When the Skies Go Dark: The European Airport Cyberattack and the Fall of Scattered Spider


A ransomware attack on a single aviation software provider brought Europe's busiest airports to their knees, while law enforcement closed in on one of the world's most notorious hacking groups. Here's what happened, why it matters, and what comes next.


The Attack That Grounded Europe

It started with a whisper in the digital darkness. Late on Friday night, September 19, 2025, something went catastrophically wrong with Collins Aerospace's MUSE (Multi-User System Environment) software—a critical backbone system that powers check-in and boarding operations at over 150 airports worldwide.

By Saturday morning, the chaos was impossible to ignore. London Heathrow, Europe's busiest airport, had reverted to manual check-in procedures. Brussels Airport faced what officials described as a "large impact" on flight schedules. Berlin's Brandenburg Airport scrambled to disconnect affected systems. Passengers found themselves in hours-long queues as airline staff frantically wrote baggage tags by hand—a scene that felt transported from decades past.

"They had to write our baggage tabs by hand," Maria Casey, a traveler at Heathrow's Terminal 4, told reporters after spending three hours in line. "Only two desks were staffed, which is why we were cheesed off."

What made this attack particularly devastating wasn't just its immediate impact—it was the cascading failure that exposed a fundamental vulnerability in modern aviation infrastructure.

The Single Point of Failure

Collins Aerospace's MUSE system represents everything efficient about modern air travel, and everything fragile. The platform allows multiple airlines to share check-in desks and boarding gates at airports worldwide, dramatically reducing infrastructure costs and improving operational flexibility. It's a marvel of logistics optimization.

It's also, as this attack proved, a single point of catastrophic failure.

According to analysis from the European Union Aviation Safety Agency, approximately 70% of EU airports rely on third-party common-use systems like MUSE for 95% of passenger touchpoints. When MUSE went down, it didn't just affect one airline or one airport—it rippled across an entire continent's air travel infrastructure simultaneously.

"This is a very clever cyberattack indeed because it's affected a number of airlines and airports at the same time," travel analyst Paul Charles explained. "They've got into the core system that enables airlines to effectively check in many of their passengers at different desks at different airports around Europe."

Brussels Airport bore the brunt of the disruption. By Sunday, the airport was still requesting airlines cancel half of Monday's scheduled departing flights as Collins Aerospace struggled to deliver a secure updated version of the software. The recovery stretched into the following week, with manual check-in procedures using laptops and iPads becoming the temporary norm.

RTX, Collins Aerospace's parent company, acknowledged the "cyber-related disruption" but provided limited details. What eventually emerged was more concerning: the European Union Agency for Cybersecurity classified the incident as a ransomware operation, part of a 600% surge in sector-targeted attacks from 2024 to 2025.

By Tuesday evening, British authorities had made an arrest—a man in his forties from West Sussex, charged under the Computer Misuse Act. The investigation continues, but the damage was done: the attack had exposed just how vulnerable our interconnected transportation infrastructure has become.

The Scattered Spider Web

While Europe's airports struggled to recover, law enforcement agencies on both sides of the Atlantic were closing in on one of the most prolific and destructive cybercriminal organizations of the past several years: Scattered Spider.

On September 16, 2025, UK authorities arrested two individuals whose alleged activities read like a catalog of the cybersecurity industry's worst nightmares. Thalha Jubair, a 19-year-old from London known online as "EarthtoStar," and Tyler Buchanan (also called "Tyler Flowers"), stood accused of orchestrating some of the most damaging cyberattacks in recent memory.

The numbers alone are staggering. According to the U.S. Department of Justice complaint unsealed against Jubair, he and his co-conspirators were linked to at least 120 computer network intrusions affecting 47 U.S. entities between May 2022 and September 2025. Victims paid an estimated $115 million in ransom payments.

But the raw figures don't capture the scope of disruption. Scattered Spider's alleged victims include:

  • MGM Resorts and Caesars Entertainment - The September 2023 Las Vegas casino attacks that became a watershed moment in ransomware history
  • Marks & Spencer - A devastating Easter 2025 attack that disabled online shopping for six weeks and significantly impacted annual profits
  • Harrods - The luxury London retailer
  • SSM Health Care Corporation and Sutter Health - Critical healthcare infrastructure
  • The U.S. federal court system - Attacks in October 2024 and January 2025 that targeted the judiciary itself

The Social Engineering Masters

What made Scattered Spider particularly dangerous wasn't just technical sophistication—it was their mastery of social engineering. The group became infamous for impersonating employees or contractors to gain access to corporate IT systems, often calling help desks and convincing support staff to reset credentials or provide access.

"Scattered Spider is particularly adept at social engineering techniques," noted industry analysts tracking the group. They didn't need to find zero-day exploits or crack sophisticated encryption when they could simply talk their way in.

