
Cyber Incident Victim: Leonardo

Date: Sep 2023

Location: Russia

Summary

A Russian flight booking system experienced a massive distributed denial-of-service (DDoS) attack that was attributed to foreign hackers and claimed by the Ukrainian hacktivist group IT Army. The incident disrupted operations for multiple airlines, including Rossiya Airlines, Pobeda, and Aeroflot, causing departure delays of up to an hour at Moscow's Sheremetyevo International Airport. The attack, which lasted approximately one hour, impacted a system that serves around 45 million passengers annually through over 50 carriers. Rostec, the system's developer, reported ongoing "large-scale and unprecedented" attacks against the platform, citing dozens of incidents in recent months and framing the activity as part of a broader cyberwar targeting Russian critical infrastructure.


Description

On September 28, 2023, Russia’s Leonardo flight booking system experienced a "massive" distributed denial-of-service (DDoS) attack attributed to foreign hackers by Rostec, the state defense company that developed the platform. The attack lasted approximately one hour, disrupting operations for multiple Russian airlines including Rossiya Airlines, Pobeda, and Aeroflot. Aeroflot confirmed the incident caused departure delays of up to an hour at Moscow’s Sheremetyevo International Airport, the country’s busiest aviation hub. Leonardo, used by over 50 Russian carriers and serving approximately 45 million passengers annually, became temporarily unavailable due to the traffic overload characteristic of DDoS attacks. The Ukrainian hacktivist group IT Army publicly claimed responsibility for the attack through a Telegram channel message, stating, “While you [Ukrainians] are sipping lattes, our friends up north are stuck in queues, trying to book flights,” and praised their own efforts with “Well done IT Army!” Rostec characterized the incident as part of an ongoing campaign targeting Russian infrastructure.

Rostec disclosed that Leonardo had endured dozens of similar attacks in recent months, with approximately five recorded in September 2023 alone. The agency described these incidents as "large-scale and unprecedented," asserting that Russia faces an active cyberwar aimed at damaging its IT infrastructure and crippling critical industries. The attack on Leonardo occurred weeks after Canadian airports suffered service disruptions from a suspected pro-Russia cyberattack, though no group claimed responsibility for that incident. Rostec did not detail specific defensive measures taken during the September 28 attack but emphasized the persistent threat environment. Canada’s concurrent cybersecurity challenges were noted in the broader context of reciprocal cyber operations between nations supporting Ukraine and Russian-aligned actors, though no direct link was established between the Leonardo incident and the earlier Canadian events.
