Aeroflot Hit by Year-Long Cyberattack


Overview

On 28 July 2025, Russian flag carrier Aeroflot confirmed a massive IT outage initially reported as an “information-system failure.” Subsequent disclosures from pro-Ukraine hacktivist groups Silent Crow and Cyber Partisans BY revealed a year-long clandestine cyberattack that culminated in the complete destruction of Aeroflot’s internal IT infrastructure.

The attackers claim they gained access via phishing and zero-day exploits in mid-2024, escalated to Tier-0 administrative control, and ultimately executed a destructive payload that wiped approximately 7,000 servers and exfiltrated over 20 TB of sensitive data. The incident has caused widespread operational paralysis, disrupted flight schedules, triggered legal action under Article 272, and raised alarms about the cybersecurity posture of national aviation systems.

What Happened?

The attack unfolded over several key stages:

  • Mid-2024: Hackers gained initial access to Aeroflot’s corporate network through phishing and unpatched zero-day vulnerabilities.
  • Spring 2025: Attackers escalated privileges to Tier-0 domain control, enabling access to core systems such as Sabre, Sirax, Exchange, SharePoint, CRM, and surveillance platforms.
  • 27 July 2025: A destructive wiper payload was deployed across 122 VMware ESXi hosts, resulting in the erasure of approximately 7,000 physical and virtual servers.
  • 28 July 2025 (Morning): Aeroflot announced a system failure, cancelling over 49 flights from Moscow’s Sheremetyevo Airport.
  • Telegram Statement: The hacktivist groups claimed responsibility and published screenshots of internal systems, threatening to leak passenger data unless political demands are met.
  • 28 July 2025 (Evening): Russia’s Prosecutor General opened a criminal investigation, while market analysts predicted recovery costs in the tens of millions of dollars.

The attackers claim they stole 20+ TB of sensitive data including historical flight logs, personally identifiable information (PII), and executive communications. The operational impact, reputational damage, and geopolitical implications are profound.

Why This Matters for Aviation

This incident marks one of the most destructive cyberattacks in commercial aviation history. It represents a convergence of nation-state tensions, cyber-sabotage, and public service disruption.

The complete destruction of IT systems and loss of operational continuity at Aeroflot illustrates that even major airlines can be caught off-guard by persistent and highly coordinated attacks.

As aviation becomes increasingly digital, resilience is no longer optional. This case reinforces the need to treat cyber risks not only as operational threats but as systemic risks to national transportation safety.

In Summary

Aeroflot’s year-long breach by Silent Crow and Cyber Partisans BY demonstrates the devastating consequences of strategic cyberattacks on civil aviation. The destruction of 7,000 servers and loss of over 20 TB of sensitive data is a wake-up call.

Operators must:

  • Harden Tier-0 systems and hypervisor layers
  • Validate breach detection and recovery protocols
  • Treat persistent access as a baseline threat
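As an added illustration of the "validate breach detection" point above (example code written for this notice, not Aeroflot's own tooling or a vendor product), the script below implements one concrete tripwire: it flags an account that performs an unusually large number of destructive hypervisor operations across many hosts within a short window, which is the shape of activity the timeline describes for the ESXi layer. The pipe-separated event format, the account names and the host names are constructed for the example; a real deployment would map vCenter or ESXi audit events into this normalized form.

```python
"""Flag bursts of destructive hypervisor operations (mass VM removal / power-off)
from a single account across many hosts. Constructed, simplified event records;
this is not the native vCenter/ESXi log format."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Operations that, in bulk, look like a wiper rather than routine maintenance.
DESTRUCTIVE_OPS = {"VmRemoved", "VmPoweredOff", "DatastoreFileDeleted"}


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    op: str
    target: str


def parse_event(line: str) -> Event:
    """Parse one constructed event line: ISO timestamp|user|host|operation|target."""
    ts, user, host, op, target = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, host, op, target)


def build_sample_log() -> list[str]:
    """Constructed sample (hypothetical names): a week of routine patching
    activity, then one service account removing 30 VMs across 8 hosts in five
    minutes. The first 14 lines are the routine activity only."""
    lines = []
    base = datetime(2025, 7, 20, 9, 0, 0)
    for day in range(7):  # one VM powered off and back on per day for patching
        t = base + timedelta(days=day)
        host = f"esxi-0{day % 3 + 1}"
        lines.append(f"{t.isoformat()}|admin.ivanov|{host}|VmPoweredOff|vm-patch-{day}")
        lines.append(f"{(t + timedelta(minutes=30)).isoformat()}|admin.ivanov|{host}|VmPoweredOn|vm-patch-{day}")
    burst_start = datetime(2025, 7, 27, 2, 10, 0)
    for i in range(30):  # 30 removals, one every 10 seconds, spread over 8 hosts
        t = burst_start + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()}|svc-backup-admin|esxi-0{i % 8 + 1}|VmRemoved|vm-prod-{i:02d}")
    return lines


def find_destructive_bursts(events, window=timedelta(minutes=10), min_ops=20, min_hosts=5):
    """Sliding window per account: alert when one account performs at least
    `min_ops` destructive operations touching at least `min_hosts` distinct
    hosts inside `window`. Returns the widest qualifying window per account."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.op in DESTRUCTIVE_OPS:
            by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            hosts = {e.host for e in span}
            if len(span) >= min_ops and len(hosts) >= min_hosts:
                if best is None or len(span) > best["ops"]:
                    best = {"user": user, "ops": len(span), "hosts": len(hosts),
                            "first": span[0].ts, "last": span[-1].ts}
        if best:
            alerts.append(best)
    return alerts


def scan(lines):
    """Parse raw lines and return the list of burst alerts."""
    return find_destructive_bursts([parse_event(line) for line in lines])


if __name__ == "__main__":
    for alert in scan(build_sample_log()):
        print(f"ALERT {alert['user']}: {alert['ops']} destructive ops on "
              f"{alert['hosts']} hosts between {alert['first']} and {alert['last']}")
```

The thresholds (20 operations, 5 hosts, 10 minutes) are deliberately conservative so that a single administrator patching one VM a day never trips the rule; they should be tuned against a site's own change-management baseline, and the alert is most useful when it is wired to an out-of-band channel that the same Tier-0 account cannot silence.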

This incident should serve as a high-priority reference point for all aviation security reviews in Q3/Q4 2025 and beyond.
