Rebecca Accettola
Stefano Gazziano
CS/MGT 337-1
9th February 2026
Collins Aerospace Ransomware Attack on September 2025
QUESTION 1
a) Entry point analysis
The most probable method for the attackers to gain access to the systems of Collins Aerospace
would be the exploitation of legitimate user credentials, most probably obtained via phishing.
This is entirely consistent with widely known ransomware attack patterns carried out against large
companies, especially infrastructure providers. As indicated in the Verizon Data Breach
Investigations Report 2024, mentioned in my sources, most ransomware attacks that use stolen
legitimate user credentials begin with phishing. Phishing emails are particularly successful
because they take advantage of human trust rather than exploiting technical flaws. In a complex
organization such as Collins Aerospace, it is entirely feasible that at least one legitimate user
credential was compromised without anyone realizing it. This hypothesis is further reinforced by
statements regarding the timing of the incident: the attackers accessed the site on Friday night,
yet were not detected until Saturday morning. This strongly implies that they logged on through
legitimate means, since no alarm was initially raised by breach detection mechanisms such as
firewalls and intrusion detection systems, which generally treat users with legitimate credentials
as safe. Unpatched vulnerabilities are another possible entry point, but a less probable one given
the available data: exploiting known vulnerabilities usually produces unusual system activity,
which tends to generate alarms. The absence of this kind of initial detection hints at a quieter
entry, such as a credential-based attack.
b) Lateral movement
Initial access techniques were not, in themselves, adequate to create the disruptions experienced.
In order to disable MUSE systems in different airports, the attackers had to reach the Domain
Controllers, which are responsible for providing access to the entire network. According to
ENISA’s “Threat Landscape for Ransomware Attacks”, ransomware attacks proceed from initial
access through a sequence of stages. Once access is gained, actors carry out internal
reconnaissance, during which they try to identify network information, followed by credential
gathering from memory, configuration files, or poorly secured accounts. With these credentials,
actors are able to obtain administrative privileges, which allow them to move laterally in the
network. Where the network is not segmented, actors are able to reach the Domain Controllers
from the compromised user systems, and once they control the Domain Controllers they control
the entire network, which enables them to deploy the ransomware. The defense mechanisms that
should have been in place include multi-factor authentication for administrators, least privilege
access, and network segmentation that keeps user device accounts separate from critical servers.
The success of the attack implies that these mechanisms were implemented inadequately or were
missing.
c) Detection failure
The attack went undetected for at least 8-10 hours after it began. This suggests a failure in
detection, not a lack of observable signs. According to the UK National Cyber Security Centre
(NCSC), strong indicators of a ransomware attack exist, including unusual login times and
privilege escalation attempts. Access to Domain Controllers during the night is a significant
warning sign among these indicators, particularly when it comes from ordinary user accounts. If
no timely reaction occurred in this scenario, it could mean that the monitoring process was either
inadequate or intentionally disabled by the attackers. The most probable explanation is that a
reaction took place, but not immediately. As the NCSC describes, the lack of effective security
monitoring gives a false impression of safety. In other words, the attackers were not invisible;
they were simply not noticed.
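To make the detection argument concrete, the following is an added example (my own illustration, not part of the incident reporting or of any Collins Aerospace system) that runs the two NCSC indicators named above, off-hours logons to Domain Controllers by ordinary user accounts and privilege escalation through privileged-group membership, over a handful of constructed authentication events. The host names, account names, group names, timestamps and business-hours window are all assumptions chosen for the illustration.

```python
# Added example: minimal detection pass over constructed authentication events.
# Flags (1) off-hours Domain Controller logons from non-admin accounts and
# (2) additions to privileged groups. All names and values below are constructed.
from datetime import datetime, time

BUSINESS_HOURS = (time(7, 0), time(19, 0))       # assumed working window, Mon-Fri
DOMAIN_CONTROLLERS = {"dc01", "dc02"}            # constructed host names
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"adm_jsmith"}                  # accounts expected to reach DCs

# Constructed log lines: timestamp | event | account | host | detail
SAMPLE_EVENTS = [
    "2025-09-19 16:45:02|LOGON|jdoe|ws-114|interactive",   # normal workstation logon
    "2025-09-19 23:12:40|LOGON|jdoe|dc01|network",         # Friday night, user -> DC
    "2025-09-19 23:15:07|GROUP_ADD|jdoe|dc01|Domain Admins",
    "2025-09-20 02:30:11|LOGON|jdoe|dc02|remote",          # Saturday, second DC
    "2025-09-20 09:02:55|LOGON|adm_jsmith|dc01|interactive",  # admin, expected
]

def parse(line):
    """Split one pipe-delimited event line into a dict with a datetime timestamp."""
    ts, event, account, host, detail = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event": event, "account": account, "host": host, "detail": detail}

def is_off_hours(ts):
    """True outside the business window or on a weekend."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)

def detect(lines):
    """Return a list of (rule, account, host, timestamp) alerts, in event order."""
    alerts = []
    for ev in map(parse, lines):
        # Rule 1: non-admin account reaching a Domain Controller outside business hours
        if (ev["event"] == "LOGON" and ev["host"] in DOMAIN_CONTROLLERS
                and ev["account"] not in ADMIN_ACCOUNTS and is_off_hours(ev["ts"])):
            alerts.append(("off_hours_dc_logon", ev["account"], ev["host"], ev["ts"]))
        # Rule 2: any addition to a privileged group is a privilege-escalation signal
        if ev["event"] == "GROUP_ADD" and ev["detail"] in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_add", ev["account"], ev["host"], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run on the sample, the Friday-night and Saturday DC logons by `jdoe` and the Domain Admins addition each produce an alert, while the weekend logon by the expected admin account does not; in a real environment the same rules would be fed from Windows Security event logs and the account and host sets would come from the directory rather than hard-coded values.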
Sources
Verizon. (2024). 2024 Data Breach Investigations Report.
https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf
European Union Agency for Cybersecurity (ENISA). (2024). ENISA Threat Landscape 2024.
https://www.cybersecitalia.it/wp-content/uploads/2024/09/ENISA-Threat-Landscape-2024.pdf
QUESTION 2
a) Map the dependencies
A single vendor's software failure, as depicted in this diagram, spread to multiple airports, disrupting
operating systems, grounding airlines, and ultimately impacting thousands of passengers across Europe.