DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
Cyber

Ransomware cyberattack disrupts Berlin Brandenburg Airport

20–22 September 2025 · Berlin (Brandenburg Airport), Germany
Satellite Imagery © Esri

What happened

Late on Friday 19 September 2025, Collins Aerospace, an RTX subsidiary, was hit by a cyberattack on its MUSE/vMUSE common-use passenger processing software, which many airlines rely on for check-in, bag drop and boarding. The disruption spread through the weekend to several European hubs, with Berlin Brandenburg Airport (BER) among the most affected alongside Brussels and London Heathrow. With automated kiosks, bag-drop machines and boarding systems unavailable, airlines and ground staff at BER reverted to manual check-in and paper processes, producing long queues, baggage delays and numerous flight delays and cancellations.

The impact at BER persisted for several days. By Monday 22 September, German reporting indicated that roughly 70 percent of departures from Berlin were delayed, and automated kiosks remained partly down. Heavy passenger volumes linked to the Berlin Marathon compounded the congestion. Recovery was gradual, with procedural workarounds restored later in the week. On 22 September the EU cybersecurity agency ENISA confirmed the incident was a ransomware attack affecting a third-party provider. Several security researchers and the Everest ransomware group offered competing claims about the specific malware involved, which were not independently confirmed. On 23 September the UK's National Crime Agency arrested a man in his forties in West Sussex under the Computer Misuse Act; he was later released on conditional bail, and the investigation remained ongoing.

Assessment

This was a supply-chain disruption: a single compromised aviation IT vendor cascaded into operational chaos across multiple national airports, illustrating systemic dependence on shared common-use software. ENISA confirmed ransomware, and a UK arrest followed, pointing toward financially motivated cybercrime rather than a verified state operation. No credible evidence has linked the attack to any government, and attribution to a specific ransomware family remains contested. The episode underlines aviation's concentration risk and the value of robust manual fallback procedures, but it should not be characterised as state-directed hybrid activity on the available evidence.

This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.