On Monday morning, July 28, Aeroflot's operations were severely disrupted, leading the airline to cancel dozens of flights and advise passengers not to come to airports. Shortly thereafter, hacktivist groups Silent Crow and “Cyber Partisans of Belarus” claimed responsibility for the disruption. The cybercriminals asserted they had stolen 12 terabytes of data, gained control over employee computers, completely compromised all critical corporate systems, and subsequently destroyed them. This report delves into the details of the alleged attack and investigates the groups Silent Crow and “Cyber Partisans of Belarus.”
Hackers Involved in Aeroflot Disruption Detail Their Attack
“Successful penetration was largely possible due to some company employees neglecting elementary security,” stated the “Cyber Partisans of Belarus” in their Telegram channel.
The cybercriminals added that after infiltrating the airline's infrastructure, they methodically advanced within it for a year with the goal of total compromise. They clarified that this was facilitated by Aeroflot's use of outdated versions of Microsoft operating systems—Windows XP and 2003.
“The cyberattack began on the night of July 27-28. By early morning, we had destroyed over seven thousand servers and workstations, databases, and internal systems. All data was wiped using a special innovative algorithm.”
The hackers also claim they managed to display offensive messages, widely used in pro-Ukrainian propaganda since the start of the special military operation, on Aeroflot employees' computer screens.
They further assure that they still retain access to the airline's corporate email accounts and can eavesdrop on the carrier's senior management.
However, Roskomnadzor (Russia's federal service for supervision of communications, information technology and mass media) has not confirmed the information regarding passenger data leaks. “The leakage of Aeroflot client personal data is not yet confirmed,” the agency emphasized in a conversation with TASS.
Who Took Responsibility for Aeroflot's Problems?
Two groups—“Cyber Partisans of Belarus” and Silent Crow—assert they are behind the Aeroflot disruption. They regularly claim significant successes in their digital struggle against Russia. However, it should be noted that not all their claimed victories are subsequently confirmed.
The “Cyber Partisans of Belarus” had been relatively inactive in recent months, focusing primarily on investigating the disappearance of Anzhelika Melnikova, speaker of the Belarusian opposition's Coordination Council, who went missing in March 2025 in Warsaw. This situation led to numerous conspiracy theories about her betraying the Belarusian opposition. Another notable activity of the cyber partisans is compiling a list of Belarusian citizens participating in the special operation in Ukraine on Russia's side.

[Photo: Aeroflot attack affected thousands of passengers. Credit: Kirill Kallinikov / RIA Novosti]
Silent Crow is a pro-Ukrainian group that previously claimed to have hacked Rostelecom and about a hundred large Russian companies. It should be noted that these claims have been repeatedly questioned by information security specialists. The data sets published by the hackers as proof either did not contain sensitive information for Russians or were not related to the stated victims of the hack but to their contractors. Sometimes, they were compilations of previous leaks.
“The group also distinguished itself here with a flurry of bold statements: that they had been in the infrastructure for a year with maximum access, compromised all critical systems, and pulled 12 terabytes of data, including the entire flight array. And after having their fun, they destroyed the entire company infrastructure, comprising seven thousand physical and virtual servers,” noted the authoritative Telegram channel T.Hunter. “In reality, the bravado of the daring hackers likely strongly diverges from the reality of what they ‘partisanned’.”
Natalya Kaspersky, president of InfoWatch, also expressed doubt about Silent Crow's involvement in the hack on her Telegram channel. In her opinion, it is too early to judge who is truly behind the attack.
“This could have been, for example, special services of enemy countries or internal malicious actors. Making loud statements is one thing; actually hacking is another.”
The previous announcement of a major hack was posted on Silent Crow's Telegram channel on July 20, after almost four months of silence. At that time, the hacktivists claimed to have gained full access to data on residents of Moscow and the Moscow Region from EMIAS (Unified Medical Information and Analytical System).
“We gained administrative control over the entire infrastructure of one of the largest personal data operators, including the domain controller, hypervisors, and databases. The total volume of extracted data amounted to approximately 17 terabytes,” the hackers wrote then, attaching a data sample to their message.
However, they have not returned to the topic of the EMIAS hack since, and no additional data arrays have been published.
Airline Operations Paralyzed
Since early morning, Aeroflot has been attempting to mitigate the consequences of the hack, which resulted in dozens of canceled flights. The airline announced that specialists are currently making forced adjustments to the flight schedule, including partial flight cancellations. According to the Telegram channel Baza, the situation remains critical: only flights for which flight calculations were made in advance are departing.
“I came to work, but we can't print flight plans, no one knows anything. I can't even find the crew number, I can't contact the captain, I don't know where he is, he doesn't know where I am. All planes are standing still, management knows nothing: where the plane is, who is flying, where it's flying, crew numbers. In short, there's absolutely nothing,” said an Aeroflot employee to the publication.
Unfortunately, in the current political realities and in the face of escalating confrontation with the West, there is little hope that the attacks will cease. Most likely, attacks on our country's critical infrastructure will only intensify.
According to the Telegram channel “Aviatorshchina,” all Aeroflot employees have been prohibited from using corporate email and work computers. Instead, employees were advised to use the Telegram messenger for communication with crews.
According to information security expert Alexey Kozlov, restoring Aeroflot's systems could take up to six months, with full stabilization potentially taking up to a year. In a conversation with RIA Novosti, he stated that the exact timeframe depends on the degree of infrastructure destruction and the availability of data backups. Kozlov estimated the damage from the cyberattack to be between 10 and 50 million dollars.

[Photo: Long queues of passengers formed at Sheremetyevo Airport. Credit: Kirill Kallinikov / RIA Novosti]
The cancellation of dozens of Aeroflot flights became known on the morning of July 28. Affected passengers included those on paired flights departing from and returning to Moscow. Specifically, the problem impacted Russians planning to fly to Astrakhan, Grozny, Yekaterinburg, Yerevan, Kaliningrad, Kazan, Mineralnye Vody, St. Petersburg, Stavropol, Sochi, and other cities.
