Kevin BeaumontARINC SelfServ vMUSE devices are down in airports in EU, they do self service check in. They’re connected to navAviNet aka ARINC Ground Network, managed by Collins Aerospace, who are owned by RTX.
An attacker got onto to the shared network.
sdsykesRTX is Raytheon btw, a large cybersecurity provider. Looking into it.. but so far, looks like e-crime.
The systems impacted are in ARINC Multi-User System Environment (MUSE™) aka Rockwell Collins’ ARINC vMUSE™. This is like the corporate centipede of acquisitions!
Shodan dork if you wanna rubberneck:
org:"ARINC INCORPORATED"
6x AnyConnect VPN boxes offline
BBC good reporting on the ground impact
In theory it should be minimal but in practice airlines have automated many jobs so we’ll see.
The media are reporting this is impacting 3 airports, but it's actually more - the 3 airports are main transport hubs so building up backlogs (eg Heathrow is at 50% delayed flights now) but there's others, they're just smaller.
The most surprising element so far is ARINC didn't tell Heathrow it was cyber related for almost 15 hours.
If any journalists want a list of top impacted airports to check: https://infosec.exchange/@nieldk/115237394885804514
BBC have Dublin and Cork added.
PhreakByte (@[email protected])
@cirriustech @[email protected] here are the “top ten” airports using vMUSE. See any you recognize in Europe as listed in current incident ;) 1. London Heathrow (LHR) 2. Glasgow Airport (GLA) 3. Berlin Schönefeld (SXF) 4. Dublin Airport (DUB) 5. Cork Airport (ORK) 6. Cologne Bonn Airport (CGN) 7. Mazatlán International Airport (Mexico) 8. Zihuatanejo International Airport (Mexico) 9. Monterrey International Airport (Mexico) 10. Velana International Airport (Maldiverne)
ARINC collect passenger biometric data on vMUSE, which is the system which has been impacted (the user identity database in particular, hence why airline staff can't log in either).
Here’s where it began this time yesterday, before the whole thing tumbled off a cliff.
ARINC hope to have vMUSE back online shortly, they’re restoring their Windows environment from backup. Somebody got Domain Admin and totalled it.
ARINC are flying engineers out to airports to try to fix terminals.
Brussels airport, EBBR, have issued this NOTAM: “AD LTD DUE TO AN IT SYSTEM DISRUPTION. AIRLINES ARE TO CANCEL 50
PERCENT OF THEIR DEPARTING PASSENGER FLIGHTS IN THIS TIMEFRAME”
The ARINC incident continues https://www.bbc.co.uk/news/articles/cwy88857llno
Also for anybody interested, ARINC is where the cyber incident is.
ARINC were basically the OG airport network provider, from 1929. ARNIC were sold to Carlyle Group (private equity) in 2007, who sold them to Rockwell Collins in 2013, who sold to United Technologies in 2018, who merged to form Collins Aerospace. Their network looks a mess of US corporate shenanigans… webmail doesn’t even require https yet 😅
Worth noting that airplanes are incredibly safe and resilient after extensive regulation and open and transparent investigations of every air incident…
when you land on the ground, however, air travel is caught in the same cybersecurity bullshit every other industry is caught up in.
The incident continues https://www.bbc.co.uk/news/articles/cqjeej85452o
The ARINC incident is likely to continue through the week. They haven’t yet got the threat out of the network.
After ARINC restored domain controllers from backup, the threat actor got back in and started trashing more stuff. 🫡
The whole thing is a mess, they probably want to pause, take a breathe, and think about flushing out attacker before rebuilding things.
Simon Zerafa
abadidea@GossiTheDog someone sure is going for a felony count high score
Troed Sångberg@GossiTheDog Ouch. Imagine the enormous pressure to "just get it working!!!1" even though you don't know the vector used yet ...
This is probably one of the reasons why M&S and Co-op took a long time to get up and running again?
Understanding what's happened and how so it can be remediated.
Absolutely understandable that systems need to be up and running quickly but working and secured is far better 🫤
wall-e@GossiTheDog mhh maybe now they'll get permission to spend money on competent incident response 😬
The Long Tail@wall_e @GossiTheDog Ahahahahaha. Nope.
@GossiTheDog I like how “about half” is “the vast majority”
Even if it was fixed this minute and the worked perfectly immediately, the disruption will take days to recover to near normal 🫤
Ross Burton@GossiTheDog I bet that one guy at BA who insisted they keep the backup systems is feeling really smug about this!
