Features 02.10.2025

AI Autopsy: How a Supply Chain Attack Hobbled Some of Europe’s Busiest Airports

Heathrow and other European airports ground to a halt after a cyber attack on Collins Aerospace’s Muse system. It’s time for an autopsy.

Cyber attacks in the aviation sector have increased by 600% over the past year. The aviation supply chain is enormous, which is one of the reasons it’s so susceptible to attack. Phil Muncaster investigates

The aviation industry is no stranger to crippling IT incidents. In fact, they have become depressingly familiar over recent years. Last year’s CrowdStrike-related outage led to huge problems at airports, while an IT issue at London Stansted in May resulted in lengthy queues, delays and missed flights. But rarely has one of these events stemmed from a cybersecurity incident. That makes recent chaos at several European airports, including Heathrow, worthy of comment.

At the time of writing, some of the tactics, techniques and procedures (TTPs) used by the threat actors to compromise US aviation supplier Collins Aerospace are unclear. But some important lessons can still be learned about the nature of third-party risk.

The story so far

The problems began the evening of September 19 when critical check-in software used by airlines at several European airports began experiencing difficulties. The issue was traced back to Collins Aerospace’s ARINC vMUSE (Multi-User System Environment) software. It’s described as a “next-generation common-use passenger processing system (CUPPS) solution that allows multiple airlines to share check-in desks and boarding gate positions at an airport rather than having their own dedicated infrastructure.”


With that out of action, airlines were forced to check in passengers using pen and paper, leading to delays and cancellations for hundreds of flights at Heathrow, Berlin Brandenburg, Brussels, Dublin and Cork airports. The software provider told the BBC that ground staff should plan for at least another week of delays as it tries to rebuild its systems.

Collins Aerospace released an SEC filing confirming ransomware on “systems that support” MUSE, but clarified that “the MUSE airport systems operate outside of the RTX enterprise network, residing on customer-specific networks.” RTX is the aerospace and defence giant that owns Collins Aerospace, Raytheon and Pratt & Whitney. It’s unclear whether data was also taken, although MUSE apparently processes and stores passenger biometrics.

In the absence of official details, noted security researcher Kevin Beaumont posted a revealing string of insights on his Mastodon account, claiming the ransomware was a variant of HardBit “which doesn’t have a portal and is incredibly basic”. He added that the payloads used by the threat actor were detectable even by a free version of Windows Defender “with decade-old static AV detections”. He claimed: “This is not some cyber-mega attack by a ransomware group: it’s extremely poor security hygiene.”

Incident response under fire

Just days after the incident, the UK’s National Crime Agency (NCA) arrested a 40-year-old man in West Sussex on suspicion of Computer Misuse Act offences. In the meantime, incident responders appear to be making some rookie errors. Eleven days after the incident struck, no airports appeared to have restored any of their MUSE terminals.

“After [they] restored domain controllers from backup, the threat actor got back in and started trashing more stuff. The whole thing is a mess, they probably want to pause, take a breath, and think about flushing out the attacker before rebuilding things,” said Beaumont. “I’ve never seen an incident like it. Somebody like the NCSC needs to go in and help them with IR.”

In fact, Brussels Airport is bringing forward its roll-out of a new check-in system, as it was reportedly unable to receive confirmation from Collins Aerospace about whether MUSE terminals could even be restored. As of 11 days after the incident, Heathrow was still running with 76% of departures delayed, with an average delay of 26 minutes. Some 3% of flights had been cancelled. According to Beaumont, Heathrow officials have been told to expect to continue using pen and paper until the week of October 6. Twenty Collins Aerospace IT experts are reportedly at Berlin Airport trying to restore systems there.

Knowing isn’t doing

As Assured Intelligence reported back in June, IT leaders in the aviation sector are well aware of their potential risk exposure. In a 2024 survey, more airline (36%) and airport (40%) respondents cited cyber as their top investment priority than any other answer. The rapidly evolving threat landscape was mentioned by 54% of airport IT leaders as their biggest challenge.

However, that doesn’t mean they’ve been able to address these concerns. The aviation supply chain is enormous. It encompasses entities as diverse as “airworthiness management providers”, “aircrew aero-medical centres” and “air-traffic controller training organisations”, alongside more traditional IT suppliers like Collins Aerospace. A SecurityScorecard study from last year reveals that 97% of the FTSE 100 had suffered a breach in their third-party ecosystem in the previous 12 months.

