Inside the Devastating Cyberattack on Aeroflot


Russia’s flagship carrier Aeroflot suffered a crippling cyberattack attributed to pro-Ukraine hacktivist groups Silent Crow and Cyber Partisans BY. This year-long breach culminated in the complete destruction of the airline’s internal IT infrastructure, causing severe operational paralysis, widespread flight cancellations, and the potential exposure of millions of passenger records.

Severity Level: High

Incident Overview

    The attackers infiltrated Aeroflot’s systems in mid-2024, maintaining covert access and systematically escalating privileges. Their final blow involved deploying a wiper payload that destroyed approximately 7,000 servers and exfiltrating over 20 TB of sensitive data, including passenger PII, emails, flight logs, and internal communications.

    Key operational impacts:

    • 49 flight cancellations within 24 hours
    • Booking, messaging, crew assignment systems taken offline
    • Aeroflot shares (MOEX: AFLT) dropped 4%
    • Public disclosure triggered regulatory and criminal investigations in Russia

    How The Breach Happened

    • Initial Access (Mid-2024): Gained through targeted phishing campaigns and zero-day vulnerabilities.
    • Persistence & Privilege Escalation: Attackers moved laterally to gain Tier-0 access (domain controllers), enabling full administrative rights.
    • System Compromise: Critical platforms including VMware ESXi, Sabre, SharePoint, Exchange, and the CRM and ERP systems were compromised.
    • Destruction & Exfiltration:
      • Wiper payload triggered on July 27, 2025, erasing virtual clusters.
      • Data exfiltrated to off-site nodes, estimated at 20–22 TB.

    Threat Actor Profile

    • Name: Silent Crow & Cyber Partisans BY
    • Type: Hacktivist groups
    • Origin: Ukraine and Belarus
    • Motivations: Political – anti-Russian stance tied to the war in Ukraine
    • Tactics: Phishing, zero-day exploitation, lateral movement, wiper malware
    • Communications: Active on Telegram, where they posted detailed breach claims and screenshots

    Lessons Learned

    • Long-term, low-noise access is a growing threat trend. The attackers operated undetected for nearly a year. Organizations must assume breach and invest in proactive threat hunting to uncover persistent access.
    • Tier-0 compromise is a kill shot. Once the adversaries reached domain controllers, they had unrestricted control. Critical identity infrastructure must be isolated and rigorously monitored.
    • Hacktivism has evolved into highly destructive digital sabotage. What was once web defacement is now full-scale infrastructure takedown. Political motivations can fuel technically advanced operations.
    • Public-facing infrastructure is often the weak link. The breach likely began with phishing and zero-day exploits. This underscores the need for resilient defenses at the edge – email, endpoints, and cloud assets.

    Recommendations

    1. Isolate domain controllers (Tier-0 assets) from business and operational networks using physical and logical segmentation.
    2. Deploy Privileged Access Workstations (PAWs) for domain admin tasks, disallowing access from standard endpoints.
    3. Implement email gateway rules tailored to high-risk aviation roles (e.g., ground ops, scheduling, engineering) using role-based content filters.
    4. Enforce link isolation or real-time URL rewriting for flight ops, HR, and finance departments – known targets for phishing.
    5. Harden and segment platforms such as Sabre, Sirax, Crew Management, Flight Ops, and surveillance systems on separate VLANs with ACLs.
    6. Enforce multi-factor authentication with hardware tokens for systems that manage crew, fuel dispatch, and aircraft assignments.
    7. Use application control and EDR to block unauthorized execution of disk-wiping tools, PowerShell abuse, and domain reconnaissance utilities (e.g., BloodHound, Mimikatz).
    8. Deploy endpoint deception (honeypots, fake credentials) on critical nodes to detect and mislead wiper deployment attempts.
    9. Vet third-party aviation vendors (booking systems, MRO providers, ground crew services) for access rights and lateral movement risk.
    10. Subscribe to aviation-specific threat intel feeds and geopolitical cyber risk updates, particularly in conflict zones.
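As an added example, not code from this advisory or from Aeroflot, the Python hunt below turns recommendations 1 and 2 (Tier-0 isolation and PAWs) into detection logic: it parses constructed Windows Security events in a simplified key=value export and flags additions to Tier-0 groups and Tier-0 account logons from hosts outside a PAW allowlist. The event IDs are standard Windows ones; the group, host and account names and the export format are assumptions.

```python
import re

# Tier-0 groups whose membership changes always merit review (standard AD names).
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Hypothetical allowlist of Privileged Access Workstations (recommendation 2).
PAW_HOSTS = {"PAW-01", "PAW-02"}
# Hypothetical Tier-0 account names that may only log on from a PAW.
TIER0_ACCOUNTS = {"da-ops", "da-backup"}

# Constructed sample Security events in a simplified key=value export; not real Aeroflot data.
# 4624 = successful logon; 4728/4732/4756 = member added to a global/local/universal group.
SAMPLE_EVENTS = """\
EventID=4624 Account=da-ops Workstation=PAW-01 LogonType=10
EventID=4624 Account=da-ops Workstation=HR-LAPTOP-117 LogonType=10
EventID=4728 Subject=svc-mail Member=svc-mail Group=Domain Admins
EventID=4624 Account=jsmith Workstation=HR-LAPTOP-117 LogonType=2
EventID=4756 Subject=svc-mail Member=backup-svc Group=Enterprise Admins
"""

# Values may contain spaces ("Domain Admins"), so each value runs until the next "key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Turn one key=value event line into a dict."""
    return dict(KV_RE.findall(line))

def hunt(events_text):
    """Return (finding, principal, detail) tuples for Tier-0 anomalies in the export."""
    findings = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid in {"4728", "4732", "4756"} and ev.get("Group") in TIER0_GROUPS:
            # Any addition to a Tier-0 group is a hunt lead, whoever performed it.
            findings.append(("tier0_group_change", ev["Member"], ev["Group"]))
        elif (eid == "4624" and ev.get("Account") in TIER0_ACCOUNTS
              and ev.get("Workstation") not in PAW_HOSTS):
            # A Tier-0 credential used from a standard endpoint breaks the PAW model.
            findings.append(("tier0_logon_off_paw", ev["Account"], ev["Workstation"]))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```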

    Source:

    • https://cybersecuritynews.com/aeroflot-airlines-cyberattack/
    • https://t.me/silentcrow_reborn/18



    Ampcus Cyber