F4GRX Sébastien@GossiTheDog software provider Collins Aerospace
they should have continued to do radios instead of software!
Steven Op de beeck@GossiTheDog until a door pops off mid flight.
Aaron Galbraithairplanes are incredibly safe in the context of how many variables there are, and compared to activities of similar variables.
The capitalization of airplane manufacturing is a fairly safe bet for capitalists, though increasingly less safe for everyone else.
Clemens ZaunerThe Pilots know exactly know what to do, follow their procedures for that incident (explosive cabin depressurisation) and land the plane safely. Give or take a few injuries and soiled passenger underwear.
Whereas in the airport-cyber incident obviously nobody has any idea what to do and absolute chaos has taken reign.
That's the key point: If you audit a 'cyber-security': just ask for their business continuity plan. And check if it requires 'Computers' to work. It the answer is yes: Insta-fail.
Don't even bother with pen-tests.
Shit happens, and however secure the systems are: there is a way. There is always a way, ander there will always be one.
Higher security just means, that a serious incident is less likely.
Matt Ellery@GossiTheDog I blogged about this a few months ago: https://mattellery.co.uk/posts/2025/07/19/towards-mandatory-blame-free-reporting-of-cyber-security-incidents/
(disclaimer that I'm not a cybersecurity expert, I know that there would be massive challenges to implement etc. etc.)
四@GossiTheDog @piepants But it won’t remain safe if the regulations and investigations go away. Few seem able to connect the dots there.
@GossiTheDog I guess you’re lucky if you’re sharing a flight with the engineers, because they won’t cancel those ones
Adrian Cockcroft@GossiTheDog We decided to take the train to London from Berlin rather than deal with the chaos. BA cancelled flight, proposed a Lufthansa flight via Frankfurt tomorrow as a substitute.
@GossiTheDog at least they had a backup lol
Wouter Hindriks@GossiTheDog
Gott im Himmel!
Gott im Himmel!
Chris Kletsch@Sikorsky78 @GossiTheDog nope, god's grounded as well...
Les@GossiTheDog Back to the future 🙂
Alexander Kknli@GossiTheDog 🙈 that GlassFish is definitely vulnerable to HashDoS (and probably a billion other things)
Henrik Kramselund - kramse 🍉
Brokar@GossiTheDog Jesus Christ! They're talking seriously about safety and security on airports?
How can anyone take these guys seriously after that?
How can anyone take these guys seriously after that?
VessOnSecurity@Brokar @GossiTheDog I'm sure the hackers were asked to take off their shoes before logging into the computers...
Gerbrand van Dieyen@Brokar @GossiTheDog a case of, if it is not broken, don't fix it (eg patch/update/upgrade).
@GossiTheDog More like 2014, no?
EndlessMason@GossiTheDog looks like it's got a year worth of vendor patches, so it's got that going for it, which is nice
Bernard Quatermass@GossiTheDog did nobody tell you to knock before opening strange doors? I’ve been trying change for ages and neither of us needs the trauma.
And some of us have been trying to forget the pain of having to parse AIRIMP type-b messages for decades.
Manuel 'HonkHase' Atug@GossiTheDog Their "cyber-related disruption" look like broken stuff from the past running online 🙄🤦♀️🤷♀️
Flüpke@HonkHase @GossiTheDog well, I thought that’s what “cyber-related disruption” means: Unscheduled maintenance of unmaintained infrastructure.
Adam Shostack 
@GossiTheDog I sure hope Europes privacy regulations limited how long they keep the data.
Alexander Bochmann@adamshostack Is baggage metadata attached to Passenger Name Records?
If yes, it's probably national security stuff, and exempt from most privacy regulation.
Chilly 
@GossiTheDog
My alibi is that I like airports
My alibi is that I like airports
Steve Loughran@GossiTheDog I'll remember this whenever drafting contracts "cybersecurity incidents must be disclosed as such immediately and our own/our designated cybersecurity team given full access"
Franchesca@stevel @GossiTheDog I thought this kind of reporting in infrastructure type industries was already required by law / regulators?
Maxime Thiebaut
SistaRayGerman media report:
Once there are flight delays or cancellations then aircraft and crew are out of place. This will have knock on effects later.
As you know with runny g GossiAir, running an airline is as much logistics as anything else 😁
8tpercent
Wendy Nather
Victoria Walberg@wendynather Good luck with travel to @brucon ! (if you're flying)