Flights have been stopped at Aeroflot. Hackers announced the destruction of the airline's IT infrastructure
On July 28, 2025, Aeroflot employees reported a malfunction in the information system, which delayed or canceled hundreds of flights throughout Russia. Two hacker groups, Silent Crow and Cyber Guerrillas BY, have claimed that they infiltrated Aeroflot's corporate network, copied data and destroyed the airline's internal IT infrastructure. They also said that they had access to the airline's corporate network for a year. Despite the hackers' claims about the complete destruction of Aeroflot's IT infrastructure, check-in for most flights continues as normal.
Hacking of a Russian airline
On July 28, 2025, representatives of Aeroflot reported a glitch in the information system, which led to flight cancellations and delays, Kommersant writes. Hackers from the groups Silent Crow and "Cyber Guerrillas BY" claimed responsibility for hacking into Aeroflot systems. The attackers allegedly infiltrated the corporate network, copied the data and destroyed the airline's internal IT infrastructure.
The hackers claim to have been inside Aeroflot's corporate network for a year (i.e. since July 2024). As a result, about 7,000 servers, both physical and virtual, were allegedly destroyed. The hackers said they had obtained flight history databases, compromised all critical corporate systems, gained control of employees' personal computers, including management, and also "copied data from wiretapping servers" and from personnel surveillance and control systems.
The hackers estimated the volume of data obtained at 12 TB of databases. "All these resources are now unavailable or destroyed, and restoration will probably require tens of millions of dollars. The damage is strategic," the hackers posted on the Silent Crow Telegram channel.
This is not the first time that the Russian-speaking hacker groups Silent Crow and Cyber Partisans BY have claimed responsibility for cyber attacks on Russian and Belarusian government IT systems. Silent Crow claims to have attacked over a hundred major companies. However, as of 2025 the hackers have not named these companies or the countries they belong to. The group "Cyber Partisans BY" has been known since 2020 and was originally formed by opponents of the President of Belarus Alexander Lukashenko. After 2022, the hackers began actively attacking Russian targets, including government agencies and industrial enterprises.
Against the background of flight cancellations due to a malfunction in the IT system, Aeroflot shares fell by almost 4%. As of 11:38 a.m. Moscow time, they were trading on the Moscow Stock Exchange (Mosbirzha) at 56.8 rubles apiece. At the close of trading on July 27, 2025, the share price was 58.91 rubles.
Despite the hackers' claims about the complete destruction of Aeroflot's IT infrastructure, check-in for most flights continues as normal, and check-in and boarding are underway. Information security specialists are already working on troubleshooting, Aeroflot assured.
Aeroflot is Russia's largest aviation group, which includes Aeroflot, Rossiya and Pobeda airlines. In 2024, these three companies transported 55.3 million passengers, and their share in the Russian air transportation market was 42.3%. As of 2024, the route network of Aeroflot and Rossiya airlines comprised 248 scheduled destinations, while the Pobeda network covered 94 destinations.
According to Alexey Kozlov, a leading analyst at Speakatel's information security monitoring department, one of the possible reasons is insufficient access control and internal security. This primarily concerns monitoring the actions of insiders, network segmentation and centralized IT management systems. This could have allowed the attackers to remain unnoticed for months. Protection from APT groups is also important: regular audits, control at the user behavior level, multifactor authentication, monitoring of privileged actions, restriction of rights, and real-time command analysis are needed. "On average, recovery after a large-scale cyberattack, as we already know from situations with other large Russian companies, can take from several weeks to six months: one to two months are spent on restoring critical systems, the rest is spent on setting up protection, auditing, reviewing processes and regaining customer trust. Full stabilization can take up to a year if the IT infrastructure is destroyed and backups are unavailable," he added.