Context and why it matters for aviation in the Baltics and EU
On 28 July 2025 Aeroflot publicly reported a failure in its information systems. Prosecutors in Russia reportedly opened a criminal case citing unauthorised access to computer information. Media reports noted dozens of cancellations on the day, with some outlets reporting more than 100 cancellations. The airline said its schedule had stabilised the following day. Figures differ by source, which is common in fast-moving incidents.
Two hacktivist groups, Silent Crow and the Belarusian Cyber Partisans, reportedly claimed responsibility. At the same time, Russia’s internet watchdog reportedly stated there was no confirmed data leak, even as samples purportedly linked to senior staff flight histories were posted by attackers. Verification remains disputed.
Why does this matter to aviation leaders in Estonia, the wider Baltics, and across the EU? Irrespective of geopolitics, airlines and airports operate large, hybrid IT estates, integrate with third-party platforms, and carry regulated personal data. A single identity lapse or architectural blind spot can produce disproportionate operational impact, reputational harm, and regulatory exposure. The Aeroflot episode is a reminder to validate the basics and test the worst-case.
Core topic explained without fluff
What it is and what it is not
Public reporting indicates an IT disruption reportedly attributed to a cyber attack, with hacktivist groups claiming long-term access and destructive actions. Aeroflot communications focused on restoring operations and reportedly stabilising the schedule within a day. This reads like a domain and identity-centric compromise with business systems affected.
It is not, based on what is publicly claimed, a direct compromise of flight safety systems. Hacktivists reportedly stated aviation safety was not targeted. That distinction matters. Business IT outages can still cascade into ground operations, crew scheduling, passenger rebooking, and loyalty platforms, yet they are different from airworthiness or avionics safety issues.
Timeline
- July 28, 2025
A major IT system failure at Aeroflot → 42–108 flights canceled, chaos at Sheremetyevo.
Hackers Silent Crow and Cyber Partisans claim responsibility: they say they had been inside the network for over a year, destroyed about 7,000 servers, and stole up to 22 TB of data (flight records, correspondence, call recordings, employee data).
- July 29, 2025
Disruptions continue: another 53 flights canceled.
Media publish the first reports about a “total hack” of Aeroflot’s IT infrastructure.
- July 30, 2025
Aeroflot announces that its flight schedule has stabilized (93% of flights operating). However, access to personal accounts on the website and in the mobile app remains unavailable (“maintenance work”).
- July 31, 2025
Debate continues over the scale of the damage: experts estimate recovery could take up to six months, with losses reaching $50 million.
- August 5, 2025
Aeroflot confirms: the “Aeroflot Bonus” system and personal accounts are still unavailable.
Typical weak points or failure modes
- Stale or shared privileged credentials, including unchanged executive passwords and legacy service accounts.
- Flat or loosely segmented networks where identity compromise pivots quickly into core apps like crew, ERP, email, and document stores.
- Legacy platforms and end-of-support systems that linger for operational reasons and expand the attack surface.
- Over-reliance on a single identity provider without robust conditional access, MFA coverage, and privileged access workstations.
- Backups that exist but cannot be restored rapidly, or that lack immutability and off-line copies.
- Third-party interdependencies, including booking platforms and loyalty systems, where failures ripple outward. Prior attacks against Russia’s Leonardo booking platform illustrate how shared services become choke points.
Practical playbook
Step-by-step actions
1) Lock down identity fast.
Force rotation of all administrative and service credentials. Disable non-compliant accounts. Enforce phishing-resistant MFA for every admin and for high-risk user groups such as crew operations, finance, and IT. Introduce step-up verification for access to crew, ERP, and email. Privileged Access Management (PAM) should be mandatory for Tier-0 operations.
2) Contain by design, not by luck.
If the network is flat, segment it now. Carve out bastions for identity, messaging, crew, payment, and document management. Apply deny-by-default ACLs between segments. Ensure SOC visibility on inter-segment flows before re-enabling any disabled services.
3) Prove your backups work under fire.
Run an immediate restore test for core systems: identity, email, ERP, crew, CRM, loyalty. Target Recovery Time Objectives that keep airport operations viable. Validate offline, immutable copies and ensure restore paths do not rely on the compromised domain.
4) Clean and rebuild what matters.
For endpoints and servers in high-risk domains, prefer rebuilds over ad hoc cleaning. Golden images must be signed and stored off-domain. Reissue device certificates and rotate secrets embedded in infrastructure code.
5) Stabilise operations and communicate.
Your customers, partners, and regulators need clarity. Publish plain-language FAQs on delays, refunds, rebookings, and loyalty points. Keep messages neutral and factual, mirroring the caution seen in public reporting around the Aeroflot case.
6) Hunt for persistence.
Assume living-off-the-land. Task threat hunters to examine identity token misuse, anomalous OAuth consent, rogue service principals, and scheduled tasks. Inspect management interfaces like hypervisors and out-of-band controllers.
7) Close the gaps that allowed initial access.
If the reported patterns hold, compromise frequently starts with weak credentials and legacy platforms. Put executive accounts and legacy systems at the front of the remediation queue.
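As an added example, not taken from the article, the following script applies the four persistence indicators named in step 6 (token misuse, anomalous OAuth consent, rogue service principals, scheduled tasks on Tier-0 hosts) to a constructed set of identity audit events. The event field names, sanctioned app list, Tier-0 hosts and admin group are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Assumptions for illustration: sanctioned OAuth apps, Tier-0 hosts and Tier-0 admins.
APPROVED_APPS = {"crew-scheduler", "erp-connector"}
BROAD_SCOPES = {"Mail.ReadWrite", "Directory.ReadWrite.All"}
TIER0_HOSTS = {"dc01", "hv-mgmt01"}
TIER0_ADMINS = {"admin.kask"}

def hunt(events):
    """Apply the step-6 persistence rules to audit events in time order.
    Returns a list of (rule, actor, detail) tuples."""
    findings, last_signin = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        t, actor = datetime.fromisoformat(e["ts"]), e["actor"]
        if e["type"] == "signin":
            # Token misuse: same account, different country, within one hour
            prev = last_signin.get(actor)
            if prev and prev[1] != e["country"] and t - prev[0] < timedelta(hours=1):
                findings.append(("token_misuse", actor, f"{prev[1]}->{e['country']}"))
            last_signin[actor] = (t, e["country"])
        elif e["type"] == "oauth_consent":
            # Consent granted to an unsanctioned app requesting broad scopes
            if e["app"] not in APPROVED_APPS and BROAD_SCOPES & set(e["scopes"]):
                findings.append(("anomalous_consent", actor, e["app"]))
        elif e["type"] == "sp_created":
            # Rogue service principal: unsanctioned app given a credential at creation
            if e["app"] not in APPROVED_APPS and e["credential_added"]:
                findings.append(("rogue_service_principal", actor, e["app"]))
        elif e["type"] == "scheduled_task":
            # Scheduled task on a Tier-0 host by someone outside the Tier-0 admin group
            if e["host"] in TIER0_HOSTS and actor not in TIER0_ADMINS:
                findings.append(("tier0_scheduled_task", actor, f"{e['host']}:{e['task']}"))
    return findings

# Constructed sample events (not real data)
SAMPLE_EVENTS = [
    {"ts": "2025-07-27T08:00:00", "type": "signin", "actor": "j.tamm", "country": "EE"},
    {"ts": "2025-07-27T08:40:00", "type": "signin", "actor": "j.tamm", "country": "BR"},
    {"ts": "2025-07-27T09:00:00", "type": "signin", "actor": "admin.kask", "country": "EE"},
    {"ts": "2025-07-27T09:05:00", "type": "oauth_consent", "actor": "j.tamm", "app": "mail-sync-helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2025-07-27T09:10:00", "type": "oauth_consent", "actor": "m.saar", "app": "crew-scheduler", "scopes": ["Mail.ReadWrite"]},
    {"ts": "2025-07-27T09:20:00", "type": "sp_created", "actor": "j.tamm", "app": "backup-agent-2", "credential_added": True},
    {"ts": "2025-07-27T09:30:00", "type": "scheduled_task", "actor": "j.tamm", "host": "hv-mgmt01", "task": "Updater"},
    {"ts": "2025-07-27T09:35:00", "type": "scheduled_task", "actor": "admin.kask", "host": "dc01", "task": "Patch"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

Each rule is deliberately narrow; in practice the thresholds and allow-lists would be tuned to the estate, and a hit feeds the credential-reset playbook rather than closing the case.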
Quick wins for the next 14 days
Enforce MFA coverage to 100 percent for admins and 95 percent for staff. Block legacy authentication. Implement conditional access by risk and device health. Review all break-glass accounts. Snapshot and lock critical SaaS audit logs. Freeze non-essential change windows until the environment is re-baselined.
Longer-term moves for the next 90 days
Segment identity tiers. Introduce PAM with just-in-time elevation. Adopt immutable backups and quarterly restore tests. Replace end-of-support systems that sit in critical paths. Run a full red team or scenario-based penetration test emulating a long-dwell adversary with destructive objectives.
Tooling and process integration
Focus on categories, not brands.
Identity and access: Conditional access, MFA, PAM, identity threat detection, just-in-time elevation, and strong password hygiene for executives and service accounts.
Endpoint and server: EDR with behavioural prevention, rapid reimaging capability, and application allow-listing for high-trust zones.
Network and segmentation: Micro-segmentation between identity, messaging, crew, ERP, and loyalty. Strict egress controls from Tier-0 and management networks.
Backup and recovery: Immutable storage, off-line copies, and rehearsed restore runbooks. Measure restore rates, not only backup success.
Monitoring and response: Centralised logging with immutable retention. Playbooks for credential reset at scale, emergency CA rotation, and SaaS incident scopes.
Third-party assurance: Booking, payment, baggage, and loyalty vendors should attest to backup and segmentation patterns. Past incidents involving booking platforms show how shared dependencies magnify impact.
Measurement and governance
Metrics and thresholds
- Mean time to detect identity misuse: target under 60 minutes for admin accounts, under 4 hours for standard users.
- Mean time to revoke tokens and reissue credentials: under 2 hours for critical apps.
- MFA coverage: 100 percent for admins, at least 95 percent for staff, 100 percent for remote access.
- Backup restore success: demonstrate recovery of identity, email, and ERP within business RTOs. Test quarterly.
- Segmentation drift: zero unauthorised flows between identity tier and business apps in monthly audits.
- Legacy risk reduction: eliminate end-of-support systems from critical paths within 90 days of identification.
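The segmentation drift metric above, and the deny-by-default ACLs from step 2 of the playbook, can be checked from flow records. The following is an added example, not the article's or any vendor's code: segment address ranges, the allow-list and the sample flows are constructed assumptions; anything not on the allow-list is reported as a flow the ACLs should have blocked.

```python
import ipaddress

# Assumption: one /24 per segment named in the article, plus a business-apps segment.
SEGMENTS = {
    "identity":  ipaddress.ip_network("10.0.0.0/24"),
    "messaging": ipaddress.ip_network("10.0.1.0/24"),
    "crew":      ipaddress.ip_network("10.0.2.0/24"),
    "payment":   ipaddress.ip_network("10.0.3.0/24"),
    "docs":      ipaddress.ip_network("10.0.4.0/24"),
    "business":  ipaddress.ip_network("10.0.10.0/24"),
}
# Deny-by-default: only these (src_segment, dst_segment, dst_port) tuples are permitted.
# Business apps may authenticate to identity; identity (Tier-0) initiates nothing outward.
ALLOWED = {
    ("business", "identity", 636),  # LDAPS
    ("business", "identity", 88),   # Kerberos
    ("crew", "messaging", 25),
    ("business", "payment", 443),
}

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def audit(flows):
    """Return inter-segment flows not covered by ALLOWED.
    Each flow is (src_ip, dst_ip, dst_port); intra-segment flows are out of scope."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s != d and (s, d, port) not in ALLOWED:
            violations.append((s, d, port, src, dst))
    return violations

def identity_to_business_count(violations):
    """The monthly metric: unauthorised flows between the identity tier and business apps."""
    return sum(1 for s, d, *_ in violations if {s, d} == {"identity", "business"})

SAMPLE_FLOWS = [  # constructed flow records, not real traffic
    ("10.0.10.5", "10.0.0.10", 636),    # allowed LDAPS
    ("10.0.10.5", "10.0.0.10", 445),    # SMB to a domain controller: not on allow-list
    ("10.0.0.10", "10.0.10.7", 3389),   # RDP initiated FROM the identity tier
    ("10.0.0.10", "203.0.113.9", 443),  # Tier-0 egress to the internet
    ("10.0.2.8", "10.0.1.4", 25),       # allowed crew -> messaging
    ("10.0.0.10", "10.0.0.11", 389),    # intra-segment, out of scope
]

if __name__ == "__main__":
    found = audit(SAMPLE_FLOWS)
    print(f"{len(found)} violations, {identity_to_business_count(found)} identity<->business")
```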
Roles and accountability
Board and CEO: Approve a resilience-first plan, fund identity, backup, and segmentation work, and set risk appetite.
CISO: Owns the incident playbook, red teams the environment, and reports metrics. Coordinates investigations that remain neutral and factual, mirroring the caution used in public sources.
CIO and operations: Deliver rebuild at scale, reimage, and restore.
Head of ground operations and customer care: Align airport workflows with staged service restoration.
Legal and data protection: Manage regulator notifications under NIS2 and GDPR where applicable.
Communications: Maintain transparent, neutral updates without overstating confirmations.
Regional and regulatory considerations
Airlines and airports operating in Estonia and the wider EU fall under NIS2 obligations for essential and important entities. That increases expectations for incident response, supply chain risk management, and resilience testing. Where personal data is involved, GDPR notification duties apply, but only after a facts-based assessment. When reporting is in dispute, as seen in public commentary around this incident, keep statements tightly sourced and avoid definitive phrasing until forensics conclude.
How Cybertex Security can help
Cybertex Security works with aviation and travel operators across the Baltics and EU to test real-world failure modes and close the gaps that matter.
- Scenario-driven Penetration Testing to emulate long-dwell, identity-led adversaries who aim to disrupt operations rather than only exfiltrate data.
- Board-level guidance through CISO-as-a-Service to prioritise identity hygiene, segmentation, and backup integrity.
- Independent Security Assessment to benchmark resilience against practical attack paths seen in recent airline incidents.
Client-style scenario
A regional carrier operating across the Baltics needed confidence that a compromise of staff email and crew systems would not cascade into check-in and loyalty. We executed a multi-stage penetration test that started with identity, moved laterally through legacy scheduling, then attempted destructive actions against virtualisation management. The result was a set of segmented controls, faster credential rotation, and a tested restore plan that reduced recovery time by days.
Ready to pressure-test your environment the way adversaries reportedly operate? Start with our Penetration Testing service or reach us through our Contact page.