NCA confirms arrest after airport cyber disruption
Disruption is easing across Europe following the ransomware incident
The UK’s National Crime Agency (NCA) has made an arrest over last week's cyber attack on several airports.
The agency said a man in his forties was arrested in West Sussex on suspicion of Computer Misuse Act offences, and released on conditional bail.
“Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing,” said Paul Foster, NCA deputy director and head of the NCA’s National Cyber Crime Unit.
The cyber attack on software supplier Collins Aerospace led to major disruption for airlines flying out of London Heathrow, Brussels, and Berlin, with carriers forced to check passengers in manually.
The attack targeted Collins' ARINC cMUSE software, which allows airlines to share check-in desks and boarding gate positions rather than using their own dedicated infrastructure.
It's been confirmed that the incident was a ransomware attack, but so far little more is known. However, cybersecurity expert Kevin Beaumont said he had identified the ransomware used.
"The Europe airlines ransomware situation is a variant of Hardbit ransomware, which doesn’t have a portal and is incredibly basic," he wrote on Mastodon.
"They’ve had to restart recovery again as the devices keep getting reinfected. I’ve never seen an incident like it. Somebody like the NCSC needs to go in and help them with IR."
There's been a lot of speculation that the attack could have been carried out by a nation-state-affiliated group, with Russia having been tipped as the most likely suspect. That may now be in doubt, said Ryan McConechy, CTO at Barrier Networks.
"While details are still emerging, the NCA has confirmed that the suspect was arrested in the UK, which will likely come as a surprise to many," he said.
"While more information is likely to surface soon, the incident once again highlights that no organization is immune to cyber crime today. Whether attackers hit an organisation directly, or impact a large pool of organizations through a supply chain, cyber crime affects all businesses."
RTX, the parent company of Collins Aerospace, has confirmed in a filing with the US Securities and Exchange Commission (SEC) that the incident was a ransomware attack.
"The Company is diligently investigating the incident with the assistance of internal and external cybersecurity experts and has notified domestic and international law enforcement authorities and certain other government agencies," it said.
"The Company is also communicating with its customers and other stakeholders and providing technical support and guidance to affected airlines and airports."
RTX said it is investigating the incident with the help of internal and external cybersecurity experts, and that it's notified domestic and international law enforcement authorities and other government agencies.
Most flights are now operating normally, although some check-in desks are still processing passengers manually.
“Cyber crime is a persistent global threat that continues to cause significant disruption to the UK," said Foster. "Alongside our partners here and overseas, the NCA is committed to reducing that threat in order to protect the British public.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Cyber attacks are costing UK firms billions every year
- The top ransomware trends for businesses in 2025
- Financial impact of cyber attacks on UK retailers laid bare
-
I couldn’t escape the iPhone 17 Pro this year – and it’s about time we redefined business phonesOpinion ITPro is back on smartphone reviews, as they grow more and more intertwined with our work-life balance
-
When everything connects, everything’s at riskIndustry Insights Growing IoT complexity demands dynamic, automated security for visibility, compliance, and resilience
-
NHS supplier DXS International confirms cyber attack – here’s what we know so farNews The NHS supplier says front-line clinical services are unaffected
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teamsNews A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
-
NCSC issues urgent warning over growing AI prompt injection risks – here’s what you need to knowNews Many organizations see prompt injection as just another version of SQL injection - but this is a mistake
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals — and teams at Amazon are already seeing huge gainsNews AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals, and the company has already unlocked significant benefits from the technology internally.
