Executive Summary
Between August and September 2025, multiple European airports experienced disruptions tied to a third‑party passenger‑processing outage later confirmed as a ransomware event at a vendor. The campaign—frequently linked in reporting to RTX—combined data theft with selective encryption against airport‑adjacent IT (airlines, handlers, shared services), causing check‑in and bag‑drop failures, queues, and delays. Core ATC/airport OT was not confirmed as encrypted; however, IT dependencies (DCS, middleware, tenant systems) created cascading operational impact across hubs including Heathrow (LHR), Brussels (BRU), and Berlin (BER).
Why this matters for Europe: The incidents illustrate how European hub ecosystems—with many tenants and shared platforms—can be disrupted via a single supplier under NIS2/UK NIS obligations, raising stakes for supply‑chain security, data breach obligations, and airport continuity plans.
Scope & Sources
- Timeframe: Late August to September 2025.
- Geography: Europe (EU member states, EEA and UK).
- Scope: Only airport‑related impact in Europe (airports, airlines, handlers, airport IT providers). Non‑aviation incidents are out of scope.
- Sources: Protos AI internal monitoring; uploaded “Deep_Dive_Report_RTX_Ransomware_Attacks_on_European_Airports_September_2025.pdf”; European press and sector advisories (ENISA, national CERTs, UK NCA announcements).
Use this canvas to track facts vs. analysis. Mark unconfirmed items clearly.
Key Judgments (Analyst Assessment)
- Primary objective: Financial extortion leveraging data exfiltration and targeted encryption in airport‑adjacent IT domains (not ATC/airport OT).
- Access vectors: Likely mix of credential compromise (phishing/infostealers), public‑facing service exploitation, and supplier footholds; lateral movement through RMM tools and PsExec‑style utilities.
- Blast radius control: Evidence suggests targeted policies to maximize passenger‑visible disruption while avoiding safety‑critical OT.
- Leak discipline: Rapid leak‑site postings and staged proof‑of‑exfil increased coercive pressure on European airport authorities and vendors.
- European context: Incidents implicate common‑use platforms (e.g., DCS/MUSE‑like services) and NIS2‑relevant supplier risk; reinforces need for contractual security baselines and joint drills.
(Confidence: moderate.)
Incident Overview (Timeline)
- 19–20 Sep 2025 (Fri–Sat): A third‑party outage on the Collins Aerospace MUSE passenger‑processing platform triggers disruptions across multiple European hubs, including Heathrow (LHR), Brussels (BRU), and Berlin (BER). Airports fall back to manual check‑in and bag‑drop; delays and a limited number of cancellations occur.
- 21–22 Sep 2025 (Sun–Mon): Progressive restoration continues. Queues and knock‑on delays persist at affected hubs, including Heathrow.
- 22 Sep 2025 (Mon): Sector authorities confirm the incident involves ransomware at a third‑party provider supporting airport operations. Recovery efforts continue.
- 24 Sep 2025 (Wed): UK law enforcement announces an arrest related to the wider investigation into the European airport disruptions.
- 25 Sep 2025 (Thu): Industry wrap‑ups emphasize supply‑chain risk around MUSE/common‑use systems. Notifications and clean‑up continue across airports and vendors.
Threat Actor Snapshot — RTX
- Motivation: Financial extortion (RaaS‑style economics with flexible affiliates).
- Playbook: Data exfiltration → selective encryption → leak pressure.
- Negotiation posture: Short timelines; escalation via public shaming and outreach to third parties.
- Overlap: Common access chains using Cobalt/Sliver/NetSupport, AnyDesk/RustDesk/ScreenConnect footholds, and commodity infostealers.
Attribution to a single parent crew remains tentative. Keep language conservative in public-facing materials.
Case Note: Heathrow (LHR)
- Disruption window: 20–22 Sep 2025.
- Impact: Long queues at departures; manual check‑in and baggage processing; flight delays and isolated cancellations.
- Root cause: Third‑party MUSE passenger‑processing outage associated with a ransomware event at the vendor. No evidence of effects on ATC or core airport OT.
- Current status (26 Sep 2025): Services restored; post‑incident review and vendor hardening under way.
Technical TTPs (ATT&CK‑Mapped)
Curated to include only techniques evidenced or strongly consistent with the European airport incidents (Aug–Sep 2025).
| ATT&CK Tactic | Technique | ID | Airport-Specific Example | Practical Detection Ideas |
| --- | --- | --- | --- | --- |
| Initial Access | Spearphishing Attachment / Link | T1566.001 / T1566.002 | Vendor/tenant phishing for SSO credentials; MFA-bypass lures | SEG + sandbox; high-risk sender heuristics; OAuth consent monitoring |
| Initial Access | Exploit Public-Facing Application | T1190 | VPN/Citrix/helpdesk flaws on airport IT/supplier edge | WAF & virtual patching; attack-surface mgmt; auth endpoint anomaly alerts |
| Initial Access | Valid Accounts | T1078 | Infostealer logs reused on airport/vendor IdP | Risky sign-in (impossible travel, new ASN/hosting); step-up MFA |
| Execution | PowerShell / Command-Line Interface | T1059.001 / T1059.003 | Scripts to dump creds, stage payloads on airport AD | Constrained language mode; PowerShell transcript logging; parent-child process correlation |
| Execution | User Execution (Malicious File) | T1204.002 | Staff tricked into opening macro-enabled vendor invoice | AMSI scanning; block macros from internet; user warning telemetry |
| Persistence | Scheduled Task / Registry Run Keys | T1053.005 / T1547.001 | Maintaining foothold in airport IT laptops | Sysmon Event ID 1, 13; registry autorun monitoring; AMSI for wscript/cscript |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Exploiting unpatched Windows drivers on ops workstations | Kernel exploit alerting; EDR heuristic on token manipulation |
| Credential Access | OS Credential Dumping | T1003 | Dumping LSASS from airport AD server | EDR detect Mimikatz patterns; LSASS access prevention; Credential Guard |
| Discovery | Network Service Scanning / Remote System Discovery | T1046 / T1018 | Scanning airport ops VLAN for accessible control servers | IDS detect scanning; network segmentation; EDR unusual process spawning nmap |
| Lateral Movement | Remote Services (SMB/WinRM/RDP) | T1021.002 / T1021.006 | Moving from IT to ops enclaves via misconfigured RDP | Limit lateral RDP; monitor for abnormal parent-child process with mstsc/winrs |
| Command & Control | Web Service / Encrypted Channels | T1102 / T1573 | HTTPS C2 over airport proxy to Slack/Telegram API | SSL inspection + anomaly detection; block unsanctioned cloud apps |
| Exfiltration | Exfiltration Over Web Services | T1567.002 | Leaking passenger PII via Dropbox/Drive | DLP; CASB monitoring; block unauthorized sync tools |
| Impact | Data Encrypted for Impact (Ransomware) | T1486 | Encrypting airport flight ops IT systems | Immutable backups; anomaly-based detection; SOC playbooks |
Detection & Response Playbook (Airport/Vendor)
Host & Identity
- Alert on mass token refresh/MFA prompts; unusual SSO from hosting ASNs.
- Detect shadow copy deletion, EDR disablement, and backup tampering.
- Watch for RMM installs (AnyDesk/ScreenConnect/RustDesk) outside change windows.
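Added example (not part of this report or any vendor's tooling): a small detector for two of the Host & Identity items above, RMM installs outside change windows and shadow-copy/backup tampering, run over constructed process-creation events shaped like Sysmon Event ID 1. Host names, users, the change window and the sample events are assumed values, not real airport telemetry.

```python
"""Added example, not from the report: checks two Host & Identity items above
(RMM installs outside change windows; shadow-copy/backup tampering) against
process-creation events shaped like Sysmon Event ID 1. Hosts, users and the
change window below are constructed, not real airport telemetry."""
import re
from datetime import datetime

# RMM tools named in the playbook; expected only inside an approved change window.
RMM_IMAGES = {"anydesk.exe", "screenconnect.clientsetup.exe", "rustdesk.exe"}
# Command lines that delete shadow copies or disable recovery (encryption prep).
TAMPER_PATTERNS = [
    ("vssadmin", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
]
# Assumed approved change window: (host name regex, start, end). Constructed.
CHANGE_WINDOWS = [
    (re.compile(r"^lhr-it-"), datetime(2025, 9, 18, 22, 0), datetime(2025, 9, 19, 2, 0)),
]

def in_change_window(host, ts):
    return any(p.search(host) and start <= ts <= end for p, start, end in CHANGE_WINDOWS)

def evaluate(event):
    """Return alert tags for one event; an empty list means nothing to raise."""
    alerts = []
    ts = datetime.fromisoformat(event["ts"])
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image in RMM_IMAGES and not in_change_window(event["host"], ts):
        alerts.append(f"RMM_OUTSIDE_CHANGE_WINDOW:{image}")
    for name, pattern in TAMPER_PATTERNS:
        if pattern.search(event["cmd"]):
            alerts.append(f"BACKUP_TAMPERING:{name}")
            break
    return alerts

# Constructed sample events (field names follow Sysmon Event ID 1 loosely).
SAMPLE_EVENTS = [
    {"ts": "2025-09-18T23:10:00", "host": "lhr-it-ws07", "user": "svc_vendor",
     "image": r"C:\Users\svc_vendor\AppData\Local\AnyDesk.exe", "cmd": "AnyDesk.exe --install"},
    {"ts": "2025-09-19T03:41:00", "host": "bru-dcs-app02", "user": "ops_admin",
     "image": r"C:\Windows\Temp\rustdesk.exe", "cmd": "rustdesk.exe --silent-install"},
    {"ts": "2025-09-19T04:02:00", "host": "bru-dcs-app02", "user": "ops_admin",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-09-19T09:00:00", "host": "ber-checkin-11", "user": "agent14",
     "image": r"C:\Program Files\CheckinClient\client.exe", "cmd": "client.exe /station 11"},
]

def run(events=SAMPLE_EVENTS):
    """Flatten to (host, alert) pairs so a SOC can route them per host."""
    return [(e["host"], a) for e in events for a in evaluate(e)]
```

The first AnyDesk install falls inside the assumed change window and is suppressed; the RustDesk install and the vssadmin call on the DCS application server are the two events that would page.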
Network & Exfiltration
- Model low‑and‑slow exfil to object stores (S3‑compatible endpoints, Mega, VPS).
- Hunt C2 pivots (Cobalt/Sliver/NetSupport): TLS JA3/JA4 clusters, DoH outliers.
- Alert on SMB write bursts to admin shares (encryption prep) and cross‑host service starts.
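Added example (not part of this report): a sliding-window detector for the "SMB write bursts to admin shares" item above, run over constructed events shaped like Windows Security event 5145 (network share object access). Host names, the 5-minute window and the 3-target threshold are assumptions chosen for illustration.

```python
"""Added example, not from the report: sliding-window detector for the "SMB write
bursts to admin shares" item above, run over constructed events shaped like Windows
Security event 5145 (network share object access). Hosts and thresholds are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}       # typical targets when a payload is pushed to many hosts
WINDOW = timedelta(minutes=5)         # burst window (assumed)
MIN_TARGETS = 3                       # distinct hosts written to inside WINDOW (assumed)

def detect_admin_share_bursts(events, window=WINDOW, min_targets=MIN_TARGETS):
    """events: dicts with ts/src/target/share/access, sorted by ts.
    Returns one (src, window_start, targets) tuple per bursting source."""
    recent = defaultdict(deque)        # src -> deque of (ts, target) inside the window
    alerted, hits = set(), []
    for e in events:
        if e["share"].upper() not in ADMIN_SHARES or "WRITE" not in e["access"].upper():
            continue                   # reads and non-admin shares are not encryption prep
        ts = datetime.fromisoformat(e["ts"])
        q = recent[e["src"]]
        q.append((ts, e["target"]))
        while ts - q[0][0] > window:   # drop writes that fell out of the window
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= min_targets and e["src"] not in alerted:
            alerted.add(e["src"])
            hits.append((e["src"], q[0][0].isoformat(), sorted(targets)))
    return hits

# Constructed sample: one workstation fanning out to DCS app servers, one backup
# server writing to C$ on two hosts 19 minutes apart (benign under this threshold).
SAMPLE_EVENTS = [
    {"ts": "2025-09-19T04:10:00", "src": "lhr-it-ws07", "target": "bru-dcs-app01", "share": "ADMIN$", "access": "WriteData"},
    {"ts": "2025-09-19T04:10:40", "src": "lhr-it-ws07", "target": "bru-dcs-app02", "share": "ADMIN$", "access": "WriteData"},
    {"ts": "2025-09-19T04:11:05", "src": "bkp-srv01", "target": "lhr-checkin-03", "share": "C$", "access": "WriteData"},
    {"ts": "2025-09-19T04:11:30", "src": "lhr-it-ws07", "target": "bru-dcs-app03", "share": "IPC$", "access": "ReadData"},
    {"ts": "2025-09-19T04:12:10", "src": "lhr-it-ws07", "target": "bru-dcs-app03", "share": "ADMIN$", "access": "WriteData"},
    {"ts": "2025-09-19T04:12:50", "src": "lhr-it-ws07", "target": "bru-dcs-app04", "share": "ADMIN$", "access": "WriteData"},
    {"ts": "2025-09-19T04:30:00", "src": "bkp-srv01", "target": "lhr-checkin-04", "share": "C$", "access": "WriteData"},
]

def run(events=SAMPLE_EVENTS):
    return detect_admin_share_bursts(events)
```

Only the workstation trips the threshold, on its third distinct admin-share write; the backup server's two writes are outside each other's window, and the IPC$ read is ignored.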
Continuity & Communications
- Pre‑stage manual check‑in/baggage runbooks; test tenant/vendor call trees.
- Coordinate rapid data‑breach assessment for GDPR/NIS2 exposure while restoring services.
Hardening Priorities (30‑Day Checklist)
- Third‑Party Controls: Vendor tiering; baseline security controls; session‑recorded RMM; least privilege; break‑glass accounts with phishing‑resistant MFA.
- Identity Resilience: Conditional access (geo/ASN/device posture); fast token invalidation; admin paths with WebAuthn/Passkeys.
- Backup Strategy: 3‑2‑1 with immutable copies; restore drills for DCS/AODB/handlers.
- Network Segmentation: Tenant/vendor zones; restrict East‑West; proxy egress allow‑lists; dedicated exfil detection.
- Endpoint & Email: Block .lnk and Internet‑sourced macros; strip archives; EDR with canary files.
Sources & Further Reading (Europe‑Only)
- Reuters — European airports work to bring check-in back to normal after cyberattack (Sep 22, 2025): https://www.reuters.com/business/aerospace-defense/eu-agency-says-third-party-ransomware-behind-airport-disruptions-2025-09-22/
- The Guardian — Disruption continues at Heathrow, Brussels and Berlin airports after cyber-attack (Sep 21, 2025): https://www.theguardian.com/business/2025/sep/21/delays-continue-at-heathrow-brussels-and-berlin-airports-after-alleged-cyber-attack
- Reuters — UK police arrest man over hack that affected European airports (Sep 24, 2025): https://www.reuters.com/business/aerospace-defense/uk-police-arrest-man-over-cyber-attack-that-affected-european-airports-2025-09-24/
- AP News — Man arrested in UK over alleged cyberattack that affected European airports (Sep 25, 2025): https://apnews.com/article/941e5bfe2bc2a327aeabd9a3095f1426
- TechCrunch — EU cyber agency confirms ransomware attack causing airport disruptions (Sep 22, 2025): https://techcrunch.com/2025/09/22/eu-cyber-agency-confirms-ransomware-attack-causing-airport-disruptions/
- TechCrunch — European airports still dealing with disruptions days after ransomware attack (Sep 23, 2025): https://techcrunch.com/2025/09/23/european-airports-still-dealing-with-disruptions-days-after-ransomware-attack/
- Reuters — Collins Aerospace working on restoring software for airlines hit by cyberattack (Sep 24, 2025): https://www.reuters.com/business/aerospace-defense/collins-aerospace-working-restoring-software-airlines-hit-by-cyber-attack-2025-09-24/
- Cybernews — ENISA confirms ransomware behind chaos at airports (Sep 23, 2025): https://cybernews.com/news/enisa-confirms-ransomware-behind-chaos-at-airports/
- Industrial Cyber — ENISA confirms ransomware behind airport disruptions (Sep 22, 2025): https://industrialcyber.co/threats-attacks/enisa-confirms-ransomware-behind-airport-disruptions-delays-at-heathrow-brussels-berlin-continue/
- Acronis TRU — ARINC’s MUSE Disruption Impacts Flights Across Europe (Sep 25, 2025): https://www.acronis.com/en/tru/posts/arincs-common-use-passenger-processing-system-muse-disruption-impacts-flights-across-europe/
- CYFIRMA — From MUSE to Manual: Cyberattack Analysis on European Airport Operations (Sep 23, 2025): https://www.cyfirma.com/research/from-muse-to-manual-cyberattack-analysis-on-european-airport-operations/
- World Economic Forum — European airports and cyber resilience: Latest wake-up call (Sep 2025): https://www.weforum.org/stories/2025/09/european-airports-cyber-incident-critical-infrastructure/