From MUSE to Manual: Cyberattack Analysis on European Airport Operations

Published On : 2025-09-23

Executive Summary

On 19 September 2025, multiple major European airports, including London Heathrow (LHR), Brussels (BRU), and Berlin Brandenburg (BER), experienced severe operational disruptions following a cyberattack that impacted check-in and boarding systems, resulting in widespread flight delays and cancellations. The incident has been attributed to an attack on Collins Aerospace’s MUSE check-in/boarding platform, highlighting how adversaries often exploit vulnerabilities in third-party suppliers rather than directly targeting the primary organization. While no threat actor has formally claimed responsibility, CYFIRMA Research assesses that Alixsec, Scattered Spider, and the Rhysida ransomware group are plausible actors, given their prior targeting patterns, history of high-profile disruptions, and demonstrated operational capabilities.

Incident Overview

Incident Window: 19–20 September 2025, with peak impact observed on the morning of 20 September 2025.
Affected Function: Electronic self-service check-in, boarding pass issuance, and baggage drop services on the vendor’s MUSE platform. Impacted airports activated manual fallback procedures to sustain operations.
Confirmed Impacts: Brussels Airport reported nine cancellations, four diversions, and at least fifteen delays. Heathrow and Berlin airports experienced extended processing times and delays while operating under manual procedures.

Assessment

On 19–20 September 2025, a cyberattack targeting Collins Aerospace’s MUSE check-in and boarding platform resulted in widespread disruptions across London Heathrow (LHR), Brussels (BRU), and Berlin Brandenburg (BER) airports. Automated check-in, boarding, and baggage systems were rendered unavailable, forcing airports to revert to manual processes. The outage caused significant passenger delays, flight cancellations, and broader operational strain.

While early reporting attributed the incident to a “technical issue,” preliminary analysis suggests that Collins’ software platform was exploited, raising concerns of a supply-chain-style intrusion. No public indicators of ransomware encryption or data exfiltration have yet been confirmed, but the scale of disruption mirrors previous ransomware and state-sponsored campaigns against aviation.

This incident highlights the aviation sector’s vulnerability to cyber operations, particularly through supply-chain dependencies such as Collins Aerospace’s MUSE platform. Exploiting a shared platform offers adversaries a single point of failure to simultaneously disrupt multiple international airports — a strategy attractive to both ransomware operators seeking leverage and state actors pursuing geopolitical signaling.

Dark Web Observations

Based on contextual, open-source, and dark web intelligence:
On December 5, 2024, the threat group Alixsec reportedly announced intentions to target multiple UK critical infrastructure sites, including transportation, media, banking, defense, and government organizations, with London Heathrow Airport mentioned. Their statements indicate a focus on high-value operational nodes, highlighting potential risks to airport operations, public services, and national infrastructure, underscoring the need for increased monitoring and defensive preparedness.

Screenshot: Telegram Post

On December 22, 2024, an Excel file containing detailed information on Heathrow Airport infrastructure, including hostnames, IP addresses, technologies, and services, was reportedly posted on a Telegram group named Hydra Market 2 and later discussed on RaidForums in a thread forwarded from a Ransomware-as-a-Service (RaaS) group identified as Babuk Medieval. The dataset included internal and public-facing systems, such as email gateways, application servers, and network devices, highlighting the potential exposure of sensitive operational information.

Screenshot: Telegram Post

Screenshot: Excel file containing detailed information on Heathrow Airport infrastructure

On 17 September 2024, the ransomware group Rhysida listed Port of Seattle / Seattle-Tacoma International Airport (SEA) on its leak site. The post claims the release of unclaimed customer SQL databases totalling 1.4 TB across 79,432 files, with a partial dataset (≈20%) already uploaded. The actor stated that additional data will follow. The Port of Seattle, a government agency formed in 1911, manages both Seattle’s seaport and airport and serves as a critical U.S. trade and transportation hub.

Screenshot: Listing of Port of Seattle / Seattle-Tacoma International Airport (SEA) on its leak site

Historic Attribution

Scenario 1: Hacktivist / Ransomware Attribution

Alixsec – Pro-Palestinian hacktivist group, active on Telegram (alixsecenglish). History of DDoS, defacements, and data leaks. On December 5, 2024, the group publicly threatened to attack aviation but has no record of successfully targeting airports. Their intent is clear, but their capability remains limited.
Rhysida – Ransomware group with a proven record of targeting aviation and port sectors. In August 2024, Rhysida launched a high-impact attack on Seattle-Tacoma International Airport (Port of Seattle), encrypting baggage, ticketing, Wi-Fi, and passenger systems. Staff were forced into manual operations for weeks. This attack provides a direct operational precedent for the current disruption.

Scenario 2: State-Sponsored Attribution

APT28 (Fancy Bear) – Linked to Russia’s GRU, with long-standing interest in transportation and critical infrastructure. Known for advanced supply-chain exploitation and destructive malware.
APT33 (Iran) – Aviation and energy sector specialist, responsible for disruptive operations against aerospace targets.
Lazarus Group (North Korea) – Demonstrated capability in both espionage and financially motivated operations, with a history of targeting transportation and infrastructure.

