A cybersecurity incident reported Friday, Sept. 19 involving Collins Aerospace’s automatic check-in and boarding software was confirmed Sept. 22 as the result of a ransomware attack, according to the European Union Agency for Cybersecurity (ENISA).ENISA reportedly told the BBC Monday that the ransomware was used to scramble the automatic check-in systems.As of Monday afternoon Eastern, the threat actor behind the attack was still not known.Several of Europe's busiest airports spent several days juggling hundreds of delays and cancellations while trying to restore operations to normal, including at Brussels Airport, Dublin Airport, and Berlin’s Brandenburg and London’s Heathrow airports.The BBC reported that it has seen internal crisis communications from staff inside Heathrow Airport that urged airlines to continue using manual workarounds to board and check-in passengers as its team works to restore operations.According to the New York Times, Collins Aerospace parent company RTX said in a statement Saturday that the problem affected its MUSE software, a passenger-processing system used by about 300 airlines at 100 airports worldwide. RTX said the impact is limited to electronic customer check-in and baggage drop."The confirmation that ransomware was behind the disruption of airport check-in systems reinforces how devastating these attacks can be to critical infrastructure,” said Darren Guccione, co-founder and CEO at Keeper Security. “What began as a single compromise cascaded into delayed flights, cancelled schedules and disruptions to travel plans across Europe. This is the modern face of ransomware — no longer confined to IT systems, but extending into the physical world, disrupting operations, economies and lives.”Ira Winkler, Field CISO at CYE, pointed out that the supply chain attack demonstrated how these cybercriminals operate professionally, investing significant effort to identify which software supports critical infrastructure and then researching vulnerabilities in those tools.“Their approach indicates careful planning designed to inflict enough disruption to force a ransom payment thwarting attempts to bypass the malware,” said Winkler. “Rather than dramatically changing their tactics, they are applying mature, methodical techniques to select targets and execute attacks.”Gary Orenstein, CCO at Bitwarden, added that the ransomware attack on Collins Aerospace highlighted two persistent vulnerabilities in critical infrastructure.First, threat actors are increasingly going after shared service providers in the software supply chain. By compromising a single vendor, they can disrupt multiple organizations (airports and airlines in this case) across various locations at once. This approach magnifies impact far beyond a single victim.Second, Orenstein said ransomware campaigns succeed when intrusions go undetected long enough for attackers to move laterally and expand account access quickly. Stealth gives them the time to disable recovery paths before encryption begins, while speed ensures that once systems are locked, outages spread widely and rapidly, as observed in this incident.For aviation and other sectors built on a system of interconnected platforms, Oresntein said resilience requires:
- Continuous monitoring of critical accounts and third-party access.
- Strong credential management practices, including strong and unique passwords for business accounts, phishing-resistant authentication such as passkeys, and regular access audits.
- Well-tested backup and recovery procedures to maintain essential services during outages.
