Cyber Incident Victim: Aeroflot
Date: Jul 2025
Location: Russia
Summary
Pro-Ukrainian hacking groups Silent Crow and Belarusian Cyberpartisans claimed responsibility for a cyberattack that disrupted operations at Russia's national flag carrier, causing over 50 flight cancellations and widespread delays amid peak travel season. The attackers asserted they had compromised the airline's network for a year, destroying 7,000 servers and seizing control of employee devices while threatening to release passenger data and internal communications. The incident prompted a criminal investigation and political concern about systemic cybersecurity failures, with the airline working to restore services and rebook passengers. The disruption caused significant financial losses and passenger frustration due to inaccessible booking systems, marking one of the most damaging cyber incidents since Russia's invasion of Ukraine.
Description
On Monday, July 28, 2025, Russian airline Aeroflot was forced to cancel 54 round-trip flights amid a widespread cyberattack that disrupted operations across the country’s largest aviation network. The attack, claimed by two pro-Ukrainian hacking groups—Silent Crow and Belarusian Cyberpartisans—targeted Aeroflot’s internal systems, leading to the paralysis of flight scheduling, passenger information platforms, and employee communication tools. Departure boards at Moscow’s Sheremetyevo Airport turned red as dozens of flights were delayed for hours, while passengers reported being stranded without access to the airline’s website, mobile app, or customer service lines.

The groups stated the operation had been underway for a year, during which they infiltrated Aeroflot’s network, compromised 7,000 servers, and gained control over the personal computers of employees, including senior managers. They published screenshots of internal file directories and threatened to release the personal data of all Russians who had ever flown with Aeroflot, along with intercepted emails and voice communications of staff.

The Kremlin acknowledged the incident as a serious threat, with spokesperson Dmitry Peskov labeling the hacker activity as alarming and indicative of a broader digital assault on critical infrastructure. Russian lawmakers, including Anton Gorelkin and Anton Nemkin, condemned the attack as evidence of a multi-front war against the state, with Nemkin calling for accountability for systemic failures in cybersecurity defenses. Prosecutors confirmed the disruption was the result of a cyber intrusion and opened a criminal investigation into the incident.

Aeroflot’s shares fell by 3.9% by mid-afternoon, underperforming the broader market, which declined by 1.3%, reflecting investor concern over the scale and duration of the outage. The airline stated it was working with specialists to minimize the impact on its schedule and restore normal operations, but provided no timeline for full recovery.

Passengers expressed frustration on social media platform VK, recounting hours spent waiting at airports with no clear updates or alternatives. One traveler, Malena Ashi, described being stranded at Volgograd Airport since 3:30 a.m., with her flight rescheduled for the third time and now set to depart nearly ten hours after the original departure time. Another passenger, Yulia Pakhota, noted the complete unavailability of all digital channels, making it impossible to rebook flights or request refunds as instructed by the airline. Aeroflot acknowledged the breakdown in communication and indicated it was attempting to secure seats for affected passengers on other carriers, though no details were provided on the logistics or capacity of such arrangements.

The attack occurred during a peak travel period in Russia, when many citizens typically take holidays, amplifying the disruption’s societal impact. While flight cancellations and delays had become common in Russia due to drone strikes on airports since the start of the war in Ukraine in 2022, this incident marked a significant escalation in both scale and sophistication, targeting the airline’s core operational systems rather than physical infrastructure.

Silent Crow, which had previously claimed responsibility for attacks on Russian state IT departments, telecom firms, insurance companies, and KIA’s Russian office, had demonstrated a pattern of targeting institutions tied to state functions or economic stability. Belarusian Cyberpartisans, a group opposing President Lukashenko’s regime, framed the operation as support for Ukraine’s defense against Russian aggression, declaring their intent to “liberate Belarus” and assist Ukrainians in their fight. Neither Ukraine nor any official Ukrainian entity issued a statement confirming or denying involvement, and no evidence was presented to link the attack to state actors. The groups’ public statements emphasized their long-term infiltration and the depth of access they had achieved, suggesting the breach was not the result of a single exploit but a sustained campaign.

Aeroflot, which carried 55.3 million passengers in the prior year and remains among the world’s top 20 airlines by passenger volume, faced not only immediate operational chaos but also the looming threat of mass data exposure, which could compromise the privacy of millions of travelers and damage its reputation for years. Aviation expert Andrei Litvinov described the incident as a “serious disaster,” warning that the exposure of corporate correspondence and internal data could have long-term consequences beyond the current flight cancellations. The incident underscored the vulnerability of even the most prominent state-owned enterprises to coordinated cyber operations, and the lack of immediate transparency from Aeroflot only deepened public distrust during a time of heightened anxiety.
