Hackers Allegedly Destroy Aeroflot’s IT Infrastructure

The attackers assert they achieved deep access to critical systems, from booking engines to executive email, by penetrating the network in mid-2024, reportedly using targeted phishing and zero-day exploits. This persistent access eventually escalated to “Tier-0 domain controllers,” giving them full administrative control over essential platforms like Sirax, SharePoint, Exchange, CRM, and ERP.

The claimed culmination of the operation, which they termed a “strategic strike,” was the erasure or “bricking” of approximately 7,000 physical and virtual servers on July 27, 2025. This was coupled with the theft of over 20 TB of sensitive data, including flight logs, passenger records, and internal communications. Screenshots allegedly showing Active Directory folders were posted on Telegram as proof.

The Consequences

• On Monday morning, Aeroflot cited an “information-system failure” as it was forced to cancel 49 domestic and regional flights out of Moscow’s Sheremetyevo Airport, causing terminals to be overrun with stranded passengers.
• The disruption has caused Aeroflot’s stock price on the Moscow Exchange to drop by over 4%.
• Russia’s Prosecutor General has initiated a criminal investigation into “unauthorised access,” confirming the severity of the cyber-attack. Kremlin spokesperson Dmitry Peskov labeled the situation “quite alarming.”
• Cybersecurity analysts estimate that rebuilding the airline’s digital infrastructure could take months and cost “tens of millions of dollars,” marking a significant operational and symbolic blow in the context of the Russo-Ukrainian conflict.

The hackers have since threatened to release the stolen personal data of Aeroflot passengers. If confirmed, this leak would expose millions of customer records and escalate the geopolitical tensions surrounding the incident.