[ZATAZ News English version] – A cyberattack against a check-in service provider crippled several European airports on Saturday, causing cancellations and delays, and exposing the air sector’s critical dependency. A response from Russian hackers after Aeroflot’s shutdown last July?
CONTEXT
Date: Saturday, September 20, 2025
Locations: Brussels, London-Heathrow, Berlin airports
Consequences: nine flights canceled, around fifteen delayed
Passengers affected: about 35,000 in Brussels
Precedents: Pau airport, Manchester, Brussels-South, Aeroflot (Russia)
On Saturday, September 20, a cyberattack crippled check-in and boarding systems at several European airports. In Brussels, nine flights were canceled and about fifteen delayed. London-Heathrow and Berlin also experienced disruptions. The provider is working to restore its services. The incident highlights the dependence of aviation infrastructure on a few critical suppliers. This attack follows a series of similar incidents in recent months, including the strategic sabotage of Aeroflot that heavily impacted several Russian airports. The growing frequency of these attacks confirms civil aviation as a prime target for cyber actors.
Airports plunged into outage
In Brussels, the complete shutdown of automated systems forced teams to switch to manual work. “The provider is actively working on the problem and striving to resolve it as quickly as possible,” said an airport spokesperson. A total of nine flights were canceled and about fifteen delayed for at least one hour.
Some 35,000 passengers were expected on Saturday. The airport advised travelers to check flight status before coming and to only show up if their trip was confirmed. Passengers were told to allow two hours for Schengen flights and three hours for non-Schengen flights.
In Berlin, the airport warned of long waits due to the provider’s malfunction. In London-Heathrow, officials spoke of a technical issue while confirming delays.
The targeted provider
The disruptions were caused by a cyberattack on supplier active across Europe. The company handles critical solutions for check-in and boarding.
While Brussels confirmed the cyber origin, other airports preferred to describe it as a “technical problem,” fueling uncertainty about the extent of the intrusion. This caution reflects the reputational stakes for sector players. Reliance on a small number of strategic providers creates a structural vulnerability.
Brussels Airlines escaped the disruptions. “Our teams anticipated the problem as early as Friday evening,” said spokesperson Joëlle Neeb. The airline’s independent baggage drop system remained operational. Passengers with boarding passes could scan and drop off luggage without waiting.
Other airlines lacked such resilience and had to deal with longer queues. For passengers, uncertainty defined the day.
Worrying precedents in aviation
This attack is not isolated. In recent months, multiple airports and aviation infrastructures have been targeted in Europe and beyond. ZATAZ reported:
-
a cyberattack on CCI Béarn et Soule, affecting Pau airport
-
DDoS attacks against NASA and Manchester airport
-
an attack against airport security police in Argentina
-
pro-Russian actions targeting Brussels-South airport
But the most striking case remains Aeroflot. The Russian airline was hit by a large-scale cyberattack, described as major sabotage, in July. The intrusion disrupted operations across several airports in the country, with immediate economic and logistical fallout. A targeted operation, showing the intent of some actors to strike directly at critical air transport links. September’s incidents in Europe: retaliation for July’s cyberattack? Anything is possible.
Oups!
September 2024 — Researchers Ian Carroll and Sam Curry discovered an SQL vulnerability in FlyCASS, a web service used by airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS).
The flaw in this key aviation security system could have allowed unauthorized attackers to bypass airport screening and gain access to aircraft cockpits.
KCM, operated by ARINC (a Collins Aerospace subsidiary), verifies airline staff credentials through barcode scans or employee IDs, cross-checking them with airline databases to grant access without full security checks. CASS performs similar checks to authorize pilots for cockpit jump seats.
Using the vulnerability, the researchers logged into FlyCASS as administrators of Air Transport International and manipulated employee records. They even created a fake staff member, “Test TestOnly,” granting full KCM and CASS access — effectively bypassing screening and entering cockpits.
The issue was disclosed to the Department of Homeland Security (DHS) on April 23, 2024. DHS confirmed its severity, disconnected FlyCASS from KCM/CASS on May 7 as a precaution, and the vulnerability was later patched.
