025, which security experts have described as one of the largest cyberattacks the nation has faced in many years. It underscores the growing vulnerability of critical national systems in light of increasing geopolitical tensions, which are at odds with one another. 

ESET, a cybersecurity company specializing in cyber security, has uncovered new data indicating that the operation was carried out by Sandworm, an advanced persistent threat group closely aligned with Russia that has been associated with disrupting energy and industrial networks for decades. 

ESET researchers found that a deeper analysis of the malware used during the incident revealed operational patterns and code similarities that are consistent with Sandworm's past campaigns, indicating that the attack follows Sandworm's established playbook for damaging cyber activity. 

According to the assailants, they were planning to use a malware strain named DynoWiper that was designed to permanently destroy files and cripple affected systems by irreversibly destroying them, a strategy which could have caused widespread disruptions across the Poland electricity industry if it had been successful. 

At the time of publication, the Russian Embassy in Washington did not respond to requests for comment. According to cyber experts, Sandworm, which is also known as UAC-0113, APT44, or Seashell Blizzard in the cybersecurity community, has been active for more than a decade and is widely regarded as an act of state-sponsored hacking, most likely aimed at Russian military intelligence agencies. 

The group's ties to Unit 74455 of the Main Intelligence Directorate (GRU) have been established by security researchers after repeated accusations that the organization has committed high-impact cyber-operations intended to disrupt and degrade critical infrastructure systems. 

Throughout its history, Sandworm has been credited with some of the most significant cyber incidents against energy networks, most notably a devastating attack on the Ukraine's power grid nearly a decade ago, which used data-wiping malware and left around 230,000 people without power for a period of nearly 10 days.

It is important to note that this episode still remains a prototypical example of the group's capabilities and intentions, and it continues to shape the assessment of the group's role in more recent attempts to undermine energy systems beyond Ukraine's borders. 

As detailed in a recent report issued by ESET, they believed that the operation bore the hallmarks of Sandworm, a threat actor widely linked to Russia's military and intelligence apparatus, evidenced by its involvement in the operation. 

A data wiping malware, DynoWiper, dubbed DynoWiper, was identified by investigators and tracked as Win32/KillFiles.NMO, which had previously been undocumented, pointing the finger at the group. The wiper campaign was similar in both technical and operational aspects to earlier Sandworm wiper campaigns, especially those that were observed following Russian invasion of Ukraine in February of that year. 

In a statement published by ESET on December 29, 2025, the company stated that the malware had been detected during an attempt to disrupt Poland's energy sector, but that there are no indications that the attackers succeeded in causing outages or permanently damage the energy sector. 

In an email sent on December 29, the Polish authorities confirmed that there was activity observed in the area of two combined heat and power plants and a system used to manage the generation of electricity from renewable sources, such as the power of wind and sun. 

In a public statement, the Prime Minister said that the attacks were directed by groups “directly linked to Russian services,” citing the government's plans to strengthen national defenses through additional safeguards and cybersecurity legislation that will require more stringent requirements on risk management, information technology and operational technology security, and preparedness for incidents. Tusk said this legislation is expected to be implemented very soon. 

Moreover, the timing of the incident attracted the attention of analysts as it coincided with the tenth anniversary of Sandworm's historic attack on Ukraine's power grid in 2015. BlackEnergy and KillDisk malware were deployed during the attack, and the attack caused hours-long blackouts for thousands of people, something that was cited as a continuation of a pattern of disruption campaigns against critical infrastructure that has been occurring for years. 

A company named ESET stated that the attempted intrusion coincided with Sandworm's tenth anniversary of the devastating attack on Ukraine's power grid in the year 2000, though it only provided limited technical information beyond the identification of the malware involved. 

Researchers are pointing out that the use of a custom-built wiper, as well as the pattern of Russian cyber operations in which data-destroying malware has been a strategic tool, aligns with a broader pattern observed in cyber operations. The use of wipers in attacks linked to Moscow has increased significantly since 2022. 

