Cyber Incident Victim: Air Serbia

Date: Jul 2025

Location: Serbia

Summary

Air Serbia delayed the distribution of staff payslips after a cyberattack compromised its systems; salaries were paid, but the payslip PDFs remained inaccessible. The airline's IT team warned employees about the attack, initiated password resets, deployed security-scanning software, removed general internet access, moved datacenters to a demilitarized zone and installed a new VPN client, amid multiple waves of credential resets. Staff were instructed to leave workstations locked but accessible so administrators could continue remediation. Investigators noted a deep breach of Active Directory, with the blue team unable to fully eradicate the threat because logs were missing; infostealer malware is suspected to have been involved, and no ransom demand has been reported.

CIA Posture: available to members
Motives: 0 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

On July 4, Air Serbia's IT team emailed staff warning that the company was facing a cyberattack that could cause temporary disruptions to business processes. The message urged managers to create work plans aligned with the Business Continuity Plan and to share them with their teams. On July 7, the IT and security manager issued a staff‑wide password reset and deployed security‑scanning software on employee machines. At the same time all service accounts were terminated, which interrupted several automated processes. Datacenters were placed in a demilitarized zone, leading to difficulties for users trying to synchronize their passwords. Internet access was blocked for all endpoints, leaving only a limited set of whitelisted pages under the airserbia.com domain reachable. A new VPN client was installed because of identified security vulnerabilities. Staff were asked to cooperate fully with the IT team and to allow the necessary software to be deployed efficiently. Two days later another round of password resets was issued, with the replacements generated from a template defined by the sysadmins rather than chosen by users. On July 10 an internal memo told employees that, given the ongoing cyberattack, the June 2025 payslips would be postponed for security reasons. The memo added that the IT department was prioritizing resolution and would send the payslips to email addresses once conditions permitted. Although salaries had been paid, employees could not access their payslip PDFs. On the same day HR warned staff not to open emails that appeared to relate to payslips or that contained their first and last names as if they had sent them to themselves, and asked everyone to act responsibly. On July 11 IT issued a third wave of password resets and requested that workers leave their PCs locked but open before leaving for the weekend so the team could continue working on the machines.

The postponement of payslip distribution meant that staff could not view their June 2025 earnings statements despite having received their salaries. The termination of service accounts disrupted automated workflows that relied on those accounts. Moving datacenters to a demilitarized zone caused password synchronization problems for users. Restricting internet access to only a few whitelisted airserbia.com pages limited normal online activities for employees. Staff expressed concern that the intrusion might lead to personal data compromise and that the company might not disclose the breach publicly. An anonymous source told The Register that the attack appeared to involve malware and could be an infostealer. The source also said that, as of July 14, the airline’s blue team had not fully removed the attackers’ presence from the network and was uncertain when the intrusion began because of insufficient security logs. The source believed the breach likely occurred during the first few days of July. No ransom payment or extortion demand had been made by the Monday of that week (July 14). The source noted that infostealer infections are increasingly linked to later ransomware attempts. Air Serbia is a state‑owned carrier that reported carrying 4.4 million passengers in the previous year, a six percent increase over 2023. Experts have previously suggested that the Scattered Spider group may be responsible for a series of recent cyberattacks targeting the aviation sector.

Sources

1 source (available to members)