Disruption continued on Monday in European airports following a cyber-attack on Friday, which the EU’s cyber-security agency said involved ransomware that shut down automatic check-in and boarding software.
The European Union Agency for Cybersecurity, ENISA, said in a statement that the type of ransomware had been identified and law enforcement was investigating.
US defence contractor RTX, formerly Raytheon, said the attack had affected automatic check-in software called Muse supplied by its subsidiary, software maker Collins Aerospace, to several airline customers.
Software compromise
In a statement on Monday, the company said it was working with four affected airports and airline customers, and was in the final stages of completing the updates necessary to restore full functionality.
An internal memo sent to Heathrow staff says that following the Friday attack, Collins rebuilt its systems and relaunched them, only to realise the hackers still had access to the system, the BBC reported.
The memo reportedly says that more than a thousand computers may have been “corrupted” and work to bring them back online is being done in person and not remotely, slowing down the process.
Airline staff have turned to manual check-in methods to keep flights operating while the Muse software is not functioning.
Heathrow said on Sunday it was working to resolve the issue and apologised to customers over flight delays.
It said the “vast majority” of flights have continued to operate and advised passengers to check the status of their flight before travelling to the airport.
About half the airlines flying from Heathrow were back online by Sunday, according to media reports. British Airways has reportedly been operating on a back-up system since Saturday.
Ongoing disruption
Airports in Brussels, Dublin and Berlin have also experienced delays, with automated check-in systems such as kiosks and bag-drop machines offline.
A spokesperson for Brussels airport said Collins Aerospace had not yet confirmed the Muse system had been secured.
A Berlin Airport spokesperson said some airlines were still boarding passengers manually and there was no indication of when the Muse outage would end.
Some 40 of 277 of the departing flights at Brussels were cancelled on Monday, with 23 of 277 incoming flights cancelled.
The attack is the latest to raise questions over the security of critical systems that are provided by suppliers, and are not under a company’s direct control.
A Heathrow spokesperson said: “This system is not owned or operated by Heathrow, so while we cannot resolve the IT issue directly, we are supporting airlines and have additional colleagues in the terminals to assist passengers.”
Supply-chain hacks
Hackers frequently invade a company’s system by targeting a subcontractor, such as an outsourced IT helpdesk.
In the case of Marks & Spencer, whose online ordering systems were disabled for weeks after a cyber-attack earlier this year, hackers tricked a third-party contractor into providing access to internal systems, the company said in May.
At the time Reuters cited an unnamed source as saying that M&S’ outsourced helpdesk provider Tata Consultancy Services, or TCS, was a “means of access”.
Two other British companies hacked this year, the Co-op and Jaguar Land Rover, whose plants are currently still shut down , also use TCS as a supplier. TCS has denied its systems were breached in the M&S hack.
In 2020, US company SolarWinds said malware was inserted into its Orion security software in a Russian cyber-espionage campaign, leading to a breach of US government agencies including the Department of Justice and the Pentagon.