The use of AcidRain to disable roughly 270,000 satellite modems in Ukraine has been an effort to disrupt the communication of the country. A number of campaigns targeting universities, critical infrastructure, and the like have been attributed to Sandworm. This is also true in the case of the NotPetya outbreak in 2017, a destructive worm that in its early stage was targeted at Ukrainian targets, but quickly spread worldwide, causing an estimated $10 billion in damage and securing its place as one of the highest-profile case studies in the history of cybercrime. 

There are no indications yet as to why DynoWiper had failed to trigger power outages in Poland; the investigation has left open the possibility that the operation may have been strategically calibrated to avoid escalation or that strong defenses within the country’s energy grid prevented it. 

In the aftermath of the incident, governments and operators of critical infrastructure across Europe have been reminded once again that energy systems continue to be an attractive target among state-sanctioned cyber operations even when those attacks do not result in immediate disruptions. 

It is noted that security analysts have noted the attempt to deploy DynoWiper in a strategic capacity reflects a continued reliance on destructive malware as a strategy tool, and emphasize the importance of investing in cyber resilience, real-time monitoring, and coordinated incident response across both the information technology as well as operational technologies. 

Although it appears that Polish officials are using the episode as a springboard in order to strengthen their defenses, experts point out that similar threats may not be bound by borders in the near future since geopolitical tensions are unlikely to ease at all. 

Despite the fact that the failure of the attack may offer some reassurance for the time being, it also emphasizes a more significant reality: adversaries continue to search energy networks for weaknesses, and it will be crucial to be prepared and cooperative if we wish to avoid future disruptions, as well as to be able to detect and neutralize malware before it becomes a major problem.
Read more »
Infrastructure Security
Critical Infrastructure Security Cyber Attacks Cyber Security Ransomware Attacks Cyber Threats Hypervisor Infrastructure Security

Hypervisor Ransomware Attacks Surge as Threat Actors Shift Focus to Virtual Infrastructure

 

Hypervisors have emerged as a highly important, yet insecure, component in modern infrastructural networks, and attackers have understood this to expand the reach of their ransomware attacks. It has been observed by the security community that the modes of attack have changed, where attackers have abandoned heavily fortified devices in favor of the hypervisor, the platform through which they have the capability to regulate hundreds of devices at one time. In other words, a compromised hypervisor forms a force multiplier in a ransomware attack. 

Data from Huntress on threat hunting indicates the speed at which this trend is gathering pace. Initially in the early part of 2025, hypervisors were involved in just a few percent of ransomware attacks. However, towards the latter part of the year, this number had risen substantially, with hypervisor-level encryption now contributing towards a quarter of these attacks. This is largely because the Akira ransomware group is specifically leveraging vulnerabilities within virtualized infrastructure.  

Hypervisors provide attackers the opportunity by typically residing outside the sight of traditional security software. For this reason, bare-metal hypervisors are of particular interest to attackers since traditional security software cannot be set up on these environments. Attacks begin after gaining root access, and the attackers will be able to encrypt the disks on the virtual machines. Furthermore, attackers will be able to use the built-in functions to execute the encryption process without necessarily setting up the ransomware. 

In this case, security software would be rendered unable to detect the attacks. These attacks often begin with loopholes in credentials and network segmentation. With the availability of Hypervisor Management Interfaces on the larger internets inside organizations, attackers can launch lateral attacks when they gain entry and gain control of the virtualization layer. Misuse of native management tools has also been discovered by Huntress for adjusting Machine Settings, degrading defenses, and preparing the environment for massive Ransomware attacks. 

Additionally, the increased interest in hypervisors has emphasized that this layer must be afforded the equivalent security emphasis on it as for servers and end-points. Refined access controls and proper segmentation of management networks are required to remediate this. So too is having current and properly maintained patches on this infrastructure, as it has been shown to have regularly exploited vulnerabilities for full administrative control and rapid encryption of virtualized environments. While having comprehensive methods in place for prevention, recovery planning is essential in this scenario as well. 

