Heathrow Airport Cyberattack: What Happened, Who’s Affected, and What CISOs Should Know
[Update] October 22, 2025: Everest Group Claims Responsibility and Shares Alleged Proof of Collins Aerospace Breach
[Update] September 23, 2025: BianLian Suspected in the Collins Aerospace Ransomware Attack
A major cybersecurity incident has disrupted flight operations across several European airports, including Heathrow. The root of the issue? A cyberattack on a third-party check-in system provider. This blog breaks down what’s known so far about the incident and explores the most pressing questions for CISOs and aviation cybersecurity professionals.

Q1: What occurred in the Heathrow incident, including scope and current operational status?
On the night of Friday, September 19, 2025, a cyberattack targeted Collins Aerospace’s Muse software, a cloud-based platform used for electronic check-ins and boarding. The attack brought check-in systems offline at several major airports, most notably Heathrow, Brussels, and Berlin.

Heathrow Airport’s statement on September 20, 2025 (X)
Scope of impact:
- Passenger processing, baggage handling, and self-service kiosks were all disrupted.
- Airlines resorted to manual fallback procedures, leading to long queues and stranded passengers.
- As of Sunday, September 21, the disruption had entered a second day, though operations were slowly stabilizing. Heathrow reported delays under 45 minutes and 12 cancellations. No data breach was reported.
Q2: Which European airports were directly affected, and what was the geographic spread?
Primary impacts hit Heathrow (London, UK), Brussels (Belgium), and Berlin (Germany). These three saw the most severe disruptions, with 29 cancellations across them by midday on September 20. No spread to other airports has been confirmed; Collins serves airports across Europe, but its statement limited the impact to “select airports”.
Q3: What is the detailed timeline of the incident from detection to recovery efforts?
A closer look at the incident timeline helps clarify how quickly the disruption unfolded:
- September 19 (Friday night): Cyberattack detected on Collins Aerospace systems, halting electronic check-ins.
- September 20 (Saturday): Full disruption; hundreds of delays and at least 16 cancellations (Brussels hardest hit); manual operations activated at Heathrow, Brussels, and Berlin.
- September 21 (Sunday, ongoing): Recovery underway; delays persist but reduced. Heathrow warns of second-day issues; providers working on full restoration. No estimated full recovery time.
Q4: What is the root cause – internal company issue, third-party vulnerability, or broader IT failure?
This was not an internal Heathrow IT failure, nor was it caused by a faulty software update (unlike the July 2024 CrowdStrike outage). The root cause lies with a third party: a compromise of the cloud-based Muse check-in software run by Collins Aerospace, an RTX subsidiary.
The attack disrupted backend operations and forced the systems offline. It appears to be ransomware in nature, though the specific details of the intrusion remain unclear.
Q5: Which threat actor is confirmed responsible, or what are credible allegations with supporting reasons?
There’s no confirmed threat actor at this time. However, suspicions point toward Russian state-sponsored hackers, based on the sophistication of the attack and its timing – shortly after Collins Aerospace signed a defense deal with NATO.
A NATO-linked cybersecurity expert called the method “very clever,” reinforcing suspicions of a state-backed hybrid warfare effort amid Ukraine tensions. Other theories mention broader “cyber axis” (Russia, China, Iran, North Korea) testing infrastructure, but there’s no concrete evidence supporting those claims.
Update: BianLian Suspected in the Collins Aerospace Ransomware Attack
The airport disruptions were confirmed as the result of a ransomware attack, according to ENISA, which noted it has been monitoring the situation closely. Back in 2023, the BianLian ransomware group alleged it had stolen around 20 GB of data from the company, though Collins never confirmed that breach. With their name now resurfacing, speculation is growing that BianLian may be behind the current attack, though clear attribution remains unconfirmed.

BianLian ransomware has claimed a breach of Collins Aerospace in 2023 (@DailyDarkWeb on X)
Update: Everest Group Claims Responsibility and Shares Alleged Proof of Collins Aerospace Breach
A new development has emerged in the Collins Aerospace cyberattack story. The Everest ransomware group claimed responsibility for the breach and also accused the company of knowingly shutting down its own servers on September 19, shortly before public reports of outages at Heathrow, Brussels, and Berlin airports.
The group alleged that the shutdown was a deliberate containment move and even suggested Collins Aerospace may have tried to “collect insurance money and shift blame for incompetence to a third party.”
For more information about the threat group, visit SOCRadar’s Dark Web Profile: Everest Ransomware
What data and systems does Everest claim to have compromised?
Following these accusations, Everest claimed it had accessed the company’s Muse check-in infrastructure and exfiltrated over 50 GB of sensitive data, including more than 1.5 million passenger records and details from 3,600 airline employees.
According to screenshots and text shared by the group, the stolen information allegedly includes names, emails, operational documents, airline configurations, and SQL dumps. Everest’s post also referenced audit logs and workstation metadata tied to European air travel systems – data that, if genuine, could expose parts of the operational network behind airline check-in processes.
Everest’s listing claiming access to Collins Aerospace systems and passenger data (50GB+ dataset)
How did Everest allegedly gain access to the Muse platform?
The group described an insecure FTP server using default credentials as its entry point. Everest claimed its operators accessed the server between September 10 and 11, downloaded documents, and later lost access after monitoring systems detected the activity. If that account is accurate, the initial access predates the September 19 outage by more than a week; none of it has been confirmed by Collins Aerospace.
Initial access details and FTP exploitation disclosed by Everest
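The entry point Everest describes, an FTP server reachable with default credentials, is exactly the kind of activity the “monitoring systems” in its own account (and the anomaly-detection item in Q10 below) should catch early. The script below is an added example, not code from Collins Aerospace, SOCRadar, or the original post: it parses vsftpd-style log lines and raises findings for a successful login preceded by a run of failures, a login to a known default account, and a user/IP pair whose cumulative downloads cross a byte threshold. The log lines, account names, IP addresses, file paths and thresholds are all constructed assumptions for illustration.

```python
"""Flag default-account FTP logins, brute-force-then-success, and bulk
downloads in vsftpd-style logs.  Added example, not the vendor's code;
the sample log, account list and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Accounts that commonly ship with vendor or default passwords (assumed
# list for the example; extend it with the names your own appliances use).
DEFAULT_ACCOUNTS = {"anonymous", "ftp", "admin", "ftpuser", "test", "guest"}
BULK_BYTES = 50 * 1024 * 1024   # flag once one user/IP pair pulls > 50 MiB
BRUTE_FAILS = 5                 # flag a success preceded by >= 5 failures

# vsftpd's default log line: timestamp, pid, optional [user], optional
# OK/FAIL, action, client IP and, for transfers, path and byte count.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] (?:\[(?P<user>[^\]]*)\] )?'
    r'(?:(?P<status>OK|FAIL) )?(?P<action>[A-Z]+): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)", (?P<size>\d+) bytes)?'
)

@dataclass
class Event:
    ts: datetime
    user: Optional[str]
    status: Optional[str]
    action: str
    ip: str
    path: Optional[str]
    size: int

@dataclass
class Finding:
    kind: str
    user: Optional[str]
    ip: str
    detail: str

def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a recognised vsftpd line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(ts=datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                 user=m["user"], status=m["status"], action=m["action"],
                 ip=m["ip"], path=m["path"], size=int(m["size"] or 0))

def analyse(lines) -> list:
    """Single pass over log lines; findings come back in the order raised."""
    findings = []
    fails = defaultdict(int)    # ip -> failed logins since the last success
    pulled = defaultdict(int)   # (user, ip) -> bytes downloaded so far
    for ev in filter(None, map(parse_line, lines)):
        if ev.action == "LOGIN":
            if ev.status == "FAIL":
                fails[ev.ip] += 1
                continue
            if fails[ev.ip] >= BRUTE_FAILS:
                findings.append(Finding("login_after_bruteforce", ev.user, ev.ip,
                                        f"{fails[ev.ip]} failed logins preceded success"))
            fails[ev.ip] = 0
            if ev.user and ev.user.lower() in DEFAULT_ACCOUNTS:
                findings.append(Finding("default_account_login", ev.user, ev.ip,
                                        f"default account used at {ev.ts:%Y-%m-%d %H:%M}"))
        elif ev.action == "DOWNLOAD" and ev.status == "OK":
            key = (ev.user, ev.ip)
            before = pulled[key]
            pulled[key] = before + ev.size
            if before <= BULK_BYTES < pulled[key]:   # report once, on crossing
                findings.append(Finding("bulk_download", ev.user, ev.ip,
                                        f"{pulled[key] / 2**20:.1f} MiB downloaded"))
    return findings

# Constructed sample log (not real data): "admin" is brute-forced from an
# external address on Sept 10 and pulls 70 MiB; a service account does
# routine work on Sept 11 and must not be flagged.
SAMPLE_LOG = """\
Wed Sep 10 22:31:02 2025 [pid 1172] CONNECT: Client "203.0.113.5"
Wed Sep 10 22:31:05 2025 [pid 1171] [admin] FAIL LOGIN: Client "203.0.113.5"
Wed Sep 10 22:31:08 2025 [pid 1171] [admin] FAIL LOGIN: Client "203.0.113.5"
Wed Sep 10 22:31:11 2025 [pid 1171] [admin] FAIL LOGIN: Client "203.0.113.5"
Wed Sep 10 22:31:14 2025 [pid 1171] [admin] FAIL LOGIN: Client "203.0.113.5"
Wed Sep 10 22:31:17 2025 [pid 1171] [admin] FAIL LOGIN: Client "203.0.113.5"
Wed Sep 10 22:31:20 2025 [pid 1171] [admin] OK LOGIN: Client "203.0.113.5"
Wed Sep 10 22:32:01 2025 [pid 1173] [admin] OK DOWNLOAD: Client "203.0.113.5", "/exports/airline_config.zip", 31457280 bytes, 4096.00Kbyte/sec
Wed Sep 10 22:40:44 2025 [pid 1173] [admin] OK DOWNLOAD: Client "203.0.113.5", "/exports/db_dump.sql", 41943040 bytes, 4096.00Kbyte/sec
Thu Sep 11 08:15:12 2025 [pid 1201] [svc_muse] OK LOGIN: Client "10.20.30.40"
Thu Sep 11 08:15:30 2025 [pid 1202] [svc_muse] OK DOWNLOAD: Client "10.20.30.40", "/exports/daily.csv", 20480 bytes, 512.00Kbyte/sec
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:24} user={f.user} ip={f.ip}: {f.detail}")
```

On the sample data the script raises three findings, all for the admin session from 203.0.113.5, and nothing for the service account. The bulk-download rule fires only when the running total crosses the threshold, so a long session produces one alert rather than one per file; in production the same three rules belong in a SIEM with the default-account list and byte threshold tuned to the server's normal traffic, and the FTP server itself replaced or locked down so that default accounts do not exist to be found.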
What evidence has Everest presented to support its claims?
The attackers also shared proof of access, including screenshots of directories, file listings, and configuration notes allegedly tied to Collins Aerospace’s Muse environment. Their post detailed airline-related operational documents and passenger data samples, further suggesting deep access to aviation-linked systems.
In a QTox chat allegedly held with RTX representatives between September 16 and 17, Everest appeared to submit a list of compromised files and requested negotiation through RTX’s vulnerability disclosure portal. Shortly after these interactions, the group’s leak site briefly went offline, returning a “Fatal error” message, which fueled speculation about a possible takedown or internal issue before it later came back online.
Everest’s QTox chat with an alleged RTX representative
Have these claims been verified or acknowledged?
While none of these claims have been verified, they align with the ongoing investigation into the airport disruptions and provide a clearer timeline of the alleged breach. Collins Aerospace and its parent company RTX have not confirmed any compromise, data exfiltration, or negotiation activity as of this writing.
Q6: Which software company bears primary responsibility, and has it issued any official statements or press releases?
On September 20, Collins Aerospace (Muse platform provider) issued a brief statement:
“We have become aware of a cyber-related disruption to our Muse software in select airports. We are actively working to resolve the issue and restore full functionality to our customers as quickly as possible. The impact is limited to electronic customer check-in and baggage drop and can be mitigated with manual check-in operations. We will share more details as they are available.”
Q7: How did the incident impact passengers and airline operations?
The disruption caused widespread chaos across major hubs:
- 29 flights canceled by September 20.
- Hundreds of delays, including flights from Heathrow to destinations like Lisbon, Paris, and Frankfurt.
- Airlines such as EasyJet shifted to manual boarding processes.
- Baggage delays were reported, but cargo logistics remained unaffected.
- While the exact economic cost is unquantified, past incidents suggest losses of around $10 million per day per major airport.
Q8: What is the official response from governments, regulators, or Heathrow leadership?
- Heathrow Airport activated contingency protocols and advised passengers to check flight statuses.
- The UK government and NCSC are monitoring but have not released formal statements. The Prime Minister is reportedly being urged to investigate Russian links.
- The EU’s cybersecurity agency ENISA is coordinating responses, and Brussels has activated its crisis team.
- No official sanctions or alerts have been issued yet.
Q9: How does this compare to similar past aviation cyber incidents, and what unique lessons apply?
This incident bears resemblance to the 2024 Kyiv airport ransomware attack (48 hours outage) and the 2023 Delta Airlines outage (caused by a vendor fault). What makes the Heathrow incident unique is that the attacked vendor was a defense contractor tied to NATO.
The working theory is that state-aligned threat actors are targeting logistics for disruption rather than data theft; whichever attribution proves correct, the aviation sector must now treat supply chain cybersecurity as a strategic defense priority.

SOCRadar’s Supply Chain Intelligence
The Heathrow attack illustrates how supply chain dependencies can become a single point of failure. When a vendor is compromised, entire sectors may feel the impact.
With SOCRadar XTI, you can monitor both your digital footprint and your supply chain. The Supply Chain Intelligence module helps you spot weaknesses, track third-party risks, and anticipate disruptions before they escalate.
Q10: What immediate and long-term action items should other airport CISOs implement to mitigate similar risks?
Immediate Actions
- Audit third-party vendors, especially those handling check-in and boarding systems, including the credentials on any file-transfer servers they expose.
- Test manual fallback protocols at least quarterly.
- Enable real-time anomaly detection for cloud-based systems.
Short-Term (1–3 Months)
- Conduct penetration testing of passenger-facing systems.
- Enforce multi-factor authentication (MFA) for all human and administrative access, and zero-trust policies with mutually authenticated connections for all API integrations.
Long-Term Strategies
- Diversify critical vendors to avoid operational bottlenecks.
- Adopt AI-driven threat hunting tools.
- Participate in EU-wide threat intelligence sharing, like through ENISA.
- Ensure staff are trained in incident response.
- Review cyber insurance for coverage against third-party outages.
- Set vendor caps so no single provider manages more than 20% of operational processes.