Building resilience

Experts Assured Intelligence spoke to agree that, despite the chaotic scenes during the first weekend of the ransomware attack, airlines coped reasonably well with the incident. Axians UK crisis management and business resilience specialist Dennis Martin was caught up in the disruption.

“Paper-based boarding kept flights moving – a simple but effective fallback that showed the value of having a plan, even if it shouldn’t have taken an hour to board a small plane,” he says. “Regular training is key.”

Among other lessons learned are:

Supply chain risk must be managed

Organisations must ensure their vendors and suppliers follow appropriate security standards, something required by NIS2, says University of Surrey Centre for Cyber Security lecturer Daniel Gardham.


“They should check for good practice by asking questions like ‘what access does the vendor require? How is data protected? And how quickly do the vendors aim to patch vulnerabilities?’” he tells Assured Intelligence. “Similarly, once a breach does happen, what are the notification processes and resiliency measures? And what is their ability to recover from attacks? Organisations should also ask for evidence of ongoing and relevant security testing.”

Alistair Grange, director of EY’s Cyber Assurance team, adds that clients are increasingly shifting from point-in-time self-assessments to continuous and independently verifiable approaches using threat intelligence feeds and shared evidence platforms.

“On specifics, for a tool like MUSE, I’d be asking the vendor to demonstrate tenant isolation and break-glass procedures, prove they have immutable/offline backups, guarantee real-time telemetry access (SIEM/XDR), and provide details of their approach to patching and hardening, including what gets auto-applied versus waiting for a maintenance window,” he adds.

Testing is critical

Axians UK’s Martin argues that resilience planning often fails because it relies on SLAs and contracts that assume preventative or recovery measures will work as intended.

“Too often, backups haven’t been tested, cyber defences haven’t been properly challenged through robust penetration testing, fallback processes aren’t rehearsed often enough, or supplier contingency plans exist only on paper,” he tells Assured Intelligence. “The only way to build confidence is through relentless testing and training: exercising crisis scenarios, running technical failovers, and probing security measures through penetration tests that go beyond external interfaces to include backup systems and critical components such as Active Directory.”

Partners must share the risk

Martin argues that a “mindset and culture shift” is also critical to building resilience for an event like this one.

“Resilience cannot be achieved in isolation. Modern enterprises depend on webs of critical suppliers and clients, meaning vulnerabilities and risks are often shared,” he adds. “Asking suppliers for evidence of their resilience programmes and how they assure their own supply chains is useful, but real confidence comes from working with them directly: joining crisis exercises, sitting in as a key-client advisor, and planning for key scenarios together.”

Too many organisations are worried that sharing their contingency plans signals unreliability, he claims. “In reality, the opposite is true: openness builds trust and makes plans viable in practice.”

NIS2 will take time to make an impact

In many ways, the disruption that is still affecting European airports is exactly what NIS2 was meant to tackle, by forcing CNI providers to improve their cyber resilience, especially in the supply chain. However, almost half of the EU’s 27 member states haven’t yet transposed the directive into domestic law, including Germany, says EY’s Grange.


“Even those who have transposed are still getting their assurance regimes up and running, so we’re still very much in the ‘mobilisation’ phase for the directive at present,” he explains.

Even when it comes into force, NIS2 does not guarantee that events like this won’t happen in the future.

“Where things should shift, if implementation and assurance are done effectively, is the minimisation of impact on the public through enhanced organisational resilience,” he continues. “So incidents do occur, but CNI providers ‘bounce back’ more quickly and incidents like this one are limited to short delays, with small numbers of providers rather than wholesale flight cancellations across Europe.”

Incident response can be challenging across multiple sites

As evidenced by the insight from researcher Beaumont, Collins Aerospace has been struggling to help its clients recover from the incident. But EY’s Grange offers some words of consolation for the firm.

“Running IR across multiple sites ramps up the difficulty as it requires coordinating forensics, containment, and staged restoration while preserving evidence and avoiding reinfection,” he explains. “It is more challenging still in a scenario like this one, where the different sites are located across national boundaries and the regulatory environment changes.”

An “unusual” incident

Cyber attacks in the aviation sector have increased by 600% over the past year, according to Thales. But few have had such a major impact in the physical world as this one. For aviation companies and other providers in CNI sectors, there’s plenty to absorb.

Researcher Beaumont wrote on social media that the disruption was not the result of a systemic failure. “It’s an extremely unusual incident and essentially involves lax cybersecurity and confused response,” he claimed.

The key for the boards of those organisations will be to ensure their suppliers don’t make the same mistakes.
