On the morning of July 28, 2025, Aeroflot was the victim of a cyberattack. Central booking, dispatch and crew‑planning systems fell silent, forcing staff at Sheremetyevo to revert to paper manifests. The airline canceled 54 round-trip flights on that day, causing delays on routes operated by its subsidiaries Rossiya and Pobeda, as well as on flights to Belarus, Armenia and Uzbekistan.
Why this matters in Moscow’s hybrid war
Ukrainian Silent Crow and the Belarusian Cyber Partisans, two openly pro‑Ukraine hacker collectives, claim the incident was the culmination of a year‑long penetration intended to “strike a national symbol without endangering air safety.” Their release argues that paralyzing the flag carrier undermines Kremlin narratives of cyber‑resilience and diverts domestic security resources from the Ukrainian front. Russian lawmakers echoed that concern, branding the outage a “wake‑up call,” while the Kremlin conceded the episode was “alarming,” a rare public acknowledgment that the digital campaign against Russia is hitting prestige targets at home.
Beyond reputational damage, the attack exposes a broader vulnerability: Russia’s transport sector remains heavily reliant on legacy Western IT systems, and sanctions complicate patching and replacing them. Analysts in Moscow warn that the same techniques could cascade into rail, energy or logistics nodes that support wartime mobilization, amplifying the strategic effect without firing a shot.
What we know about the tactics used
Silent Crow and Cyber Partisans claim to have spent twelve months inside Aeroflot’s network before launching the attack that rendered approximately 7,000 servers unusable.
The hackers claim that the CEO’s password dated back to 2022 and that dozens of machines were running unsupported versions of Windows XP/Server 2003, vulnerabilities that enabled the attack.
Aeroflot says 93% of flights are now running, yet the incident has already shown that a patient, non‑state crew with modest tools can translate long dwell time into an outsized operational punch. It is evidence that, in today’s conflict, the most damaging strike on a national asset may arrive not from drones or missiles but from a forgotten admin password deep inside the network.