Kevin BeaumontARINC SelfServ vMUSE devices are down in airports in EU, they do self service check in. They’re connected to navAviNet aka ARINC Ground Network, managed by Collins Aerospace, who are owned by RTX.
An attacker got onto to the shared network.
RTX is Raytheon btw, a large cybersecurity provider. Looking into it.. but so far, looks like e-crime.
The systems impacted are in ARINC Multi-User System Environment (MUSE™) aka Rockwell Collins’ ARINC vMUSE™. This is like the corporate centipede of acquisitions!
Shodan dork if you wanna rubberneck:
org:"ARINC INCORPORATED"
6x AnyConnect VPN boxes offline
BBC good reporting on the ground impact
In theory it should be minimal but in practice airlines have automated many jobs so we’ll see.
The media are reporting this is impacting 3 airports, but it's actually more - the 3 airports are main transport hubs so building up backlogs (eg Heathrow is at 50% delayed flights now) but there's others, they're just smaller.
The most surprising element so far is ARINC didn't tell Heathrow it was cyber related for almost 15 hours.
If any journalists want a list of top impacted airports to check: https://infosec.exchange/@nieldk/115237394885804514
BBC have Dublin and Cork added.
PhreakByte (@nieldk@infosec.exchange)
@cirriustech @GossiTheDog@cyberplace.social here are the “top ten” airports using vMUSE. See any you recognize in Europe as listed in current incident ;) 1. London Heathrow (LHR) 2. Glasgow Airport (GLA) 3. Berlin Schönefeld (SXF) 4. Dublin Airport (DUB) 5. Cork Airport (ORK) 6. Cologne Bonn Airport (CGN) 7. Mazatlán International Airport (Mexico) 8. Zihuatanejo International Airport (Mexico) 9. Monterrey International Airport (Mexico) 10. Velana International Airport (Maldiverne)
ARINC collect passenger biometric data on vMUSE, which is the system which has been impacted (the user identity database in particular, hence why airline staff can't log in either).
Here’s where it began this time yesterday, before the whole thing tumbled off a cliff.
ARINC hope to have vMUSE back online shortly, they’re restoring their Windows environment from backup. Somebody got Domain Admin and totalled it.
ARINC are flying engineers out to airports to try to fix terminals.
Brussels airport, EBBR, have issued this NOTAM: “AD LTD DUE TO AN IT SYSTEM DISRUPTION. AIRLINES ARE TO CANCEL 50
PERCENT OF THEIR DEPARTING PASSENGER FLIGHTS IN THIS TIMEFRAME”
The ARINC incident continues https://www.bbc.co.uk/news/articles/cwy88857llno
Also for anybody interested, ARINC is where the cyber incident is.
ARINC were basically the OG airport network provider, from 1929. ARNIC were sold to Carlyle Group (private equity) in 2007, who sold them to Rockwell Collins in 2013, who sold to United Technologies in 2018, who merged to form Collins Aerospace. Their network looks a mess of US corporate shenanigans… webmail doesn’t even require https yet 😅
Worth noting that airplanes are incredibly safe and resilient after extensive regulation and open and transparent investigations of every air incident…
when you land on the ground, however, air travel is caught in the same cybersecurity bullshit every other industry is caught up in.
The incident continues https://www.bbc.co.uk/news/articles/cqjeej85452o
The ARINC incident is likely to continue through the week. They haven’t yet got the threat out of the network.
After ARINC restored domain controllers from backup, the threat actor got back in and started trashing more stuff. 🫡
The whole thing is a mess, they probably want to pause, take a breathe, and think about flushing out attacker before rebuilding things.
The airport thing is still rumbling on, terminals haven’t been restored by ARINC, it’s just disappeared from headlines as the media got bored.
Berlin Airport ran at 70% delays yesterday
I’ve confirmed today that Heathrow, Berlin and Dublin all still have no Muse terminals restored. I haven’t checked other airports. It’s even more complicated because Muse both processes and stores biometrics of passengers.
"Before we reconnect our system, we must be 100% sure that there are no malware programmes left," the BER spokesman said.
The Muse systems at impacted airports will likely be down the rest of the week. Airlines are being advised to continue contingency measures.
