On 2025-10-26, the ransomware operator "Everest Group" announced on its Tor-hosted leak site that it had allegedly obtained Dublin Airport data relating to a large number of travellers passing through the airport. Early estimates of the number of affected individuals vary widely (figures from 1-200K up to 1.5 million have been quoted), but none of these details has been confirmed.
Although unconfirmed, this breach is likely connected to the Collins Aerospace ransomware attack of September 2025, which disrupted airport operations across Europe. A plausible strategy for Everest Group is to pressure individual airports and airlines that rely on the same supplier, increasing the chance of at least one victim paying. Everest Group also threatened to release data belonging to Air Arabia on 2025-10-25, signalling that further aviation and aerospace organisations may be targeted in the coming days.
Examination of the group's TTPs shows a heavy reliance on social engineering and initial access brokers to get into victims' environments. Research by NCC Group found that Everest operates with legitimate, compromised accounts, which removes the need for vulnerability exploitation and privilege escalation, the noisy stages that most often alert network defenders. The group has been active since at least 2021, has links to the "BlackByte" and "Conti" ransomware groups, and runs a double-extortion model (encryption plus the threat to leak stolen data).
A notable communication from the group in 2023 showed an intention to recruit parties who already hold access to target systems, in exchange for a share of the proceeds on completion of a successful attack. It is unclear whether this was aimed at corporate insiders, access brokers, or both.
Social engineering attacks that abuse legitimate credentials are now common among high-profile ransomware operators because a valid login does not trigger the controls built to catch exploitation: the attacker arrives as a known user, on an expected protocol, and the first anomalies are behavioural rather than technical.
The Integrity360 Incident Response team recommends the following practical steps to mitigate the risk of attacks that begin with social engineering:
- Regularly rotate all administrative credentials and enforce MFA on privileged and remote-access accounts.
- Pay close attention to supplier and customer accounts: restrict their permissions and reachable systems to the minimum needed for the third party to do its job, and review that scope regularly.
- Maintain modern visibility and detection through EDR and user behaviour analytics (UBA), coupled with traditional SIEM-based logging so that evidence is retained for retrospective investigation.
- Take steps to regularly verify the identity of personnel where requests arrive by e-mail, phone or video call, particularly requests involving credentials, MFA resets or payments.
- Use digital risk monitoring to stay ahead of cyber security incidents at suppliers that may affect your business.
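The detection and third-party points above share one idea: when the attacker holds valid credentials, the signal is a deviation from how that account normally behaves, not a failed exploit. The following is an added illustrative example, not Integrity360 or Everest-related code, of a minimal UBA-style check: it learns a per-account baseline (countries, devices, working hours) from a window of sign-in events, then flags recent sign-ins that leave that baseline, lack MFA, or, for a supplier account, touch a system outside its agreed scope. The log format, account names, hostnames and all events are constructed for the example; real deployments would feed this from an IdP or SIEM export.

```python
"""UBA-style baseline check over sign-in events (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    country: str
    device: str
    target: str
    mfa: bool


def parse_events(lines):
    """Parse 'timestamp,user,country,device,target,mfa' records (a constructed format)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, country, device, target, mfa = (f.strip() for f in line.split(","))
        events.append(SignIn(datetime.fromisoformat(ts), user, country, device, target,
                             mfa.lower() == "true"))
    return events


def build_baseline(events):
    """Per-account profile of what 'normal' looked like during the learning window."""
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in events:
        p = profile[e.user]
        p["countries"].add(e.country)
        p["devices"].add(e.device)
        p["hours"].add(e.ts.hour)
    return dict(profile)


def detect(baseline, events, third_party_scope):
    """Return (timestamp, user, reasons) for each sign-in that deviates from baseline,
    lacks MFA, or, for a supplier account, reaches a system outside its permitted set."""
    findings = []
    for e in events:
        reasons = []
        p = baseline.get(e.user)
        if p is None:
            reasons.append("account has no baseline (new or dormant)")
        else:
            if e.country not in p["countries"]:
                reasons.append(f"first sign-in from {e.country}")
            if e.device not in p["devices"]:
                reasons.append(f"first sign-in from device {e.device}")
            # Tolerate one hour either side of previously seen hours to limit noise.
            usual = {(h + d) % 24 for h in p["hours"] for d in (-1, 0, 1)}
            if e.ts.hour not in usual:
                reasons.append(f"outside usual hours ({e.ts:%H:%M})")
        if not e.mfa:
            reasons.append("MFA not satisfied")
        scope = third_party_scope.get(e.user)  # None means not a scoped third-party account
        if scope is not None and e.target not in scope:
            reasons.append(f"third-party account reached out-of-scope system {e.target}")
        if reasons:
            findings.append((e.ts.isoformat(), e.user, reasons))
    return findings


# Constructed learning-window events: an employee and a supplier service account.
BASELINE_LINES = """
# timestamp,user,country,device,target,mfa
2025-10-01T08:05:00,jdoe,IE,LAPTOP-01,vpn,true
2025-10-02T09:12:00,jdoe,IE,LAPTOP-01,vpn,true
2025-10-03T10:40:00,jdoe,IE,LAPTOP-01,fileshare,true
2025-10-01T09:00:00,vendor-svc,GB,VND-GW-01,ticketing,true
2025-10-02T16:30:00,vendor-svc,GB,VND-GW-01,ticketing,true
""".splitlines()

# Constructed recent events: one normal, one stolen-credential pattern, one supplier overreach.
RECENT_LINES = """
2025-10-20T09:15:00,jdoe,IE,LAPTOP-01,vpn,true
2025-10-21T03:10:00,jdoe,BR,DESKTOP-7Q2X,vpn,true
2025-10-21T15:45:00,vendor-svc,GB,VND-GW-01,domain-controller,false
""".splitlines()

# Systems each supplier account is contractually allowed to reach (constructed).
THIRD_PARTY_SCOPE = {"vendor-svc": {"ticketing"}}


def run_example():
    baseline = build_baseline(parse_events(BASELINE_LINES))
    return detect(baseline, parse_events(RECENT_LINES), THIRD_PARTY_SCOPE)


if __name__ == "__main__":
    for ts, user, reasons in run_example():
        print(ts, user, "; ".join(reasons))
```

Run as written, the normal sign-in produces nothing, the 03:10 sign-in from a new country and device is flagged on three counts, and the supplier account is flagged both for a sign-in without MFA and for reaching a domain controller that is outside its agreed scope. A production version would weight and aggregate these reasons rather than emit every one, but the structure (learn a baseline, compare, enforce third-party scope explicitly) is what the recommendations above amount to in code.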
If you have reason to believe that a threat actor is attempting to gain access to your network, contact the Integrity360 Incident Response team for assistance.

