Aeroflot Hit by Devastating Cyberattack: 49 Flights Cancelled as Hackers Claim Year-Long Network Infiltration

CyberSecureFox 🦊

On July 28, 2025, Russian flag carrier Aeroflot suffered a major cybersecurity incident that caused widespread failures of its information systems and the cancellation of 49 flights departing from Moscow. The disruption shows how a compromise of back-office IT can halt airline operations and underscores the threat facing large transportation companies.

Hacktivist Groups Claim Responsibility

Two hacktivist groups, Cyber Partisans BY and Silent Crow, have claimed responsibility for the attack. According to their statements, they maintained persistent access to Aeroflot's corporate network for a full year, gradually expanding their foothold across the airline's critical systems.

The attackers say they reached Tier 0 privileges within the company's IT infrastructure. In the tiered administration model, Tier 0 denotes control over the identity and virtualization layer on which everything else depends, so a genuine Tier 0 compromise effectively means control over every corporate resource. By their account, this gave them access to 122 hypervisors, 43 virtualization installations, and roughly 100 server management interfaces.

Scope of Data Exfiltration and System Destruction

If the attackers' claims hold, the breach is among the largest reported in the aviation sector: they say they stole 12 TB of databases, 8 TB of files, and 2 TB of corporate email. The systems they list include crew management systems, the Sabre reservation system, SharePoint collaboration tools, Exchange email servers, document management systems, and enterprise resource planning (ERP) software.

Particularly concerning is the alleged access to employee surveillance and monitoring systems, including audio recordings of executives' phone conversations. The attackers also claim to have destroyed approximately 7,000 physical and virtual servers, which, if accurate, would severely damage the airline's operational capabilities.

Historical Context of Threat Actor Activities

Silent Crow has previously claimed attacks on major Russian organizations, including Rosreestr (the Federal Service for State Registration), the telecommunications operator Rostelecom, Kia Russia and CIS, the insurer AlfaStrakhovanie-Zhizn, and Alfa-Bank's customer database. Cyber Partisans BY became known for attacks on Belarusian Railway infrastructure and on the systems of the Main Radio Frequency Center, demonstrating an ability to target critical national infrastructure.

Corporate Response and Regulatory Oversight

Aeroflot representatives have acknowledged a failure of the company's information systems but have not commented on the hackers' specific claims about the nature of the incident. The airline's technical teams are working to restore normal operations while minimizing the impact on the flight schedule.

The Moscow Interregional Transport Prosecutor's Office has taken the situation under oversight and is monitoring developments at Sheremetyevo Airport. The attackers have threatened to begin publishing portions of the stolen data shortly, which could widen the impact on both the airline and affected passengers.

Financial Impact and Recovery Challenges

Industry experts estimate that restoring the infrastructure could cost tens of millions of dollars and take several months. The attackers themselves describe the damage as strategic, implying lasting consequences for the airline's operational capacity and competitive position.

Whatever the final verified scope, the incident illustrates how intruders can remain undetected inside a corporate network for a year while working their way up to the virtualization and identity layer. Two lessons stand out. First, dwell time of this length points to gaps in monitoring of privileged access: logons to hypervisor consoles, server management interfaces, and domain administration accounts should be logged, alerted on, and reviewed, and administrative access should be restricted under zero-trust principles and tested in regular security assessments. Second, when hypervisors and thousands of servers are reportedly wiped, recovery depends entirely on backups that the attacker could not reach, which means copies kept isolated from the virtualization management plane and from the credentials used to administer it. Aviation companies in particular must treat cybersecurity investment as protection for both operational systems and passenger data, because threat actors view critical infrastructure as a high-value target.
