In September and October 2025, Europe experienced a series of incidents that increasingly resemble not a coincidence, but a deliberate hybrid operation. First — a cyberattack on Collins Aerospace, which paralyzed registration systems in dozens of airports. A few days later — a wave of reports about unknown drones and aerostats over airports, which forced the authorities to close airspace and cancel flights. Although official reports do not name the perpetrator, the nature and sequence of events indicate a systematic test of the West’s reactions. The probable beneficiary is the Russian Federation.
Between September 19 and 21, a large-scale failure occurred in the MUSE (Multi-User System Environment) system owned by the American company Collins Aerospace. Key hubs — London, Berlin, Brussels, Copenhagen, Amsterdam — were affected. Passengers were stuck in airports, airlines switched to manual check-in, queues stretched for hundreds of meters. Although the incident was described as technical, experts from France24 pointed to signs of deliberate interference. The World Economic Forum called it an example of the vulnerability of over-centralized IT chains.
To better understand the sequence and scale of the incidents, it is worth looking at the chronology of key dates and locations. The graph below shows the timeline of the hybrid campaign against Europe’s critical infrastructure in September–October 2025.
On September 22, The New York Times reported that Copenhagen and Oslo simultaneously closed their airspace due to the appearance of large unmanned aerial vehicles over runways. The objects flew at an altitude of 500–700 meters, within the zone of civil aviation. The airports were shut down for four hours — without a single physical strike.
The Prime Minister of Denmark, Mette Frederiksen, said:
“We see in these events signs of hybrid activity. We have no evidence, but we cannot rule out Russia’s involvement.” (Al Jazeera, 23.09.2025)
During the following days, the wave of incidents continued: Norway quickly closed Oslo Airport, and on September 24–25, airports in Aalborg, Billund, Esbjerg, and Sønderborg temporarily suspended operations due to similar observations of unknown objects. According to Euronews, local police recorded them both visually and using radar, but could not determine their origin.
On September 26, drones appeared over the military bases of Kastrup in Denmark and Ørland in Norway. On September 28, Schiphol Airport in the Netherlands closed one of its runways due to the observation of an aerostat. On October 3, Munich Airport twice stopped operations due to drones — precisely during the celebration of the Day of German Unity.
The map below shows the locations of airports and bases where drones, aerostats, and other unknown objects were recorded in Denmark, Norway, the Netherlands, and Germany during September-October 2025.
Chancellor Friedrich Merz stated:
“We assume that Russia is behind these intrusions. This is not a coincidence but part of its hybrid campaign.” (Reuters, 05.10.2025)
On October 8, the German government adopted a draft law allowing police to shoot down drones over critical infrastructure. The President of the European Commission, Ursula von der Leyen, called these actions “a targeted campaign to destabilize Europe”.
The Ukrainian CERT-UA recorded more than 3,000 cyber incidents in the first half of 2025 — 17% more than before. The report points to a correlation between cyber and physical attacks:
“Sometimes after or during such cyberattacks, kinetic strikes were carried out in the same region of the country. There is a correlation between cyber and kinetic attacks.”— CERT-UA, H1 2025, p. 18
The report describes the model of “near-miss operations” — when a cyberattack creates technical or informational noise before or during a physical strike.
A telling example was the attack on Ukrzaliznytsia (Ukrainian railways), which was accompanied by drone strikes on transport infrastructure.
The report includes an infographic “Near Missile Timeline” which demonstrates the connection between cyberattacks and missile strikes.
The infographic below shows an example of the relationship between cyberattacks and physical strikes, which may also be relevant to the European case.
If we overlay this model on the events in Europe in the autumn of 2025 — the cyberattack on Collins Aerospace and the subsequent incidents with UAVs — the logic looks identical.
Most of the objects recorded over European airports were not combat drones. Often these were weather balloons, aerostats, or decoys launched to test the response of air defense and civil services. However, the consequences were as if from a real attack: runway closures, flight diversions, financial losses, media panic. This is a tactic of small means with a large effect: minimal costs — maximum result.
The events of autumn 2025 showed that cyberattacks and “drones” are not separate incidents, but elements of a single hybrid operation. Its goal is to undermine confidence in the security of the EU’s infrastructure, create economic pressure, and demonstrate that even without missiles, it is possible to paralyze logistics hubs. And if previously this model was applied in Ukraine, now it is being exported to Europe.
