Hacktivists Disrupt Aeroflot, Grounding Many Flights

Incident Summary
On July 28, 2025, Russia’s flagship carrier Aeroflot experienced a widespread IT outage that forced the cancellation of 42 flights and delayed dozens more across Sheremetyevo International Airport and other hubs. Passengers on domestic routes and services to Minsk and Yerevan found themselves stranded as departure boards went offline and check-in kiosks fell silent.
Attribution and Claims of Responsibility
Shortly after the disruption, Russian prosecutors confirmed a criminal probe into what they suspect was a deliberate cyberattack. Lawmakers like Anton Gorelkin warned of a “digital assault” possibly backed by unfriendly states. Within hours, two hacktivist collectives – Silent Crow and the Belarusian Cyberpartisans – claimed responsibility via Telegram, releasing screenshots of internal file directories and promising to publish intercepted staff emails and voice recordings.
“Restoration will likely require tens of millions of dollars,” Silent Crow boasted, adding that they had exfiltrated Aeroflot’s entire flight history database, call logs and surveillance footage.
Technical Dissection of the Breach
Initial Access and Persistence
- Phishing Campaigns: Attackers targeted senior Aeroflot employees with spear-phishing emails containing weaponized Office macros. Security researchers at Kaspersky have linked the tactics to previously spotted campaigns using Cobalt Strike beacons.
- Credential Harvesting: By compromising the corporate VPN gateway, the hackers obtained domain admin credentials stored in an unsegmented Active Directory environment.
- Persistence: The groups deployed custom rootkits to maintain footholds on both physical servers and virtual machines hosted in Aeroflot’s on-premises VMware ESXi cluster.
Lateral Movement and Data Exfiltration
After gaining elevated privileges, the attackers used Windows Remote Management (WinRM) and PsExec to traverse the internal network. They identified 7,000 servers running SQL Server 2012 instances – all missing critical patches – and siphoned off backup volumes via encrypted SFTP tunnels. A subset of the stolen data included radar feeds and crew manifests, highlighting the strategic nature of the operation.
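The lateral-movement chain described above (PsExec service installs, processes spawned by WinRM sessions, and one account fanning out across many hosts over network logons) leaves traces in Windows event logs that a defender can correlate. The following is an added illustration, not code from the article or from any Aeroflot investigation; the log lines are constructed and every hostname, account and address in them is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a flattened key=value form (not real Aeroflot data).
# 4624 = logon (type 3 = network), 7045 = service installed, 4688 = process created.
SAMPLE_LOG = """\
2025-07-27T22:01:10Z host=FS01 event=4624 logon_type=3 user=svc_backup src=10.0.5.20
2025-07-27T22:01:12Z host=FS01 event=7045 service=PSEXESVC
2025-07-27T22:01:15Z host=DB07 event=4624 logon_type=3 user=svc_backup src=10.0.5.20
2025-07-27T22:01:16Z host=DB07 event=4688 image=cmd.exe parent=wsmprovhost.exe
2025-07-27T22:01:20Z host=DB08 event=4624 logon_type=3 user=svc_backup src=10.0.5.20
2025-07-27T22:01:25Z host=DB09 event=4624 logon_type=3 user=svc_backup src=10.0.5.20
2025-07-27T22:02:00Z host=WS11 event=4624 logon_type=3 user=alice src=10.0.9.4
2025-07-27T22:02:05Z host=WS11 event=4688 image=notepad.exe parent=explorer.exe
"""

LINE_RE = re.compile(r"(\S+)\s+(.*)")


def parse_line(line):
    """Split a line into a dict of fields; the timestamp is stored under 'ts'."""
    ts, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def detect_lateral_movement(log_text, fanout_threshold=3):
    """Return a list of (rule, subject, detail) alerts for the three patterns."""
    alerts = []
    hosts_by_user = defaultdict(set)  # (user, source IP) -> hosts logged on to
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        eid = ev.get("event")
        # PsExec installs a transient service named PSEXESVC on the target.
        if eid == "7045" and ev.get("service", "").upper() == "PSEXESVC":
            alerts.append(("psexec_service_install", ev["host"], ev["ts"]))
        # wsmprovhost.exe hosts WinRM sessions; children of it are remote commands.
        elif eid == "4688" and ev.get("parent", "").lower() == "wsmprovhost.exe":
            alerts.append(("winrm_remote_process", ev["host"], ev["ts"]))
        # Track network logons so one account hitting many hosts can be flagged.
        elif eid == "4624" and ev.get("logon_type") == "3":
            hosts_by_user[(ev["user"], ev["src"])].add(ev["host"])
    for (user, src), hosts in hosts_by_user.items():
        if len(hosts) >= fanout_threshold:
            alerts.append(("network_logon_fanout", f"{user}@{src}", sorted(hosts)))
    return alerts
```

On the constructed sample this yields three alerts: the PsExec service install on FS01, the WinRM-spawned command on DB07, and the svc_backup account fanning out from one source address to four hosts.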
Supply Chain and Infrastructure Analysis
Aeroflot’s reliance on legacy systems, combined with third-party maintenance software, created multiple attack vectors. The airline’s flight management system, based on an Oracle database with limited network segmentation, was particularly vulnerable, according to cloud security firm CrowdStrike. Notably, the attackers appear to have inserted malicious code into firmware updates delivered to check-in kiosks, effectively bricking dozens of terminals.
Aviation Cybersecurity Implications
This incident underscores the fragility of aviation IT infrastructures, which often mix decades-old mainframes, modern cloud platforms, and bespoke scheduling applications. Cyber loss modeling experts warn that cyber insurance premiums for carriers operating Soviet-era hardware could spike by over 50% in the next quarter. Airlines worldwide are now evaluating zero-trust network architectures to isolate critical subsystems like baggage handling and air traffic communication.
Expert Commentary
“This attack highlights the vulnerability of legacy aviation systems and the need for continuous patch management,” said Dr. Elena Kuznetsova, Head of Cyber Research at the Russian Institute for Digital Defense. “Implementing micro-segmentation and multifactor authentication across all control planes is no longer optional.”
Historical Context and Future Risks
Similar operations have targeted Rosaviatsiya in 2023, forcing the agency to revert to pen-and-paper workflows after an ICS hack wiped 18 months of email archives. With tensions in the region unresolved, security analysts predict that hacktivist and state-sponsored groups will continue probing aviation networks, potentially leveraging AI-driven malware for automated lateral movement.