A hypervisor-based ransomware is meant for environments, which could very well go down, hence the need for reliable backups, ideally immutables. This is especially true for organizations that do not have a recovery plan in place. As ransomware threats continue to evolve and become more sophisticated, the role of hypervisors has stepped up to become a focal point on the battlefield of business security. 

This is because by not securing and protecting the hypervisor level against cyber threats, what a business will essentially present to the cyber attackers is what they have always wanted: control of their whole operation with a mere click of their fingers.
Read more »
Supply chain vulnerability
Airport Cyberattack Aviation Cyber Threats Collins Aerospace Hack Critical Infrastructure Security Cybersecurity Breach Data Extortion Digital Resilience Ransomware attack Supply chain vulnerability

Collins Aerospace Deals with Mounting Aftermath of Hack


One of the most disruptive cyber incidents to have hit Europe's aviation sector in recent years was a crippling ransomware attack that occurred on September 19, 2025, causing widespread chaos throughout the continent's airports.  

The disruption was not caused by adverse weather, labour unrest or mechanical failure but by a digital breakdown at the heart of the industry's technological core. The Collins Aerospace MUSE platform, which is used for passenger check-ins and baggage operations at major airport hubs including Heathrow, Brussels, Berlin, and Dublin, unexpectedly went down, leading airports to revert to paper-based, manual procedures. 

There was confusion in the terminals and gate agents resorted to handwritten manifests and improvised coordination methods to handle the surge, while thousands of passengers stranded in transit faced flight cancellations and delays. While flight safety systems remained unaffected, and a suspect (a British national) was apprehended within a few days of the attack, it also exposed an increasingly frightening vulnerability in aviation's growing reliance on interconnected digital infrastructure. 

This ripple effect revealed how one breach of security could cause shockwaves throughout the entire ecosystem of insurers, logistics companies, and national transport networks that are all intertwined with the digital backbone of air travel itself, far beyond an aviation issue. 

In the aftermath of the Collins Aerospace cyberattack, the crisis became worse when on Sunday, a group linked to Russian intelligence and known as the Everest Group claimed to have accessed sensitive passenger information allegedly stolen by Dublin Airport and claimed to have been possessed by the group. This group, which operates on the dark web, announced that they had acquired 1.5 million passenger records and threatened to release the data unless a ransom was paid by Saturday evening before releasing the data. 

It has been reported that Everest, which had earlier claimed credit for breaching systems connected to Collins Aerospace's MUSE software on October 17, believes that the security breach occurred between September 10 and 11, using credentials obtained from an insecure FTP server in order to infiltrate the company's infrastructure. 

On September 19, Collins Aerospace shut down affected servers that blocked cybercriminals from accessing these servers, according to the cybercriminals who claimed their access to those servers was later stopped. This move occurred simultaneously with a wide array of operational outages in major European airports including Heathrow, Berlin Brandenburg, Brussels, and Dublin. 

A spokesperson for the Dublin Airport Authority (DAA) confirmed that a probe has been initiated in response to the mounting concerns regarding the incident, as well as in coordination with regulators and impacted airlines. It should be pointed out that as of yet no evidence has been found of a direct hacking attack on DAA's internal systems, indicating that the dataset exposed primarily consists of details regarding passenger boarding for flights departing Dublin Airport during the month of August.

While this happened, ENISA, the European Union Agency for Cybersecurity, categorised the Collins Aerospace hack as a ransomware attack, which underlined the escalation of sophistication and reach of cybercriminals targeting critical aviation infrastructure across the globe. There have been signs of gradual recovery as European airports have struggled to regain operational stability since the Collins Aerospace cyber incident. 

Although challenges persisted throughout the days of the cyberattack, signs of gradual recovery did emerge. While flight schedules at London's Heathrow airport and Berlin Brandenburg airport had begun to stabilize on Sunday, Brussels Airport continued to experience significant disruptions. A statement issued by Brussels Airport on Monday stated that it had requested airlines cancel about half of the 276 departures scheduled for Monday due to the non-availability of Collins Aerospace's new secure check-in software, which had not been available for the previous few days.