Attribution Matrix (Intent vs Capability)

Threat Actor	Type	Motivation	Aviation History	Assessment
Alixsec	Hacktivist	Ideological (anti-West/Pro-Palestine)	Threatened aviation (Dec 2024), no confirmed attacks	Intent only
Rhysida	Ransomware	Financial disruption, extortion	Seattle-Tacoma Airport attack (Aug 2024)	Proven capability
APT28	State-backed (Russia)	Strategic disruption, espionage	Past transport/aviation targeting	High capability
APT33	State-backed (Iran)	Regional influence, disruption	Known aviation sector intrusions	High capability
Lazarus	State-backed (North Korea)	Financial and geopolitical	Targeted transport/finance	High capability

HACKER GROUP

Alixsec: Alixsec is a pro-Palestinian hacktivist group active on Telegram (alixsecenglish), focused on politically motivated cyber disruptions targeting Western-aligned nations. While the group has threatened aviation attacks (Dec 2024), it has no proven capability in executing high-impact operations against critical infrastructure.

Rhysida Ransomware Group: Rhysida is a financially motivated ransomware group targeting critical infrastructure, particularly aviation and ports. The group is capable of encrypting operational systems and causing prolonged disruptions, as seen in the August 2024 Seattle-Tacoma International Airport attack.

APT28 (Fancy Bear): APT28 is a Russian state-sponsored group linked to the GRU, conducting advanced cyber operations against transport, government, and critical infrastructure. Their campaigns combine intelligence collection and disruption, leveraging sophisticated malware and persistent access techniques.

APT33 (Iran): APT33 is an Iranian state-backed actor targeting aviation and energy sectors for strategic disruption. The group employs malware campaigns, spear-phishing, and operational technology (OT) exploitation to achieve regional influence and compromise sensitive systems.

Lazarus Group (North Korea): Lazarus Group is a North Korean state-sponsored actor conducting financially and strategically motivated cyber operations. They target financial institutions, transport, and critical infrastructure globally, blending ransomware, wipers, and espionage campaigns.

Potential MITRE Framework

Tactic	Technique ID	Technique Name	Threat Actors
Initial Access	T1195	Supply Chain Compromise	Rhysida, APT28, APT33, Lazarus Group
Initial Access	T1566	Phishing	APT33
Initial Access	T1204	User Execution	APT33
Execution	T1486	Data Encrypted for Impact	Rhysida, Lazarus Group
Execution	T1499	Endpoint Denial of Service	Alixsec
Execution	T1491	Defacement / Wiper	Alixsec, Lazarus Group
Persistence	T1078	Valid Accounts	APT28, APT33
Persistence	T1021	Remote Services	APT28, APT33
Privilege Escalation	T1078	Valid Accounts	APT28, APT33
Defense Evasion	T1070	Indicator Removal	Rhysida
Defense Evasion	T1027	Obfuscated Files or Information	Lazarus Group
Impact	T1489	Service Stop	Rhysida
Impact	T1486	Data Encrypted for Impact	Rhysida, Lazarus Group
Impact	T1491	Defacement	Alixsec, Lazarus Group
Exfiltration	T1041	Exfiltration Over C2 Channel	APT28, APT33
Exfiltration	T1530	Data from Cloud Storage	Alixsec, Rhysida

IOCs

As of now, there are no known Indicators of Compromise (IOCs) associated with this incident, as no group or individual has claimed responsibility for the attack. Nevertheless, we continue to monitor the situation closely.

Conclusion

While the suspected attribution for the September 2025 airport disruptions remains pending, CYFIRMA Research assesses Alixsec, Scattered Spider, and the Rhysida ransomware group as plausible actors, based on their prior targeting statements, history of high-visibility attacks, and operational capabilities. The incident highlights systemic vulnerabilities in service providers supporting critical airport functions and underscores the need for proactive cyber defenses, continuous threat monitoring, and cross-border coordination to mitigate the risks posed by these threat actors.

Recommendations and Mitigations

Immediate Recommendations

1. Vendor Access Hardening

Re-verify all Collins Aerospace and third-party identities.
Reset credentials and enforce phishing-resistant multi-factor authentication (MFA).
Lock down support workflows, eliminating SMS-only resets.

2. Network Segmentation & Containment

Validate strict segmentation between airport operational networks and vendor-managed systems.
Ensure the capability to rapidly isolate vendor connections if needed.

3. Backups & Fallback Procedures

Test restoration of MUSE-equivalent services and manual workflows.
Maintain offline, immutable backups of critical configurations and operational data.

4. Threat Hunting & Monitoring

Conduct proactive searches for IOCs and behaviors linked to ransomware operators (e.g., unauthorized admin tools, new scheduled tasks, lateral movement via remote tools).
Monitor hacktivist channels, forums, and marketplaces (Telegram, underground, and dark web platforms) for leaked datasets, planned campaigns, or indicators related to Alixsec or other suspected groups.

5. Access & Account Security

Enforce immediate password resets for all employees with access to operational systems, particularly those managing check-in, boarding, and flight management platforms.
Implement mandatory MFA for all corporate and service provider accounts.

6. System & Email Security

Conduct comprehensive system scans using updated EDR/antivirus solutions to detect potential IoCs in service provider and airport networks.
Strengthen email filtering policies to block phishing attempts, a common initial access vector for politically motivated attackers.

7. Training & Awareness

Refresh employee and contractor cybersecurity training, emphasizing phishing awareness, operational security hygiene, and timely reporting of suspicious activity.

8. Third-Party Oversight

Regularly review and audit third-party service providers’ cybersecurity posture to ensure adherence to security standards and reduce supply chain risk.