Aeroflot hack explained: report says infrastructure was nearly destroyed


The Bell, an independent Russian news outlet, has published a deep dive into this July’s major hack of Russia’s national airline Aeroflot. It turns out the company’s entire infrastructure was close to collapsing.

Back in July, two pro-Ukraine hacking groups – “Silent Crow” and the “Belarusian Cyber-Partisans” – claimed responsibility for an attack on Aeroflot.

After managing to cripple 7,000 servers, extract data on passengers and employees, and gain control over the personal computers of staff, including senior managers, the hackers said this was a year-long operation to penetrate Aeroflot’s network.


How did it look on the ground, though? According to The Bell, unlike many other similar but smaller hits, the attack on Aeroflot was impossible for the Russian authorities to conceal: hundreds of flights were delayed or canceled, leaving thousands of passengers stranded in airports large and small.


Still, Aeroflot tried. According to The Bell, the airline didn't even inform its own employees that it was under a hacking attack, dismissing it as an “information systems failure.” But attackers were seemingly very close to destroying its entire infrastructure.

Rush to entirely shut off power

The attack began at 5:00 a.m. on July 28th when Aeroflot technical support chats began reporting an emergency: systems were down, computers were rebooting, and they wouldn't recover.

Two hours later, when it became clear that hackers were wiping the contents of employees’ work computers in real time, Aeroflot gave the order to “shut everything down.”

The Bell’s sources now say that shutting off power to all floors of Aeroflot’s headquarters was the only way to stop the attackers from obliterating the entire network infrastructure of the company.

[Image: Cyber-Partisans Aeroflot cyberattack screenshots]

That’s because, just like the hackers later said and unnamed Aeroflot officials confirmed to The Bell, they had gained administrator access to the airline’s entire corporate network.

The attackers then pushed a group policy across the airline's corporate network that triggered a scheduled data wipe on workstations. It was all very close to complete chaos – but the Aeroflot team actually reacted quickly.
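A domain-wide group policy that schedules a wipe on every workstation is the kind of change a defender wants to catch in the minutes between the policy edit and the tasks firing. The following is an added example, not code from The Bell's reporting, Cybernews, or Aeroflot: a small Python correlation check that pairs Windows Security log entries for group policy modifications (event ID 5136 on groupPolicyContainer objects) with scheduled-task creations (event ID 4698) appearing on many hosts inside a short window. The event records, host names, GPO GUIDs, account and task names are constructed placeholders, and the event shape (dicts already parsed out of the log) is an assumption.

```python
from datetime import datetime

# Constructed sample events (not real Aeroflot telemetry). The event IDs are
# the real Windows Security log IDs: 5136 = directory service object modified,
# 4698 = scheduled task created. Hosts, GPO GUIDs, task and account names are
# placeholders.
SAMPLE_EVENTS = [
    # Routine GPO edit weeks earlier, followed by a task on a single host: benign.
    {"ts": "2025-07-01T10:00:00", "id": 5136, "host": "DC01",
     "object_class": "groupPolicyContainer",
     "object": "CN={GPO-GUID-A-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local",
     "subject": "admin.jdoe"},
    {"ts": "2025-07-01T10:05:00", "id": 4698, "host": "WS-0042",
     "task": "\\Backup\\Nightly", "subject": "admin.jdoe"},
    # Early-morning GPO change by a service account...
    {"ts": "2025-07-28T04:40:00", "id": 5136, "host": "DC01",
     "object_class": "groupPolicyContainer",
     "object": "CN={GPO-GUID-B-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local",
     "subject": "svc_deploy"},
    # ...a non-GPO directory change that the check must ignore...
    {"ts": "2025-07-28T04:45:00", "id": 5136, "host": "DC01",
     "object_class": "user", "object": "CN=jdoe,OU=Staff,DC=example,DC=local",
     "subject": "admin.jdoe"},
    # ...and a task created 80 minutes later, outside the default 30-minute window.
    {"ts": "2025-07-28T06:00:00", "id": 4698, "host": "WS-0007",
     "task": "\\Updates\\Sync", "subject": "SYSTEM"},
] + [
    # The same task appearing on six workstations within minutes of the GPO edit.
    {"ts": f"2025-07-28T04:{41 + i:02d}:00", "id": 4698, "host": f"WS-{i + 1:04d}",
     "task": "\\Updates\\Sync", "subject": "SYSTEM"}
    for i in range(6)
]


def _ts(event):
    """Parse the ISO-8601 timestamp carried by a sample event."""
    return datetime.fromisoformat(event["ts"])


def detect_gpo_mass_task(events, window_minutes=30, min_hosts=5):
    """Correlate GPO modifications (5136 on groupPolicyContainer objects) with
    scheduled-task creations (4698) on distinct hosts inside the window.

    Returns one alert dict per GPO change that is followed, within
    `window_minutes`, by task creation on at least `min_hosts` different hosts.
    A single GPO edit with one or two tasks behind it stays silent; a fan-out
    to many workstations is what raises the alert.
    """
    ordered = sorted(events, key=_ts)
    gpo_changes = [e for e in ordered
                   if e["id"] == 5136 and e.get("object_class") == "groupPolicyContainer"]
    task_events = [e for e in ordered if e["id"] == 4698]
    alerts = []
    for change in gpo_changes:
        start = _ts(change)
        hosts_to_task = {}
        for task in task_events:
            delta_minutes = (_ts(task) - start).total_seconds() / 60
            if 0 <= delta_minutes <= window_minutes:
                hosts_to_task[task["host"]] = task["task"]
        if len(hosts_to_task) >= min_hosts:
            alerts.append({
                "gpo": change["object"],
                "modified_by": change["subject"],
                "modified_at": change["ts"],
                "hosts": sorted(hosts_to_task),
                "tasks": sorted(set(hosts_to_task.values())),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_gpo_mass_task(SAMPLE_EVENTS):
        print(f"{alert['modified_at']} GPO {alert['gpo']} changed by "
              f"{alert['modified_by']}; task(s) {alert['tasks']} then created on "
              f"{len(alert['hosts'])} hosts: {', '.join(alert['hosts'])}")
```

Run against the constructed sample, the check raises one alert for the 04:40 GPO edit by `svc_deploy`, naming the six workstations that created the same task within minutes, and stays quiet for the routine edit weeks earlier. The host threshold and window are the knobs to tune: lowering `min_hosts` trades noise for earlier warning, and widening the window catches slower rollouts at the cost of more benign matches.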

“They cut off Rostelecom’s communications, disrupted the connection to the ticket database, and tore down the connection to Sheremetyevo Airport, so people were literally sitting in Excel, rebuilding everything and redrawing all the flight routes on a large sheet of paper,” one source close to the investigation (still ongoing) explained.

“This certainly caused reputational damage. But if they hadn’t acted so quickly, there might have been nothing left of the infrastructure.”


On the day of the attack, the company canceled 108 flights, and more than 80 flights were delayed at Sheremetyevo, Aeroflot's home airport, alone. The airline claims it lost at least 260 million rubles ($3.34 million) due to flight cancellations – but that’s not actually very much.

Still, the damage was huge. According to The Bell, information on “non-commercial airline flights” might have been the most sensitive data that was grabbed.

That’s because following the attack, the hackers released a document signed by a Defense Ministry representative, in which the ministry requested that its equipment be connected to Aeroflot’s internal network for “effective planning of military airlifts.”

“This was a blow to Aeroflot. The company positions itself exclusively as a civilian carrier and has been carefully distancing itself from the war for the past few years, and here it’s all in black and white,” noted an Aeroflot source, suggesting that this perhaps was precisely the point of the cyberattack.


The point of entry for the hack appears to have been Bakka Soft, a small IT company that developed Aeroflot's mobile and web apps and had announced the airline’s new web app for iOS just a month before the hack.

In January 2025, six months before the attack, IT specialists supporting the airline detected suspicious activity on its network and on the networks of Bacca Soft, The Bell said.

Bacca Soft never publicly reported the hack of its systems, but that appears to be what happened.


Cybersecurity pros did kick the perpetrators out of Aeroflot’s systems, but, sources claim, never fully cleaned up Bacca Soft’s infrastructure, allowing the attackers to begin preparing a cyber hit.

“In these types of cases, contractors are usually the weak link: they’re difficult to contact, they resist, they don’t allow access to their infrastructure, and they do a really poor job of cleaning up their infrastructure,” one of The Bell’s sources lamented.

The outlet also contacted Yuliana Shemetovets, a representative of the Cyber Partisans of Belarus, who pointed out that Aeroflot’s management also used simple and easy-to-guess passwords.


