A coordinated cyber strike hobbles check‑in systems at London, Brussels and Berlin, exposing Europe’s aviation weak spots

Europe woke up to a familiar but still unsettling scenario on Saturday: long queues snaking across terminal halls, departure boards freckled with delays, and staff dragging keyboards and printers onto counters as airlines reverted to manual operations. A cyberattack on the MUSE passenger‑processing platform from Collins Aerospace—a subsidiary of RTX—disrupted check‑in, boarding, and baggage drop at major European gateways, including London’s Heathrow, Brussels Airport, and Berlin Brandenburg. By midday, hundreds of flights were delayed and a smaller but mounting number canceled. The incident did not affect air traffic control or flight safety systems, officials stressed, yet it was enough to throw the continent’s busiest travel corridors off balance.

As operators throttled back to clipboards and handwritten bag tags, the ripple effects grew. Brussels reported the heaviest early impact, warning of ongoing cancellations and advising airlines to trim schedules to help clear backlogs. Heathrow cautioned passengers to confirm status before leaving home. Berlin said it cut connections to compromised systems as a precaution while ground handlers switched workflows. Airlines, from European low‑cost carriers to transatlantic operators, stood up contingency plans—prioritizing long‑haul departures and rebooking short‑haul passengers where possible. The result was familiar pandemic‑era triage without the public‑health context.

Investigators are still piecing together what happened and who did it. The working picture, according to cybersecurity officials who spoke on background, is that attackers penetrated or disabled a layer of the distributed check‑in environment—software designed precisely to be resilient because it is shared by many airlines and airports. Collins confirmed a “cyber‑related disruption” to its MUSE software at select airports and said restoration was underway. The European Commission reinforced that aviation safety remained intact. National cyber agencies opened inquiries, sharing indicators of compromise across member states and the U.K.

Attribution, as so often in cyberspace, is contested terrain. No group has credibly claimed responsibility. Ransom notes have not surfaced publicly. Forensic breadcrumbs—in the form of command‑and‑control infrastructure, malware signatures, or time‑zone‑coded developer artifacts—may take days to resolve, and could still point to a false flag. Yet European intelligence officials say the tradecraft echoes prior “hybrid” campaigns tied to Russian military and intelligence services: targeted disruption of civil infrastructure, deniable enough to avoid immediate escalation but visible enough to transmit a message. Since 2015, the Kremlin’s cyber units and aligned proxies have been accused of everything from blackouts in Ukraine to destructive wiper attacks like NotPetya that ricocheted through global supply chains.

This weekend’s attack was not destructive in the same way—no servers were reportedly bricked, no permanent data loss disclosed. Instead, it hit where modern aviation is most exposed: the operational plumbing that stitches together dozens of vendors. Booking engines, departure control, baggage sortation, identity verification, payments, and airline apps all depend on a lattice of third‑party services. The more standardized those layers become, the more efficient day‑to‑day operations are—and the richer the single points of failure appear to adversaries. In this case, striking the common passenger‑processing layer forced airports into the digital equivalent of single‑lane traffic, at scale.

Brussels was first to acknowledge the blow publicly, citing a ‘large impact’ and a switch to manual procedures. Heathrow, Europe’s busiest international hub, said queues and delays were likely for much of the day and cautioned of some cancellations as airline rosters were re‑sequenced. Berlin reported cutting connections to a service provider after detecting the attack and warned of knock‑on delays. By evening, many operations were recovering, but airlines warned residual disruption could persist for at least one more schedule cycle as aircraft and crews ended up in the wrong places.

For passengers, the experience felt both 20th‑century and 21st‑century at once: staff with pens and paper, and phones buzzing with push alerts about gate changes and rebookings. Social media filled with anecdotes of families separated across queues, wheelchair assistance delayed, and bag‑drop machines roped off like museum pieces. Many travelers learned more from airline apps than from airport announcements, a reminder that communications architectures can be as brittle as the systems they sit atop.

The political conversation moved quickly. In London, ministers called briefings with the National Cyber Security Centre and the Department for Transport. In Brussels, officials huddled with the Computer Security Incident Response Team and civil aviation authorities. Germany’s Interior Ministry said it was coordinating with state‑level cyber units and airport police. None named a culprit, but several pointed to a pattern of ‘hybrid interference’ that blends cyber operations, disinformation, and pressure on critical infrastructure to test Europe’s response thresholds without tripping them.