As manual check-in procedures remained in place, the airport warned that cancellations and delays were likely to continue until full digital functionality had been restored. In spite of the ongoing disruptions, airport authorities reported that roughly 85% of weekend flights operated, which was made possible by ensuring additional staffing from airline partners and ensuring that the online check-in and self-service baggage system were still operational, according to Airport Authority reports. 

The airport’s spokesperson Ihsane Chioua Lekhli explained that the cyberattack impacted only the computer systems being used at the counters staffed by employees, and that in order to minimize the inconvenience to passengers, backup processes and even laptops have been used as workarounds.

It is important to note that RTX Corporation, the parent company of Collins Aerospace, refused to comment on this matter in a previous statement issued on Saturday, when RTX Corporation acknowledged the disruption and said it was working to fully restore its services as soon as possible. According to the company, the impact will only be felt by electronic check-in and baggage drop and can be minimized by manual operations. 

During the weekend, Heathrow and Brandenburg airports both encouraged passengers to check their flight statuses before arriving at the airport, as well as to take advantage of online or self-service options to cut down on traffic. In its latest communication, Heathrow Airport stated that it was working with airlines "to recover from Friday's outage," stressing that despite the delays, a majority of scheduled flights were able to run throughout the weekend despite the delay. 

There has been a broader discussion around the fragility of digital supply chains and the increasing risk that comes with vendor dependency as a result of the Collins Aerospace incident. Increasingly, ransomware and data extortion groups are exploiting third-party vulnerabilities in order to increase the likelihood of a systemic outage, rather than an isolated cyber event. 

An analysis by industry analysts indicates that the true differentiator between organizations that are prepared, visible, and quick to respond during such crises lies in their ability to deal with them quickly, and in the ability to anticipate problems before they arise. According to Resilience's cybersecurity portfolio, only 42% of ransomware attacks in 2025 were followed by incurred claims, a significant decrease from 60% in 2024.

According to experts, this progress is largely due to the adoption of robust backup protocols, periodic testing, and well-defined business continuity frameworks, which are the foundation of this improvement. However, broader industry figures paint a more worrying picture. Approximately 46% of organizations that have been affected by ransomware opted to pay ransoms to retrieve data, according to Sophos' State of Ransomware report, while in the Resilience dataset, the number of affected organizations paid ransoms fell from 22% in 2024 to just 14% in 2025.

This contrast illustrates the fact that companies that have tested recovery capabilities are less likely to succumb to extortion demands because they have viable options for recovering their data. A new approach to cybersecurity has emerged – one that is based on early detection, real-time threat intelligence, and preemptive mitigation. Eye Security uncovered a critical vulnerability in Microsoft SharePoint in July 2025 and issued targeted alerts in response to the vulnerability. This proactive approach enabled Eye Security to scan its client ecosystem, alert its clients, and contain active exploitation attempts before significant damage could occur. 

According to experts, Collins Aerospace's breach serves as a lesson for what happens when critical vendors fail in a network that is interconnected. A recent outage that crippled airports across Europe was more than just an aviation crisis; it was an alarming reminder of the concentration risk that cloud-based and shared operating technologies carry across industries as well. 

Organizations are increasingly reliant on specialized vendors to manage essential systems in order to ensure their success, so the question isn't if a major outage will occur again, but whether businesses have the resilience infrastructure to stay operational if it happens again. It is clear from the Collins Aerospace incident that cybersecurity is no longer a separate IT concern, but rather a core component of operational continuity. 

It stands as a defining moment for digital resilience in the evolving narrative. The emphasis in navigating this era of global infrastructure disruption must shift to building layered defense ecosystems, combining predictive intelligence, rigorous vendor vetting, and a real-time crisis response framework, as businesses navigate through the challenges of a single vendor outage disrupting global infrastructure. 

In the end, the lesson is clear: resilience is not built when disruption happens but in anticipation of it, ensuring that when the next digital storm hits, we are prepared, not panicked.
Read more »
Subscribe to: Comments (Atom)