The group's tactics evolved over time. Prosecutors allege that Jubair and his associates would gain unauthorized access to company networks, steal and encrypt data, then demand ransom payments in exchange for decryption keys and promises not to leak the stolen information. It's a double-extortion model that has become increasingly common but was executed with unusual effectiveness by Scattered Spider.

A Teenager's Digital Empire

Perhaps most unsettling is Jubair's age. At just 19 years old when arrested, he had allegedly been operating as a significant cybercriminal for years. According to court documents and cybersecurity researchers tracking the group, Jubair used multiple aliases over time: "Clark," "Miku," "Brad," "Austin," "@autistic," and most recently "Operator."

Under the "Operator" handle, researchers believe Jubair ran an automated Telegram-based doxing service that pulled consumer records from hacked data broker accounts. The operation demonstrated both technical capability and entrepreneurial spirit—traits that, channeled legally, could have made him a cybersecurity asset rather than a threat.

"The core problem with legally prosecuting well-known cybercriminals from the Com has traditionally been that the top offenders tend to be under the age of 18," explained Allison Nixon, chief research officer at Unit 221B and one of the world's leading experts on this type of cybercrime community. "In the United States, prosecutors typically wait until an underage cybercrime suspect becomes an adult to charge them."

This waiting game allows young hackers to amass significant criminal records before facing adult consequences—a pattern that Jubair's case exemplifies.

Read more about Scattered Spider prosecutions in our article: First Scattered Spider Member Sentenced: Noah Urban Gets 10 Years.

The Broader Context: 2025's Cybersecurity Crisis

The European airport attack and Scattered Spider arrests didn't happen in isolation. They're data points in a year that has seen cybersecurity threats escalate to unprecedented levels.

A Year of Breaches

2025 has witnessed some of the largest and most consequential data breaches in history:

  • TransUnion (July 2025) - A third-party application compromise exposed personal information of 4.46 million individuals, including Social Security numbers, dates of birth, and contact information.
  • Bybit cryptocurrency exchange (February 2025) - North Korea's Lazarus Group executed one of the largest cryptocurrency thefts in history, stealing over $1.46 billion in Ethereum by compromising a supplier and secretly altering a digital wallet address.
  • Jaguar Land Rover (August-September 2025) - Production halted for weeks at multiple plants outside China, affecting thousands of suppliers and demonstrating how cyberattacks can cascade through supply chains.
  • United Natural Foods Inc. (June 2025) - The major U.S. grocery wholesaler and primary distributor for Whole Foods suffered an attack that crippled electronic ordering systems, causing notable grocery shortages across North America.

The Numbers Tell the Story

According to recent industry analysis, cyberattacks have surged globally:

  • Weekly attacks per organization have more than doubled over the past four years, from 818 in Q2 2021 to 1,984 in Q2 2025
  • In just the last two years, the global average number of weekly attacks grew by 58%
  • Cyberattacks on critical infrastructure increased 600% from 2024 to 2025
  • Small businesses are particularly vulnerable, with seven times more organizations reporting insufficient cyber resilience compared to 2022

Yet despite escalating threats, cybersecurity budgets are stalling. Industry analyst IANS reports that growth has slowed from 17% in 2022 to just 4% in 2025—a dangerous disconnect between threat levels and defensive investment.

Law Enforcement Fights Back

The arrests of Jubair and Buchanan represent more than just two individuals facing justice. They're part of a broader law enforcement offensive against cybercriminal networks.

Operation Serengeti 2.0

Between June and August 2025, INTERPOL coordinated one of the largest cybercrime crackdowns in history. Operation Serengeti 2.0 brought together investigators from 18 African countries and the United Kingdom, resulting in:

  • 1,209 arrests across multiple countries
  • $97.4 million seized
  • 11,432 malicious infrastructures dismantled
  • 87,858 victims' cases addressed

The operation targeted high-harm cybercrimes including ransomware, online scams, and business email compromise schemes. It followed previous successful operations like the original Operation Serengeti (September-October 2024, 1,006 arrests) and Operation Red Card (November 2024-February 2025, 306 arrests).

"Each INTERPOL-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries," said Valdecy Urquiza, Secretary General of INTERPOL.

The UK Takes a Hard Line

In July 2025, the United Kingdom implemented controversial new policies designed to remove financial incentives for ransomware attacks. The government banned public sector entities from paying ransoms to cybercriminal groups, with organizations considered part of critical infrastructure facing a complete prohibition.

UK victims of cyberattacks are now required to notify officials, providing policymakers with better data on the scale of Britain's ransomware problem. The policy has drawn both praise and criticism—supporters argue it removes profit motives from attacks, while critics worry it may lead to more destructive attacks when ransom payments aren't an option.

What This Means for the Future

The European airport attack and Scattered Spider arrests offer critical lessons for organizations, policymakers, and security professionals.

