Hackers Allegedly Destroyed Aeroflot Airlines’ IT Infrastructure in Year-Long Attack
Russia’s Aeroflot, one of the world’s oldest airlines, has been left scrambling after pro-Ukraine hackers claimed to have “completely destroyed” the carrier’s internal IT infrastructure in a stealthy, year-long campaign.
The groups, known as “Silent Crow” and Belarusian counterpart “Cyber Partisans BY,” said they gained deep-tier access to systems ranging from booking platforms to executive e-mail, culminating in the erasure of roughly 7,000 servers and the theft of at least 20 TB of flight logs, passenger data, and internal communications.
Aeroflot publicly cited an unspecified “information-system failure” early Monday as it cancelled 42 domestic and regional flights out of Moscow’s Sheremetyevo Airport, leaving terminals jammed with frustrated travelers.
Hours later, the two hacktivist groups posted a joint statement on Telegram declaring the incident a “strategic strike” against both the company and Russia’s state security apparatus.
Screenshots accompanying the post show what appear to be Active Directory trees and surveillance-system folders allegedly captured during their clandestine access.

The attackers claim they penetrated the airline’s network in mid-2024 through targeted phishing and zero-day exploits, slowly escalating privileges until they reached Tier-0 domain controllers, the “crown jewels” of any Windows-based enterprise.

Date / Time (Moscow) | Milestone | Impact / Notes |
---|---|---|
Mid-2024 (≈July) | Silent Crow and Cyber Partisans BY obtain an initial foothold in Aeroflot’s corporate network, launching a year-long clandestine operation | Persistent access established; reconnaissance of critical systems begins |
Spring 2025 | Hackers escalate privileges, reaching Tier-0 (domain-controller) level and gaining administrative control over reservation, e-mail, and surveillance platforms | Full lateral movement enables extraction of 12 TB databases, 8 TB file shares, 2 TB mailstores |
27 Jul 2025 (23:00) | Wiper payload activated across 122 VMware ESXi hosts and additional virtual clusters | ≈7,000 physical + virtual servers overwritten or bricked; 20-22 TB exfiltrated to off-site nodes |
28 Jul 2025 (05:30) | Aeroflot’s internal services fail; employees lose access to booking, crew, and messaging systems | Immediate operational paralysis; incident teams convened |
28 Jul 2025 (08:00) | Aeroflot issues first public statement on “information-system failure,” warns of schedule disruptions | 42 flights cancelled within hours; passengers told to retrieve luggage and leave Sheremetyevo |
28 Jul 2025 (10:30) | Silent Crow publishes detailed claim on Telegram, declaring “complete destruction” of IT infrastructure | Group threatens to leak personal data of all Aeroflot passengers |
28 Jul 2025 (12:15) | Cancellations rise to 49 flights; queues and stranded travellers reported at Moscow hub | Departure boards display widespread red “CANCELLED” notices; fuel-dispatch systems briefly offline |
28 Jul 2025 (13:45) | Russian Prosecutor General opens criminal investigation under Article 272 for “unauthorised access” | Legal probe launched; Kremlin spokesperson labels the situation “quite alarming” |
28 Jul 2025 (18:00) | Silent Crow reiterates threat, claims strategic motive tied to Russia’s war in Ukraine | Heightened geopolitical tension; experts estimate recovery costs in “tens of millions of dollars” |

Once inside, they reportedly compromised core platforms such as Sabre, Sirax, SharePoint, Exchange, CRM, ERP, and even monitoring tools used by Aeroflot’s security operations center.
Aeroflot has yet to confirm the hackers’ description of the breach, but Russia’s Prosecutor General has opened a criminal investigation into “unauthorised access” and acknowledged that a cyber-attack crippled the carrier’s services.
Kremlin press secretary Dmitry Peskov called the incident “quite alarming,” adding that the threat underscores vulnerabilities faced by large Russian enterprises amid the ongoing conflict in Ukraine.
Cybersecurity analysts say the cost of rebuilding Aeroflot’s digital backbone could run into “tens of millions of dollars” and take months, if not longer.
The disruption has already shaved more than 4% off the airline’s Moscow Exchange share price and sparked broader worries about aviation resilience inside Russia.

Key Impact | Detail | Extent |
---|---|---|
Flight cancellations | Domestic & regional routes grounded at Sheremetyevo | 49 flights |
Server loss | Physical & virtual nodes wiped | ≈7,000 units |
Data stolen | Historical flight DBs, PII, e-mail, call recordings | >20 TB |
Stock reaction | MOEX: AFLT down in intraday trading | −4% |
Recovery cost | Infrastructure rebuild & forensics | “Tens of millions $” |

Silent Crow warned that “partial data dumps,” including passengers’ personal details and recorded phone calls, will be released in the coming weeks unless Moscow ends “repressive cyber-aggression” abroad.
If verified, the leak could expose millions of customer records and intensify regulatory scrutiny across multiple jurisdictions.
With international air travel recovering post-pandemic, Aeroflot’s digital meltdown delivers both a symbolic and operational blow.
Analysts note that while Russia’s aviation sector has faced drone incidents and sanctions pressure, a full-scale cyber-sabotage of its flagship airline marks an escalation in the broader digital front of the Russo-Ukrainian conflict.