Heathrow is at 80% flight delays, Brussels 79%, Dublin 74%, Berlin 84% - all are vMuse. London City isn't on vMuse, they're at 33% as a point of comparison.
The Europe airlines ransomware situation is a variant of Hardbit ransomware, which doesn’t have a portal and is incredibly basic.
They’ve had to restart recovery again as the devices keep getting reinfected. I’ve never seen an incident like it. Somebody like the NCSC needs to go in and help them with IR.
Look at Dublin airport, reporters starting to realise it never actually got fixed 😅
https://www.thejournal.ie/dublin-airport-issues-timeline-fix-6824817-Sep2025/
Luis León Cárdenas GraideDelays at airports continue today. ARINC/Collins have been unable to tell impacted airports when services will resume. https://www.vienna.at/after-cyberattack-continued-disruptions-at-berlin-airport/9691694
Flight delays today:
Heathrow 78%
Brussels 79%
Dublin 68%
Berlin 86%
All are vMuse. London City isn't on vMuse, they're at 35% as a point of comparison.
Heathrow PR statement: "Collins Aerospace has confirmed an IT issue with the systems that it supplies to a number of airlines across Europe. We are supporting affected airlines with their contingencies and have deployed additional colleagues in terminals to assist passengers."
40 year old man arrested in connection to airport cybersecurity incident https://www.bbc.co.uk/news/articles/c62ldxyj431o
NPR and PBS have somehow managed to run a completely bollocks article linking the EU airport thing to AI - the article itself written by an AI cybersecurity vendor. https://www.wgcu.org/science-tech/2025-09-23/detection-expert-says-hackers-likely-used-ai-to-penetrate-airport-system
It's completely false. The payloads used in this one are detected by free Defender AV with a decade old static AV detections. This is not some cyber mega attack by a ransomware group: it's extremely poor security hygiene.
RTX, the owner of Collins aka ARINC, finally filed an 8K with the SEC for a ransomware incident. https://www.sec.gov/Archives/edgar/data/101829/000010182925000036/rtx-20250919.htm?7194ef805fa2d04b0f7e8c9521f97343
If your board is concerned about the EU ransomware thing - there is no need to be concerned. It is not a wider issue.
It wouldn't surprise me if the person arrested turns out to be an employee trying to do incident response or some such (I'm not saying they're guilty, at all).
It's an extremely unusual incident and essentially involves lax cybersecurity and confused response.
ARINC/Collins have been unable to restore the systems in Brussels airport so they are ripping out and replacing everything.
HT @0xThiebaut
There’s a bit more info here: https://www.aviation24.be/airports/brussels-airport-bru/accelerate-rollout-of-new-check-in-system-after-cyberattack-on-collins-aerospace-software/
They will keep cancelling 10% of flights each day for the foreseeable future.
Flight delays today:
Heathrow 90%
Brussels 89%
Dublin 84%
Berlin 86%
All are vMuse. London City isn't on vMuse, they're at 33% as a point of comparison.
In terms of recovery:
- Heathrow going nowhere, manual workarounds to issue bag tags and boarding passes, airlines have been told to maintain continency measures until w/c October 6th
- Brussels Airport are manual workarounds to issue bag tags and boarding passes, and are ripping out all their vMuse terminals and Muse IT infrastructure and replacing them
- Dublin making progress to starting restoration
- Berlin manual workarounds to issue bag tags and boarding passes
Hambone Fakenamington@GossiTheDog I'm not sure that's a good metric / comparison. Do you have the stats from prior to the issues. The LHR delays seem to only be an average of 30 minutes, which may be BAU?
mkjIn other words, Brussels Airport and Collins Aerospace are *actually* doing a "nuke it from orbit, it's the only way to be sure".
Except in this case they were already planning to do it *anyway*, and they are basically just doing it maybe two months earlier than initially planned. I strongly suspect that this tipped the scale heavily toward "let's not spend too much time fixing the stuff we're retiring in a few weeks anyway".
Thea@mkj @GossiTheDog @0xThiebaut Sounds a lot like management wants to force the new system that isn't ready ahead to save the cost of recovery on the old system. Passengers pay the price.
