On the morning of Monday, July 28, Aeroflot's operations were severely disrupted, leading to the cancellation of dozens of flights. The airline advised passengers not to travel to airports if their flights were affected. Shortly after, hacktivist groups Silent Crow and «Cyberpartisans of Belarus» claimed responsibility for the incident. The groups asserted they had stolen 12 terabytes of data, gained control over employee computers, fully compromised all critical corporate systems, and subsequently destroyed them. This article delves into the specifics of the alleged attack and provides information on Silent Crow and «Cyberpartisans of Belarus.»
Hackers Detail Their Alleged Attack on Aeroflot
«Successful penetration was largely possible because some company employees neglected basic security,» stated «Cyberpartisans of Belarus» on their Telegram channel. The cybercriminals added that after gaining access to the airline's infrastructure, they methodically advanced through its systems for a year with the goal of complete compromise. They attributed this prolonged access to Aeroflot's use of outdated Microsoft operating systems, specifically Windows XP and 2003.
«The cyberattack began on the night of July 27-28. By early morning, we had destroyed over seven thousand servers and workstations, databases, and internal systems. All data was wiped using a special innovative algorithm.»
The hackers also claimed they were able to display offensive messages, commonly used in pro-Ukrainian propaganda since the start of the special military operation, on Aeroflot employee computer screens. Furthermore, they asserted that they still retained access to corporate email accounts and could monitor the airline's senior management. However, Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) did not confirm any passenger data leaks, telling TASS that «the leak of Aeroflot customer personal data is not yet confirmed.»
Who Claimed Responsibility for Aeroflot's Problems?
Both «Cyberpartisans of Belarus» and Silent Crow assert their involvement in the Aeroflot disruption. These groups regularly claim significant successes in their digital struggle against Russia. However, it's worth noting that not all their proclaimed victories are subsequently confirmed.
«Cyberpartisans of Belarus» had been relatively inactive in recent months, focusing primarily on investigating the disappearance of Anzhelika Melnikova, speaker of the Belarusian opposition Coordination Council, who went missing in March 2025 in Warsaw. This situation fueled numerous conspiracy theories about her alleged betrayal of the Belarusian opposition. Another notable area of their activity is compiling a list of Belarusian citizens participating in the special operation in Ukraine on Russia's side.

Silent Crow is a pro-Ukrainian group that previously claimed to have hacked Rostelecom and approximately a hundred other major Russian companies. However, these claims have often been questioned by cybersecurity experts. The data sets hackers published as evidence either lacked sensitive information for Russians or were not even related to the stated victims of the hacks but rather to their contractors. Sometimes, they were merely compilations of previous leaks.
«This group once again distinguished itself with a flurry of bold statements: they were in the infrastructure for a year with maximum access, compromised all critical systems, extracted 12 terabytes of data, including the entire flight array. And after 'playing enough,' they destroyed the company's entire infrastructure, comprising seven thousand physical and virtual servers,» noted the authoritative Telegram channel T.Hunter. «In reality, the bravado of these daring hackers likely vastly differs from what they actually accomplished.»
Natalya Kasperskaya, President of InfoWatch, also expressed doubts about Silent Crow's involvement in her Telegram channel, stating it was too early to determine who was truly behind the attack.
«It could have been, for example, special services of hostile countries or internal malicious actors. Making loud claims is one thing; actually breaking in is another.»
Natalya Kasperskaya, President of InfoWatch
The previous major hack claim by Silent Crow was posted on their Telegram channel on July 20, after nearly four months of silence. At that time, the hacktivists alleged they had gained full access to data on residents of Moscow and the Moscow region from EMIAS (Unified Medical Information and Analytical System).
«We obtained administrative control over the entire infrastructure of one of the largest personal data operators, including domain controllers, hypervisors, and databases. The total volume of extracted data amounted to about 17 terabytes,» the hackers wrote, attaching a sample of the data to their message. However, they did not revisit the EMIAS hack topic afterwards, and no additional data arrays were published.
Aeroflot Operations Paralyzed
Since early morning, Aeroflot has been attempting to mitigate the consequences of the alleged hack, which led to dozens of flight cancellations. The airline announced that specialists are making forced adjustments to the flight schedule, including partial cancellations. According to the Telegram channel Baza, the situation remains critical: only flights for which flight calculations were made in advance are departing.
«I came to work, but we can't print flight plans; nobody knows anything. I can't even find the crew number, I can't contact the captain, I don't know where he is, he doesn't know where I am. All planes are grounded, management knows nothing: where the plane is, who is flying, where it's flying, crew numbers. In short, there's absolutely nothing,» an Aeroflot employee told the publication.
«Unfortunately, given the current political realities and the escalating confrontation with the West, there is little hope that attacks will cease. Most likely, attacks on our country's critical infrastructure will only intensify.»
Natalya Kasperskaya, President of InfoWatch
According to the Telegram channel «Aviator General,» all Aeroflot employees were prohibited from using corporate email and work computers. For communication with crews, employees were advised to use the Telegram messenger.
According to information security expert Alexey Kozlov, the restoration of Aeroflot's systems could take up to six months, with full stabilization taking up to a year. In a conversation with RIA Novosti, he stated that the exact timeline depends on the extent of infrastructure damage and the availability of data backups. Kozlov estimated the damage from the cyberattack to be between $10 million and $50 million.

The cancellation of dozens of Aeroflot flights became known on the morning of July 28. Passengers on round-trip flights departing from and returning to Moscow were among those affected. Specifically, the problem impacted Russians planning to fly to Astrakhan, Grozny, Yekaterinburg, Yerevan, Kaliningrad, Kazan, Mineralnye Vody, St. Petersburg, Stavropol, Sochi, and other cities. The estimated damage from the disruption to Aeroflot's operations could range from $10 million to $50 million.
