
How Ukrainian and Belarusian hackers wreaked havoc on Russia’s flagship airline and exposed its role in the war

Source: The Bell

On the morning of July 28, 2025, all of Aeroflot’s information systems went down — from corporate email to passenger check-in. The outage forced hundreds of flight delays and cancellations, plunging Moscow’s Sheremetyevo Airport into chaos and affecting tens of thousands of passengers. Russia’s largest airline lost at least 260 million rubles ($3.3 million) from cancellations alone, and total damages are estimated in the tens of millions of dollars. The independent outlet The Bell recently published an investigation into who and what took out Aeroflot’s systems. Meduza summarizes its key findings.


The massive outage that struck Russia’s flagship airline in July was the result of a cyberattack. Two activist hacker groups — Silent Crow from Ukraine and Cyber Partisans from Belarus — infiltrated the network of Bakka Soft, a small tech company involved in developing Aeroflot’s mobile and web applications. From there, they gained remote administrative access to the airline’s infrastructure. At one point, the intruders triggered a process designed to wipe data from every workstation — roughly 10,000 computers.

The attackers’ attempt to “kill and erase the domain” largely succeeded: with no connection to the main corporate domain, fixed workstations (including airport check-in counters) demanded domain credentials on startup and stopped functioning. All of the airline’s automated processes came to a standstill.


To prevent even more extensive damage, Aeroflot first cut off external communication channels at its offices, then began shutting power to entire floors.

Afterward, the hackers claimed to have obtained Aeroflot’s full flight history, compromised critical corporate systems, taken control of employee workstations — including those of senior management — and downloaded recordings of phone calls as well as data from video-surveillance and personnel-monitoring systems. They published screenshots from internal networks, audio from internal conversations, internal documents (including Aeroflot’s information security strategy), and more than three gigabytes of additional data — even pilots’ medical records.

Among the stolen materials, The Bell notes, were files related to the airline’s “non-commercial flights,” including a document signed by a Defense Ministry representative referencing military transport — despite Aeroflot’s public insistence that it’s strictly a civilian carrier with no role in the war.

For months after the attack, employees had to perform many tasks manually, such as assigning pilots to flights. In theory, data could be restored from backups, but in practice it was often unclear which backups were safe to use, since any might contain malware planted by the attackers.

The effort to restore Aeroflot’s systems and investigate the breach involved experts from several of the airline’s IT contractors as well as Russia’s Federal Security Service (FSB), Interior Ministry, and Investigative Committee. Publicly, Aeroflot attributed the outage only to “a malfunction in information systems,” and most employees were never told what happened.

According to The Bell, several major firms were responsible for Aeroflot’s cybersecurity, and the system turned out to have a great number of vulnerabilities. Some were inevitable given the scale of the network, but others were the result of systemic flaws.

The hackers’ presence in Bakka Soft’s network had actually been detected in January 2025 — six months before the Aeroflot outage. Although they were removed then, the company implemented no additional security measures, allowing them to return in May.

The fact that Aeroflot’s cybersecurity apparatus was disorganized even before the incident made things easier for the attackers. Responsibility for cybersecurity was split between the information security department and the office of the deputy CEO for IT and information security, each of which had its own budget and contractors.

Aeroflot spends significant funds on cybersecurity: in 2024, it spent 858.8 million rubles ($10.8 million). Its largest contractors are Bastion (co-founded by Boris Korolev, son of the head of the FSB’s economic security service), Solar (owned by Rostelecom), Kaspersky Lab, and BI.ZONE (part of Sber). Bastion, which plays the biggest role, handled the aftermath of the initial Bakka Soft breach in January.

Whether Aeroflot has revised its cybersecurity policies since the July attack remains unclear.