1. Third-Party Risk Is First-Party Risk

The MUSE system attack demonstrates that your security is only as strong as your weakest vendor. When Collins Aerospace's systems were compromised, dozens of airports and hundreds of flights were affected. Organizations must:

  • Conduct thorough security assessments of critical vendors
  • Require vendors to maintain robust security programs
  • Develop contingency plans for vendor system failures
  • Consider diversification to avoid single points of failure

2. Manual Backups Still Matter

When digital systems failed, European airports reverted to handwritten baggage tags and manual check-in procedures. While inefficient, these analog backups prevented complete operational collapse. Critical infrastructure should maintain manual fallback procedures for essential functions.

Scattered Spider's success relied heavily on social engineering rather than sophisticated technical exploits. As one former Philippine government official noted: "Cybersecurity is not a technical skill but a life skill."

Organizations need to:

  • Implement robust identity verification procedures
  • Train staff to recognize social engineering attempts
  • Create clear escalation procedures for unusual access requests
  • Foster a security-conscious culture at all levels

Learn more about defending against evolving tactics in our analysis: The New Reality: When Ransomware Fights Back.

4. Age Is No Barrier to Sophistication

The involvement of teenage hackers in sophisticated, damaging attacks challenges assumptions about cybercrime. Youth doesn't equal lack of capability. Organizations must take threats seriously regardless of attacker age or location.

5. International Cooperation Is Essential

The successful arrests and operations of 2025 demonstrate what's possible when law enforcement agencies coordinate across borders. Cybercrime is inherently international—the response must be too.

The Aviation Sector's Reckoning

For the aviation industry specifically, the MUSE attack represents a wake-up call that can't be ignored.

Charlotte Wilson, head of enterprise at cybersecurity firm Check Point, explained the unique vulnerabilities: "These attacks often strike through the supply chain, exploiting third-party platforms that are used by multiple airlines and airports at once. When one vendor is compromised, the ripple effect can be immediate and far-reaching, causing widespread disruption across borders."

Aviation experts recommend a layered approach to resilience:

  • Rigorous patching and updating to close vulnerabilities before attackers find them
  • Continuous monitoring for unusual activity that could indicate intrusion attempts
  • Clear, well-tested backup systems that ensure operations can continue even if critical digital tools are compromised
  • Information sharing between governments, airlines, and technology providers

"Cyberattacks rarely stop at national borders, so the faster one country can identify and report an attack, the faster others can take action to contain it," Wilson noted.

But as she warned: "Cybercriminals are exploiting every weak link in this highly connected ecosystem. Unless the sector treats cybersecurity as a matter of operational continuity and passenger safety, not just IT, the risk of large-scale disruption will continue to rise."

Looking Ahead: An Uncertain Sky

As Brussels Airport gradually restored normal operations and Jubair and Buchanan faced legal proceedings, the cybersecurity community was left to process the implications of September 2025's events.

The European airport attack won't be the last of its kind. As transportation, energy, healthcare, and financial systems become increasingly interconnected and dependent on shared digital infrastructure, the potential for cascading failures grows. A single compromise can ripple across industries and continents.

The Scattered Spider arrests offer hope that even sophisticated cybercriminal organizations can be disrupted. But for every hacker apprehended, others remain active. The group's tactics—particularly their social engineering expertise—will be studied and replicated by other criminal organizations.

For insights into how Scattered Spider has evolved its targeting strategy, read: Scattered Spider Pivots to Insurance Sector.

Perhaps most concerning is the financial equation. With cybersecurity budgets growing at just 4% while attacks surge by 58%, many organizations are falling further behind. The math doesn't work. As one cybersecurity expert put it: "We're trying to build a dam with a bucket while the flood keeps rising."

The arrests, the attacks, and the ongoing investigations of September 2025 have made one thing abundantly clear: cybersecurity is no longer a technical concern confined to IT departments. It's a fundamental operational issue that affects whether planes can take off, whether hospitals can care for patients, whether companies can do business.

When the skies go dark—whether from ransomware, social engineering, or supply chain compromise—we're all grounded together.


Key Takeaways

  • The Collins Aerospace MUSE attack affected multiple major European airports simultaneously by compromising shared check-in infrastructure
  • Scattered Spider members Thalha Jubair and Tyler Buchanan were arrested in connection with 120+ network intrusions and $115 million in ransom payments
  • Third-party systems create cascading vulnerabilities when a single vendor compromise affects dozens of downstream organizations
  • International law enforcement cooperation is showing results, with Operation Serengeti 2.0 alone resulting in 1,209 arrests
  • The gap between threats and defenses is widening as cyberattack frequency surges while security budget growth stalls


For the latest updates on cybersecurity incidents, data breaches, and threat intelligence, stay tuned to breached.company.

About the Author: This analysis was compiled from public reports, law enforcement announcements, and industry expert commentary on the September 2025 incidents.

Sources: U.S. Department of Justice, INTERPOL, European Union Aviation Safety Agency, Collins Aerospace/RTX, various airport authorities, cybersecurity firms and researchers.

