Kevin BeaumontARINC SelfServ vMUSE devices are down in airports in EU, they do self service check in. They’re connected to navAviNet aka ARINC Ground Network, managed by Collins Aerospace, who are owned by RTX.
An attacker got onto to the shared network.
RTX is Raytheon btw, a large cybersecurity provider. Looking into it.. but so far, looks like e-crime.
The systems impacted are in ARINC Multi-User System Environment (MUSE™) aka Rockwell Collins’ ARINC vMUSE™. This is like the corporate centipede of acquisitions!
Shodan dork if you wanna rubberneck:
org:"ARINC INCORPORATED"
6x AnyConnect VPN boxes offline
BBC good reporting on the ground impact
In theory it should be minimal but in practice airlines have automated many jobs so we’ll see.
The media are reporting this is impacting 3 airports, but it's actually more - the 3 airports are main transport hubs so building up backlogs (eg Heathrow is at 50% delayed flights now) but there's others, they're just smaller.
The most surprising element so far is ARINC didn't tell Heathrow it was cyber related for almost 15 hours.
If any journalists want a list of top impacted airports to check: https://infosec.exchange/@nieldk/115237394885804514
BBC have Dublin and Cork added.
PhreakByte (@nieldk@infosec.exchange)
@cirriustech @GossiTheDog@cyberplace.social here are the “top ten” airports using vMUSE. See any you recognize in Europe as listed in current incident ;) 1. London Heathrow (LHR) 2. Glasgow Airport (GLA) 3. Berlin Schönefeld (SXF) 4. Dublin Airport (DUB) 5. Cork Airport (ORK) 6. Cologne Bonn Airport (CGN) 7. Mazatlán International Airport (Mexico) 8. Zihuatanejo International Airport (Mexico) 9. Monterrey International Airport (Mexico) 10. Velana International Airport (Maldiverne)
ARINC collect passenger biometric data on vMUSE, which is the system which has been impacted (the user identity database in particular, hence why airline staff can't log in either).
Here’s where it began this time yesterday, before the whole thing tumbled off a cliff.
ARINC hope to have vMUSE back online shortly, they’re restoring their Windows environment from backup. Somebody got Domain Admin and totalled it.
ARINC are flying engineers out to airports to try to fix terminals.
Brussels airport, EBBR, have issued this NOTAM: “AD LTD DUE TO AN IT SYSTEM DISRUPTION. AIRLINES ARE TO CANCEL 50
PERCENT OF THEIR DEPARTING PASSENGER FLIGHTS IN THIS TIMEFRAME”
The ARINC incident continues https://www.bbc.co.uk/news/articles/cwy88857llno
Also for anybody interested, ARINC is where the cyber incident is.
ARINC were basically the OG airport network provider, from 1929. ARNIC were sold to Carlyle Group (private equity) in 2007, who sold them to Rockwell Collins in 2013, who sold to United Technologies in 2018, who merged to form Collins Aerospace. Their network looks a mess of US corporate shenanigans… webmail doesn’t even require https yet 😅
Worth noting that airplanes are incredibly safe and resilient after extensive regulation and open and transparent investigations of every air incident…
when you land on the ground, however, air travel is caught in the same cybersecurity bullshit every other industry is caught up in.
The incident continues https://www.bbc.co.uk/news/articles/cqjeej85452o
The ARINC incident is likely to continue through the week. They haven’t yet got the threat out of the network.
After ARINC restored domain controllers from backup, the threat actor got back in and started trashing more stuff. 🫡
The whole thing is a mess, they probably want to pause, take a breathe, and think about flushing out attacker before rebuilding things.
The airport thing is still rumbling on, terminals haven’t been restored by ARINC, it’s just disappeared from headlines as the media got bored.
Berlin Airport ran at 70% delays yesterday
I’ve confirmed today that Heathrow, Berlin and Dublin all still have no Muse terminals restored. I haven’t checked other airports. It’s even more complicated because Muse both processes and stores biometrics of passengers.
"Before we reconnect our system, we must be 100% sure that there are no malware programmes left," the BER spokesman said.
The Muse systems at impacted airports will likely be down the rest of the week. Airlines are being advised to continue contingency measures.
Heathrow is at 80% flight delays, Brussels 79%, Dublin 74%, Berlin 84% - all are vMuse. London City isn't on vMuse, they're at 33% as a point of comparison.
The Europe airlines ransomware situation is a variant of Hardbit ransomware, which doesn’t have a portal and is incredibly basic.
They’ve had to restart recovery again as the devices keep getting reinfected. I’ve never seen an incident like it. Somebody like the NCSC needs to go in and help them with IR.
Look at Dublin airport, reporters starting to realise it never actually got fixed 😅
https://www.thejournal.ie/dublin-airport-issues-timeline-fix-6824817-Sep2025/
Delays at airports continue today. ARINC/Collins have been unable to tell impacted airports when services will resume. https://www.vienna.at/after-cyberattack-continued-disruptions-at-berlin-airport/9691694
Flight delays today:
Heathrow 78%
Brussels 79%
Dublin 68%
Berlin 86%
All are vMuse. London City isn't on vMuse, they're at 35% as a point of comparison.
Heathrow PR statement: "Collins Aerospace has confirmed an IT issue with the systems that it supplies to a number of airlines across Europe. We are supporting affected airlines with their contingencies and have deployed additional colleagues in terminals to assist passengers."
40 year old man arrested in connection to airport cybersecurity incident https://www.bbc.co.uk/news/articles/c62ldxyj431o
Hayley Question-Mark@GossiTheDog Hammer salesman told me it was hammers.
Gordon Shumway@barrowofdirt @GossiTheDog do you need some nails? I sell them.
root