One in three cyber attacks hits suppliers. This is how hackers shut down European airports.

One in three cyberattacks targets companies' suppliers. In 2025, their number doubled, confirming a worrying trend in cybercrime. This is according to a Verizon report that analyzed the origins of approximately 8,000 cyberattacks recorded in 2025. Attacks through third-party companies and service supply chains offer attackers a broad scope of action, achieving identical results (temporarily blocking a service) with less effort. In particular, the report explains, software vendors, customer support lines, and technology solution providers, especially artificial intelligence, are targeted.

These figures confirm the fears that arose in the aftermath of the cyber attacks on three of Europe's major airports: London Heathrow, Brussels, and Berlin. The effects were then felt at other international hubs, such as Dublin and Cork, and at other European airports. In that case, it was a targeted attack.

What we know so far about the attack on Collins Aerospace

Little news has emerged in the days following the attack (which occurred last Saturday). What is certain is that the criminals did not target the airport's IT systems, but rather those of an external supplier: Collins Aerospace, a US company that manages the online check-in and baggage handling system. The company was previously targeted by a cyberattack in 2023, when it was attacked by the BianLian group, a Chinese name chosen by Russian-based cybercriminals specializing in ransomware attacks. With these attacks, hackers penetrate IT systems and shut them down, then demand a ransom.

After initial findings, sources close to the investigation have informed Italian Tech that this case could also be a similar type of attack, although nothing is known about the attackers at this time.

Russian Shadows: Several clues raise fears of a hybrid warfare episode

But both the attacks suffered by the supplier over the years and the international situation have fueled suspicions that this could be yet another instance of hybrid warfare. The cyberattack came just hours after three Russian fighters violated NATO airspace in Estonia. And three days ago, Collins Aerospace (€28 billion in revenue last year, 80,000 employees) signed a contract with NATO for the supply of a system capable of planning and managing communications in the event of electronic warfare.

These elements lead experts to suspect this could be a provocation. Or a test. Either to see Europe's ability to react or to test the fragility of public infrastructure. A complex picture. This is compounded by the fact that cybercriminals have been changing their identity in recent years. They are no longer state hackers, or any state intent on attacking.

Apples: "A worrying scenario, here's their psychological strategy."

But today, even independent groups—it is explained—are beginning to carry out operations, in some way encouraged, if not supported, by states. This is a sort of "militarization" of cybercrime. "The scenario is extremely worrying," Stefano Mele, lawyer, head of cybersecurity, and partner at the law firm Gianni & Origoni, explains to La Stampa. "To block an airport, it's not necessary to attack the major players, those with the expertise, culture, and spending power in cybersecurity. The same result is often achieved by attacking a company that provides a service, as in this case," Mele argues. Blocking check-in effectively means blocking the airport, and a return to manual methods on busy days. Over a thousand flights were scheduled at the three airports.

The effect of last Saturday's attack was limited on cancellations, 28. But the delays led to hundreds more. What saved the rest of Europe wasn't greater technical capacity, or a better ability to respond to attacks: "They simply didn't have that provider for check-ins. It was just luck," explains Mele. "The effectiveness of this type of ransomware attack isn't a technical issue, but a cultural one. Because today we know that 90% of attacks come from a classic, careless click by a company employee or manager," adds the lawyer. Added to this is a mutation in ransomware attacks themselves. "If we were previously accustomed to viruses that blocked the system in exchange for a ransom, now there's no longer even a need to block a system: all you have to do is access emails and company communications and directly threaten those with the power to pay the ransom, instilling suspicion that the material obtained might contain compromising communications," explains Mele.

No more viruses that block, but viruses that 'threaten'

In addition to communications, industrial secrets, projects, and products in the design phase can be disclosed, causing enormous damage. Sometimes, just a threat is enough to make a manager pay. "It's a psychological evolution of this type of attack. It requires expertise, yes, but also the ability to exert pressure." Like a game of chess.

Ransomware attacks are a key issue in cyber warfare. The European Directive NIS2 has introduced higher security standards for supplier companies. It's currently in force, but compliance begins in October 2026. "It will provide greater protection, even if they're viewed unfavorably by businesses and public administrations. It's necessary to protect the entire supply chain of essential and important services," concludes Mele.

Italy should also adopt a law to establish a strategy to counter ransomware attacks. The text has been submitted, signed by Matteo Mauri (Democratic Party). However, the discussion has not yet been scheduled.