Troxuklom@GossiTheDog @0xThiebaut what a gong show
Joost Rekveld@GossiTheDog @0xThiebaut wow, that's crazy !
Alan Miller 
🇺🇦@GossiTheDog @0xThiebaut my thought: this might actually take longer but be a *predictable* longer.
Maxime Thiebaut@fencepost @GossiTheDog Brussels announced they’ve migrated 1/3 of the workstations already: https://www.linkedin.com/posts/brussels-airport-company_update-cyber-incident-rollout-of-new-activity-7378479301844811776-E8yz
🚨 UPDATE CYBER INCIDENT - Rollout of new check-in system at Brussels Airport ongoing: one third of workstations already replaced Brussels Airport has started the accelerated rollout of its new… | Brussels Airport
🚨 UPDATE CYBER INCIDENT - Rollout of new check-in system at Brussels Airport ongoing: one third of workstations already replaced Brussels Airport has started the accelerated rollout of its new check-in and boarding system. One third of the 500 workstations have already been installed and configured. A dedicated team of around 20 IT experts is working around the clock to install, configure and test all equipment and software. From tomorrow, Tuesday 30 September, several flights will already be handled through the new system. The gradual transition of other airlines will follow in the coming days, depending on the results of this initial phase. In the meantime, alternative check-in systems remain fully operational to ensure continuity. Thanks to these alternative systems, the situation is under control and there have been no more flight cancellations related to the cyberattack. The airport community, in particular the airlines and handling companies, as well as all the staff involved, have shown exceptional commitment and resilience over the past ten days, allowing more than 700,000 passengers to take off or land at Brussels Airport despite the cyberattack. Brussels Airport would like to reiterate its sincere gratitude to them once again. We would also like to thank all our passengers for their understanding in these exceptional circumstances.
@GossiTheDog Brussels is reportedly ripping out and replacing affected hardware (new servers and est. 500 new endpoints). Unclear if they switched suppliers or whether they got upsold. https://archive.is/2025.09.24-160342/https://www.lesoir.be/700923/article/2025-09-24/cyberattaque-brussels-airport-un-nouveau-systeme-deploye-ce-lundi-avec-lespoir
Dr. Christopher Kunz@GossiTheDog I already read it. It's hilarious!
"Our customers have shifted to back-up or manual processes and have experienced certain flight delays and cancellations." yeah right, "certain" as in 80%.
"it has not had a material impact and is not reasonably expected to have a material impact, on the Company’s financial condition, business operations or results of operations."
If this doesn't have a material impact, who the hell negotiated those contracts without substantial penalties?
b3lt3r@GossiTheDog I'm sure all the airports operating with serious delays will be relieved to hear there's no material risk to business operations
ROTOPE~1 
@GossiTheDog there's an incident underway?
Matt Hall"Our leased platform was the tool they used to do it! In this article we'll show you how!"
🙄
Alexander The 1st@401matthall @GossiTheDog #FirstThought: Boeing: "Never forget - our planes were instrumental in the 9/11 Twin Towers attack - and we'll show you how*!
*MCAS tutorial not included"
Forbearance@GossiTheDog so you are saying the airport systems were so easy to hack that even an ai user could do it
Expertenkommision Cyberunfallwell AI already hacked the financial markets, so ....
Chilly 
🛡️ 
@GossiTheDog this is an NPR and PBS local station not the main sites obvi but I emailed them
Cary@chillybot @GossiTheDog Ya, seems to be from that one station, WGCU, not general NPR/PBS. I guess we are seeing the side-effects of stations seeking alternative funding sources...
vict0ni@GossiTheDog I don't think this is the correct reason they're wrong. The fact that the AV detection is/should be easy maybe indicates the use of AI, maybe the content it produced is based on old techniques. We know AI is not THAT advanced to produce brand new AV evasion techniques that easily.
Still, jumping to such a conclusion is bollocks indeed, I agree
fmobus@vict0ni @GossiTheDog I think you are reading the op wrong. The attack vector would have been detected _if the attacked system had basic AV protections using classic algorithms_.
Nothing was evaded with fancy new attacks powered by AI, it was a silly attack that only worked because the victims had poor security.
