On 19–20 September 2025, multiple major European airports (Heathrow, Brussels, Berlin) experienced severe disruptions to check-in, boarding, and baggage systems after an attack on Collins Aerospace’s MUSE platform, forcing manual operations, delays, and cancellations. CYFIRMA assesses Alixsec, Scattered Spider, and Rhysida as plausible actors based on prior targeting and operational history. #CollinsAerospace #MUSE #Alixsec #Rhysida
Key points
- The incident occurred 19–20 September 2025, peaking the morning of 20 September, and impacted automated check-in, boarding pass issuance, and baggage drop services.
- Collins Aerospace’s MUSE check-in/boarding platform is identified as the affected third-party vendor, suggesting a supply-chain-style exploitation.
- Heathrow, Brussels, and Berlin airports reverted to manual fallback procedures, causing cancellations, diversions, and extensive passenger delays.
- No confirmed ransomware encryption or public data exfiltration has been reported, though the disruption mirrors previous ransomware and state-sponsored aviation attacks.
- CYFIRMA assesses Alixsec, Scattered Spider, and Rhysida as plausible threat actors; state-backed groups (APT28, APT33, Lazarus) are also considered possible due to capability and intent.
- Dark-web postings and historical incidents (e.g., Rhysida’s August 2024 attack on Seattle-Tacoma International Airport) provide contextual precedent and motive.
- Immediate mitigations recommended include vendor access hardening, network segmentation, immutable backups, proactive threat hunting, and third-party oversight.
MITRE Techniques
- [T1195] Supply Chain Compromise – Exploitation of Collins Aerospace’s MUSE platform to disrupt multiple airports: “a supply-chain-style intrusion.”
- [T1566] Phishing – Identified as an initial access vector used by APT33: “Phishing (APT33).”
- [T1204] User Execution – User execution noted as an initial access method for APT33: “User Execution (APT33).”
- [T1486] Data Encrypted for Impact – Ransomware encryption cited as a capability of Rhysida and Lazarus Group and a mirrored impact scenario: “Data Encrypted for Impact (Rhysida, Lazarus Group).”
- [T1499] Endpoint Denial of Service – Denial-of-service identified as an execution tactic used by Alixsec: “Endpoint Denial of Service (Alixsec).”
- [T1491] Defacement / Wiper – Defacement/wiper activity attributed to Alixsec and Lazarus as possible destructive impacts: “Defacement / Wiper (Alixsec, Lazarus Group).”
- [T1078] Valid Accounts – Use of valid accounts for persistence and privilege escalation by APT28 and APT33: “Valid Accounts (APT28, APT33).”
- [T1021] Remote Services – Remote services leveraged for persistence by APT28 and APT33: “Remote Services (APT28, APT33).”
- [T1070] Indicator Removal – Indicator removal used by Rhysida to evade detection: “Indicator Removal (Rhysida).”
- [T1027] Obfuscated Files or Information – Obfuscation techniques attributed to Lazarus Group for defense evasion: “Obfuscated Files or Information (Lazarus Group).”
- [T1489] Service Stop – Service stoppage as an impact technique associated with Rhysida: “Service Stop (Rhysida).”
- [T1041] Exfiltration Over C2 Channel – Data exfiltration via C2 channels attributed to APT28 and APT33: “Exfiltration Over C2 Channel (APT28, APT33).”
- [T1530] Data from Cloud Storage – Exfiltration from cloud storage referenced for Alixsec and Rhysida: “Data from Cloud Storage (Alixsec, Rhysida).”
Indicators of Compromise
- [File names / Posts] Dark-web postings and leaked dataset references – An Excel file with Heathrow infrastructure details leaked to Telegram and RaidForums, dataset listings on leak sites (example: “Heathrow infrastructure Excel”), and similar leak postings for the Port of Seattle.
- [Groups / Threat Actors] Observed threat actors and forum handles – Telegram group “alixsecenglish” and Hydra Market 2 threads discussing infrastructure data.
- [Incident References] Historic victim listings – Rhysida leak site listing for Port of Seattle / Seattle-Tacoma International Airport (example listing noted from 17 Sep 2024).
- [Other] No confirmed technical IOCs published – the report states “there are no known Indicators of Compromise (IOCs) associated with this incident” as of publication; monitoring is ongoing.