DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
Cyber

Ransomware cyberattack disrupts London Heathrow Airport

20–22 September 2025 · London (Heathrow), United Kingdom
Satellite Imagery © Esri

What happened

Late on Friday 19 September 2025, a cyberattack hit Collins Aerospace (an RTX subsidiary) and its MUSE/vMUSE passenger-processing software, a shared platform that many airlines and airports use for electronic check-in, bag drop and boarding. By the morning of Saturday 20 September, London Heathrow, Europe's busiest hub, was affected, with electronic check-in and baggage systems down and staff reverting to manual check-in and ticketing. Passengers faced long queues, flight delays and some cancellations over the weekend of 20 to 22 September. The same attack on Collins Aerospace simultaneously disrupted Brussels Airport and Berlin Brandenburg (BER).

On Monday 22 September, the EU cybersecurity agency ENISA said the disruption was caused by a third-party ransomware incident, without naming the strain at that stage. RTX, the parent company of Collins Aerospace, subsequently confirmed that ransomware was involved in the compromise of its passenger-processing software. Independent security researchers linked the activity to a variant of the HardBit ransomware, though this attribution was not officially confirmed. On 23 September, the UK National Crime Agency (NCA) announced it had arrested a man in his forties in West Sussex on suspicion of Computer Misuse Act offences as part of its investigation; he was later released on conditional bail, and the NCA stressed the inquiry remained at an early stage.

Assessment

This was a criminal ransomware attack on a shared aviation IT supplier rather than a confirmed state-directed operation, and ENISA characterised it as a third-party ransomware incident. Its wide impact across Heathrow, Brussels and Berlin illustrates the systemic risk of concentrated dependence on a single vendor (Collins Aerospace MUSE/vMUSE) for core passenger-processing functions. While researchers have suggested a HardBit link, no formal attribution or motive has been established, and the NCA arrest does not yet confirm responsibility. The incident underscores supply-chain fragility in critical transport infrastructure and the value of manual fallback procedures.

This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.