@vict0ni @GossiTheDog Having worked in the airline industry, it doesn't surprise me in the slightest. The only reason this isn't more frequent is that the systems are so arcane that would-be attackers don't want to deal with it.
@GossiTheDog Shocked, I am—feeling faint—that you could even *suggest* so fundamental a vulnerability was exploited. There’s no honour among thieves nowadays.
Dan 
@GossiTheDog I love how the article-length advertisement interviewed the by-line company's founder for "insights" about how important ai tools are to stop other ai tools. Pure, steaming bullshit.
Mike J👹🐀 🤘🏻@GossiTheDog I didn't see anything about on either PBS's or NPR's site. This was a local affiliate.
jorntw@GossiTheDog definitely smells like bs. But how would one know what the real payload was? Has there been a statement?
❄️☃️Merry Jerry🎄🌲@GossiTheDog it feels like a concerningly large amount of cyber security news is now produced by the marketing departments of various cyber security companies
Stefan Eissing@jerry @GossiTheDog Reminds me of the good, ol' times of (anti-)virus news.
Bernard Quatermass
pL@GossiTheDog you ever tried a "hack all airports plz" prompt?
vxo@pl @GossiTheDog the prompt injection was coming from... inside the house! nooooo!
(I'm just being silly, please treat this as a shitpost)
I can’t believe its not @twcau@GossiTheDog Because going to an AI expert on cybersecurity issues is responsible journalism
jeancf@twcau @GossiTheDog The journalist did not bother interviewing anybody, apparently she just read and stole parts of this article: https://www.wgcu.org/science-tech/2025-09-23/detection-expert-says-hackers-likely-used-ai-to-penetrate-airport-system which is written by some person at Undetectable AI...
Detection expert says hackers likely used AI to penetrate airport system
As major airports across Europe have been targeted in a cyber-attack that began on Saturday, an expert is warning that artificial intelligence may have played a key role in the breach.The incident, which disrupted check-in and baggage systems at hubs including Dublin, London, Brussels and Berlin, left thousands of passengers stranded with canceled or delayed flights.Christian Perry, CEO of Undetectable AI, AI detection experts, explained how AI is reshaping the way cyber-attacks unfold.
@jeancf That’s even worse. @GossiTheDog
Hayley Question-Mark@GossiTheDog Hammer salesman told me it was hammers.
Gordon Shumway@barrowofdirt @GossiTheDog do you need some nails? I sell them.
VessOnSecurity@barrowofdirt @GossiTheDog Well, he nailed it.
piofthings@GossiTheDog “Undetectable AI”… lol!
Claus Cramon Houmann@GossiTheDog Absolutely.
brentroady@GossiTheDog this reads so much better if you replace every instance of “AI” with “bullshit”
EaSi123
Negative Kelvin@GossiTheDog And only our product can cure your FUD.
Mike Morris@GossiTheDog The thing that puzzles me is how any person can actually say such a thing and *not* expect anyone to cry, "Bullshit!" Do they really think we're that dim? Do they so badly lack self-awareness that they cannot fathom just how transparent their bullshit is?
I guess the answers are yes and yes, but... #baffled
MikeStok@GossiTheDog @cstross I expect the “80% of hackers expect AI to take their jobs in 2 years” headlines will appear soon.
Ben Tasker@GossiTheDog According to Ben Tasker, manager of Ben Tasker's bank account, sending me $1000 can prevent cyber-attacks
^ basically the same thing but with different names
Julio J. 🀲> The only way to stop a bad guy with AI is with a good guy with AI.
Says guy who in a completely unrelated turn of events happens to sell AI.
Knud JahnkeIsn't it great that we're at the phase of the AI hype cycle that AI companies are trying to (sort of) take credit for major criminal attacks just to "prove" that AI works and is useful? Kinda.
Michael Graaf@knud Sort of a last-resort-of-scoundrels as by definition the claim is unlikely to be disproved, however ludicrous it is.
MarinaAs for the artificial intelligence that I know about, if it can be attacked at will by hackers, then what is the point of our researching, inventing and innovating artificial intelligence?
Emilio 💻📲@GossiTheDog good they caught him
