European Airports Hit by Ransomware Attack on Collins Aerospace

Several major airports across Europe experienced significant disruptions following a ransomware attack targeting Collins Aerospace, one of the world’s largest aerospace and defense technology providers.

What Happened

According to the European Union Agency for Cybersecurity (ENISA), the attack that impacted Collins Aerospace services was confirmed as a ransomware incident. While the specific ransomware strain has been identified, details remain confidential as law enforcement agencies continue their investigation.

Collins Aerospace, a subsidiary of RTX (formerly Raytheon), provides essential technology for airport operations, including check-in systems, boarding pass and baggage tag printing, and baggage dispatching. The cyberattack disrupted these systems, forcing airports to rely on manual processes—causing delays and even flight cancellations.

Airports Impacted

The incident affected airports across the UK, Germany, Belgium, and Ireland, with disruptions reported at London Heathrow, Brussels Airport, and Berlin Brandenburg.

  • Heathrow stated that most flights were able to operate with only minor delays.
  • Brussels Airport, however, faced major interruptions, with airlines reportedly asked to cancel nearly 140 flights.

An internal memo from Heathrow, obtained by the BBC, revealed that over 1,000 computers were corrupted and that remote restoration was impossible. The memo also noted that attackers were still present inside Collins Aerospace’s network even after systems had been rebuilt and relaunched.

Expert Analysis

Cybersecurity expert Kevin Beaumont, who has been tracking the attack, suggests that the ransomware likely targeted ARINC communications and information systems, particularly the SelfServ vMUSE platform. Beaumont highlighted that several ARINC-related systems remain exposed online without sufficient security safeguards.

As a result, many users of the ARINC platform were unable to log in, further worsening the operational chaos at airports.

Possible Threat Actors

While attribution remains unclear, some cybersecurity sources point to potential links with the ShinyHunters cybercrime group and their partners, Scattered Spider, both of which have previously targeted the aviation sector.

Although these groups recently claimed to have “retired,” industry experts remain skeptical. Evidence continues to suggest that they are still actively carrying out attacks under the radar.

Why It Matters

This incident highlights the fragility of critical infrastructure when dependent on interconnected digital systems. The attack on Collins Aerospace demonstrates how a compromise in a single technology provider can ripple across multiple countries, creating widespread disruption.

For organizations in aviation and beyond, it’s a stark reminder of the importance of:

  • Proactive threat monitoring
  • Regular system hardening
  • Incident response preparedness
  • Securing third-party vendor ecosystems

Source: https://www.securityweek.com/european-airport-disruptions-caused-by-ransomware-attack