If Moscow is behind the incident—as some security officials privately suspect—what would the motive be? Analysts sketch three overlapping hypotheses. First, punitive signaling: a reminder that Europe’s support for Ukraine carries costs beyond defense budgets. Second, reconnaissance: an opportunity to map response playbooks and vendor dependencies in near‑real conditions. Third, economic friction: even moderate disruption to hub airports exacts real costs on airlines and cargo shippers, with downstream effects on supply chains already stressed by energy and logistics volatility. Each motive is deniable; all three align with Russia’s established doctrine of strategic ambiguity in the cyber domain.

Airlines and airports, for their part, will use this as a forcing function. Executives have long worried about concentration risk among critical vendors, yet economies of scale keep pulling the industry toward common platforms. Expect a new push for contractual ‘cyber‑SLA’ clauses that define not just uptime but incident communication windows, forensic access for independent assessors, and joint red‑team exercises across airport ecosystems. Regulators, too, may dust off draft rules that treat airline IT providers as critical infrastructure, extending security and reporting obligations more familiar to energy or finance.

There are practical lessons from the day, many of them unglamorous. Manual fallback drills—muscle memory that atrophies without practice—proved their worth. Airports with pre‑staged paper stock and extra printer spares pivoted faster. Carriers that trained cabin crews to issue provisional boarding passes reduced choke points at counters. Baggage‑handling contractors that rehearsed ‘hold all bags until reconciled’ protocols avoided having to offload aircraft after doors closed. None of this prevents an attack; all of it limits the damage window.

Industry veterans also point to architectural shifts with outsized payoff. Stronger segmentation between airport networks and shared vendor platforms, more aggressive use of hardware security keys for privileged access, and broader adoption of verifiable ‘clean rooms’ for system restores can shave hours off recovery. So can tabletop exercises that include law enforcement and border control, whose checkpoints can become unexpected bottlenecks when departure control systems hiccup. After years of investing heavily in biometric gates and self‑service kiosks, some operators may rethink the balance between automation and human‑in‑the‑loop resilience.

The broader geopolitical story is familiar: a contest of endurance between Europe and Moscow that ranges from artillery and drones on Ukraine’s front lines to sabotage campaigns and gray‑zone cyber operations farther afield. Airports are particularly attractive pressure points because they concentrate people, capital, and political attention. Sabotage that does not break airplanes but strands passengers can be framed as nuisance rather than act of war—yet it still extracts a price in public patience and confidence.

By late Saturday, most airports reported gradual normalization, though airlines warned of lingering mismatches between aircraft and crew duty limits into Sunday. Brussels pressed carriers to thin schedules to help operations reset. Heathrow’s departure punctuality improved through the evening as manual check‑ins sped up and some systems came back online. Berlin kept contingency procedures in place. Investigators will now chase logs and malware samples, hunting for signatures that rise above the noise of a vendor’s global footprint.

In the coming days, expect familiar claims and counter‑claims. Russia will deny involvement. Western officials will hedge, pending forensics, even as they circulate advisories warning other sectors—rail, ports, hospitals—to harden external interfaces and prepare for copycats. Insurers will re‑examine cyber exclusions in airline policies. And travelers will again discover how quickly the convenience of seamless digital journeys can become a liability when a single shared component falters.

Europe’s restraint in the face of such incidents is strategic—but not infinite. If investigators tie the attack to a state actor, policymakers could escalate with targeted sanctions on individuals and entities in the cyber ecosystem, coordinated law‑enforcement actions against infrastructure, and quiet counter‑measures in kind. Absent smoking‑gun attribution, the most likely response is less cinematic but more durable: tightening the bolts on the systems that keep people moving. After this weekend, no CIO in European aviation will lack budgetary justification.

For the millions of passengers who will never read a forensic report, the yardstick is simple: how quickly could they check in, and did their bags arrive? On Saturday, the answer too often was ‘slowly’ and ‘eventually.’ That was enough to remind Europe that in modern conflict, the runway to disruption is measured less in missiles than in messages sent across the wire.

— Sources —

• Associated Press, Sept. 20–21, 2025 (cyberattack on check‑in systems impacting Brussels, Berlin, Heathrow)

• Reuters, Sept. 20–21, 2025 (Collins Aerospace MUSE disruption; delays and cancellations across Europe)

• The Guardian, Sept. 20, 2025 (Heathrow delays and cancellations; investigation status)

• Bloomberg, Sept. 20, 2025 (Heathrow and Berlin delays tied to technical/cyber issue at provider)

• Euronews / AP photo, Sept. 20, 2025 (Brussels disruption imagery and context)