Case

Ransomware Attack on Collins Aerospace: Cybersecurity Failures and Systemic Risks in Airport Infrastructure

Pages: 7 | Grade: A | Uploaded on: 23-03-2026 | Written in: 2025/2026

This document analyzes the September 2025 ransomware attack on Collins Aerospace’s MUSE system, which disrupted airport operations across Europe. It examines how the attackers gained access, moved through the network, and avoided detection, highlighting key cybersecurity failures in prevention, monitoring, and response. The paper also explores the risks of centralized digital infrastructure, including systemic and concentration risks, and evaluates the effectiveness of backup systems. Additionally, it discusses the broader motivations behind ransomware attacks—such as financial gain and reputation—and emphasizes the need for stronger cybersecurity strategies, including defense-in-depth, zero trust architecture, and improved regulatory standards for critical infrastructure.


Content preview



Rebecca Accettola

Stefano Gazziano

CS/MGT 337-1

9th February 2026

Collins Aerospace Ransomware Attack in September 2025

QUESTION 1

a) Entry point analysis

The most probable method by which the attackers gained access to the systems of Collins Aerospace is the use of legitimate user credentials, most probably obtained via phishing attacks. This is entirely consistent with widely known ransomware attack patterns carried out against big companies, especially infrastructure providers. As indicated in the Verizon Data Breach Investigations Report 2024, mentioned in my sources, most ransomware attacks utilizing stolen legitimate user credentials begin with phishing attacks. Phishing emails are particularly successful since they take advantage of human trust as opposed to exploiting technical flaws. In a complex organization such as Collins Aerospace, it is entirely feasible that at least one legitimate user credential was compromised without anyone realizing it. This hypothesis is further reinforced by statements regarding the timing of the incident. The attackers accessed the site on Friday night, yet were not detected until Saturday morning. This strongly implies that they logged on through legitimate means, since no alarm was initially raised by breach detection mechanisms such as firewalls and intrusion detection systems. This is because users with legitimate credentials are generally considered safe. Unpatched vulnerabilities are another possible entry point, but a less probable one given the available data. Exploiting known vulnerabilities usually produces unusual system activity, which tends to generate alarms. The lack of this kind of initial detection hints at a quieter entry, such as a credential-based attack.

b) Lateral movement

Initial access techniques, in themselves, were not adequate to create the disruptions experienced. In order to disable MUSE systems in different airports, the attackers had to access Domain Controllers, which are responsible for providing access to the entire network. According to ENISA’s “Threat Landscape for Ransomware Attacks”, ransomware attacks may proceed from initial access through certain stages. Once access is gained, actors carry out internal reconnaissance, during which they try to identify network information, followed by credential gathering from memory, configuration files, or poorly secured accounts. With these credentials, actors are able to attain administrative privileges, which allow them to move laterally in the network. Where the network is not segmented, actors can reach Domain Controllers from the compromised user systems. Once they have access to Domain Controllers, they can control the entire network, which enables them to spread ransomware. The defense mechanisms that were missing and should have been implemented include multi-factor authentication for administrators, least privilege access, and network segmentation that keeps user devices and accounts separate from critical servers. The success of the attack implies that these mechanisms were implemented inadequately or were missing.

c) Detection failure

The attack went undetected for at least 8-10 hours after it began. This suggests a failure in detection, not a lack of observable signs. According to the UK National Cyber Security Centre (NCSC), there are strong indicators that make a ransomware attack detectable, including unusual login times and privilege escalation attempts. Access to Domain Controllers during the night is a significant warning sign, particularly when it comes from user accounts. If a reaction did not occur on time in this scenario, it could mean that the monitoring process was either inadequate or intentionally disabled by the attackers. The most probable explanation is that a reaction took place, but not immediately. As already described by NCSC, the lack of effective security monitoring gives a false impression of safety. In other words, the attackers were not invisible; they were simply not noticed.
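The indicators named in sections b) and c) (user accounts reaching Domain Controllers, unusual login times, privilege escalation) can be combined into one detection rule. The following Python is an added example, not part of the original paper; the host names, account names, business hours and the simplified log layout are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Assumed environment (all names hypothetical, constructed for this example).
DOMAIN_CONTROLLERS = {"DC-01", "DC-02"}
ADMIN_ACCOUNTS = {"adm.bianchi"}   # accounts allowed to administer DCs
ADMIN_HOSTS = {"PAW-02"}           # dedicated admin workstations
BUSINESS_HOURS = (7, 19)           # Mon-Fri, 07:00-18:59 local time

# Constructed sample of a simplified Windows Security log export.
# 4624 = successful logon, 4672 = special privileges assigned to a new logon.
SAMPLE_LOG = """\
time,event_id,account,source_host,target_host
2025-09-18T10:15:00,4624,adm.bianchi,PAW-02,DC-02
2025-09-19T14:05:00,4624,j.rossi,WKS-014,FILE-01
2025-09-19T22:41:00,4624,j.rossi,WKS-014,DC-01
2025-09-19T22:43:00,4672,j.rossi,WKS-014,DC-01
2025-09-19T23:10:00,4624,adm.bianchi,PAW-02,DC-01
"""

def detect(log_text):
    """Return (time, account, severity, reasons) for suspicious DC logons."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["target_host"] not in DOMAIN_CONTROLLERS:
            continue  # only Domain Controller access is in scope here
        ts = datetime.fromisoformat(row["time"])
        is_admin = row["account"] in ADMIN_ACCOUNTS
        reasons = []
        in_hours = ts.weekday() < 5 and BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]
        if not in_hours:
            reasons.append("off-hours")
        # Segmentation / least privilege: only admin accounts on admin hosts
        # should ever reach a DC.
        if not is_admin or row["source_host"] not in ADMIN_HOSTS:
            reasons.append("tier-violation")
        if row["event_id"] == "4672" and not is_admin:
            reasons.append("unexpected-privilege")
        if reasons:
            severity = "high" if len(reasons) > 1 else "review"
            alerts.append((row["time"], row["account"], severity, reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single off-hours logon by an administrator from an admin workstation is only queued for review, while a user account reaching a Domain Controller at night is raised as high severity, which is the pattern the paper argues went unnoticed.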

Sources
2024 data breach investigations report. (n.d.-a). https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf

European Union Agency for Cybersecurity September 2024 enisa threat. (n.d.-b). https://www.cybersecitalia.it/wp-content/uploads/2024/09/ENISA-Threat-Landscape-2024.pdf

QUESTION 2

a) Map the dependencies

A single vendor's software failure, as depicted in this diagram, spread to multiple airports, disrupting
operating systems, grounding airlines, and ultimately impacting thousands of passengers across Europe.
