Assessing Aeroflot’s aftermath

Ukrainian and Belarusian hackers claim a ‘strategic blow’ to Russia’s flagship airline, but the dust has yet to settle

Source: Meduza

On July 29, Aeroflot stated that it had stabilized its schedule after widespread flight cancellations caused by a hacker attack. The airline’s servers were attacked on July 28, causing Aeroflot to cancel 108 flights (nearly 42 percent) that day. However, the company states that it operated roughly 80 percent of its flights on July 28 and expected to complete 93 percent on July 29. Experts estimate that Aeroflot lost 259 million rubles (roughly $2.9 million) due to the disruptions. On the morning of July 29, according to calculations by the news agency Interfax, 53 Aeroflot flights were canceled. On Tuesday afternoon, the company referred to the cancellations as “targeted,” reporting that it had already restored its operating schedule.

Ukrainian and Belarusian hacker groups, Silent Crow and Cyber Partisans, have claimed responsibility for the cyberattack on Aeroflot. The identity of those behind Silent Crow is unknown. Before Aeroflot, the group claimed responsibility for hacking Rosreestr (Russia’s federal registry, responsible for property and land rights records) and Rostelecom (Russia’s largest telecommunications provider) in January 2025. All three attacks targeted major Russian state institutions, with the hackers demanding no ransom and publishing the stolen data publicly, indicating that their motives were political.

Cyber Partisans is a Belarusian anonymous hacktivist group that emerged during the protests against Alexander Lukashenko’s contested reelection in 2020. Over the past five years, Cyber Partisans has conducted actions against authorities in Belarus and Russia. These actions have included broadcasting videos of protesters being beaten on Belarusian television, leaking Belarusian government agency databases, publishing complaints filed with the Belarusian KGB, and hacking systems belonging to a private drone manufacturer in St. Petersburg and the Main Radio Frequency Center of Roskomnadzor, Russia’s federal censor.

The scope of the attack

Silent Crow has described the damage inflicted on Aeroflot as “strategic.” The group claims to have maintained access to the Russian carrier’s networks for approximately one year, penetrating to the core of its infrastructure and obtaining comprehensive flight histories, including passenger data. According to the hackers, they gained control of employees’ computers and downloaded recordings of staff conversations. The group reports acquiring 22 terabytes of data while destroying 7,000 servers. Fixing everything could cost Aeroflot tens of millions of dollars, according to the hackers. They described the cyberattack as a “political message to all employees of Russia’s repressive apparatus.”

Cyber Partisans say they gained “initial access” to Aeroflot’s networks by using the company director’s password. According to the group’s statement to the media outlet Zerkalo, this password had not been changed since 2022. In a detailed technical statement, the attackers also claimed to have exploited Aeroflot’s continued use of outdated systems, such as Windows XP and Windows 2003. “Our primary goal was just to wreck everything — ‘blow it all up,’ as we say. Swiping data wasn’t the point, but we took whatever we could get,” Cyber Partisans spokesperson Yuliana Shemetovets told Zerkalo, claiming that it would take Aeroflot weeks or even months to restore its data.

A “password” file on the desktop of an Aeroflot employee
Cyber Partisans

The attack on Aeroflot did not target aviation security, Cyber Partisans claim. Spokesperson Yuliana Shemetovets promised that the hacktivists would soon begin releasing the data they obtained. Asked whether the group plans to leak passengers’ personal data, she said that only persons connected to the “military-industrial complex, intelligence operations, or classified activities” should be concerned. Journalist Dmitry Kolezev has observed that the downloaded Aeroflot databases may contain records of flights taken by Russian officials.

Damage assessment

The attack on Aeroflot’s IT systems represents one of the largest cyber incidents in Russian aviation history, according to Vedomosti. The disruption is estimated to have affected at least 20,000 passengers, the Russian Tour Operators Association said. At Sheremetyevo airport in Moscow, where Aeroflot is based, chaos ensued as passengers were unable to fly or obtain ticket refunds. Aeroflot staff operations were paralyzed, and there were even issues with refueling planes, a source told the Telegram channel Aviatorshchina.

Cybersecurity experts generally agree with the hacktivists’ claims that Aeroflot sustained substantial damage from the attack — including to its reputation, as the airline’s shares dropped nearly 4 percent on July 28 amid widespread flight cancellations. Alexey Kozlov, an analyst at IT firm Spektatel, estimates that Aeroflot’s damage could reach $50 million, with full recovery and network security restoration taking up to six months to complete. Denis Tverskoy, who runs the operational efficiency practice at Strategy Partners consulting, said he agrees with that damage estimate.

Sheremetyevo airport, July 28, 2025
Kirill Kallinikov / RIA Novosti / Sputnik / Profimedia

A company linked to the first deputy head of Russia’s Federal Security Service (FSB) contributed to Aeroflot’s cybersecurity infrastructure, according to iStories. In June, the airline signed a cooperation agreement with Bastion, an IT solutions provider founded by the son of Sergey Korolev, the FSB’s first deputy head. Soon after Bastion’s founding, a controlling interest was purchased by Citadel, Russia’s largest supplier of SORM Internet surveillance equipment. Valery Bitaev, known as a trusted confidant of Korolev, is a co-owner of Citadel.

The aftermath

It’s unclear whether Aeroflot will face penalties for leaking passenger and employee data. A source close to the Transportation Ministry told the newspaper Kommersant on July 28 that there is still no proof that a leak actually took place. However, the same source said Aeroflot’s employees and contractors are likely to be examined for negligence during the criminal investigation into the cyberattack.

A source at Aeroflot told the Telegram channel Mash that the cyberattack was less damaging than reports suggest, causing “more damage to the company’s reputation than to its operations.” The source emphasized that the company’s internal systems were restored within 24 hours, and the website and mobile app are now operational again, with flights running according to schedule. “Lessons have been learned, conclusions reached,” the source added.