Red Hot Cyber


7,000 servers wiped out! Silent Crow and Cyberpartisans BY devastate Aeroflot in a historic cyber raid.

Luca Stivali : 29 July 2025 07:39

While the West battles ransomware attacks and private companies invest in defensive security, on the other side of the digital front, the war is being played out asymmetrically. On July 28, 2025, Russia’s national airline Aeroflot was hit by a massive cyberattack claimed by pro-Ukrainian groups Silent Crow and Cyberpartisans BY, causing flight cancellations, a direct financial impact on the stock market, and – according to underground sources – the compromise and destruction of over 7,000 internal servers.

The attack represents one of the most devastating offensive operations suffered by Russian critical infrastructure since the beginning of the conflict with Ukraine.

The dynamics of the attack: a year of persistence and total compromise

According to the Telegram channel Hackmanac Cyber News and a post on the revamped BreachForums, the operation lasted over a year, during which the attackers maintained persistent access to Aeroflot’s systems until the destructive attack.

The result?

  • The complete deletion of 7,000 servers (physical and virtual)
  • The exfiltration of 22 terabytes of sensitive data
  • 54 canceled flights on July 28 alone
  • Large-scale IT disruptions at Russian airports

But the exfiltrated data doesn’t just concern flight logistics: it includes flight history, employee devices, company emails, data from interception servers, and confidential top management files.

The groups involved: high-intensity hacktivism

Silent Crow is a relatively new but very active group on the pro-Ukrainian cyberwarfare front. It has already claimed responsibility for attacks on Russian government institutions, IT companies, telecommunications companies, and insurance companies.

In this operation, it collaborated with Cyberpartisans BY, a Belarusian group known for its sabotage actions against the Lukashenko regime. Their stated goal is

“to liberate Belarus and help Ukraine in its fight against the occupier.”

Technical insight: What was really compromised?

The technical details published by the attackers provide an alarming snapshot of Aeroflot’s internal IT: a critical but outdated environment, poorly protected and carelessly managed.

Compromised infrastructure:

  • 122 hypervisors
  • 43 ZVIRT (Russian virtualization) environments
  • Approximately 100 iLO interfaces for physical server management
  • 4 Proxmox clusters
  • Full access to thousands of VMs

Enterprise systems breached:

Attackers gained access to virtually all core systems:

  • Flight management (CREW, Sabre)
  • ERP and CRM (1C, Sirax, SharePoint, KASUD)
  • Corporate email (Exchange)
  • Data Loss Prevention (DLP)
  • Surveillance and wiretapping systems
  • Staff endpoint devices, including the CEO

Data collected:

  • 12 TB of databases (flight history, maintenance, passengers)
  • 8 TB from network file shares (internal folders)
  • 2 TB from email
  • Audio from interceptions and internal communications
  • Data from staff monitoring systems

According to The Moscow Times, some of the critical systems were still running Windows XP, while the CEO hadn’t changed his password in over three years.

The message left by the attackers

The analysis published on the official CyberPartisans website contains a detailed report of the operation against Aeroflot, complete with screenshots, logs of malicious activity, and cross-references to the compromised systems. The released content also includes the message left by the attackers on the compromised terminals, a clear sign of the psychological and political nature of the attack.

The message, written in a combination of Russian, German, and English, reads:

According to the same sources, this message appeared on numerous corporate endpoints when the servers were wiped, demonstrating that the operation was not limited to data exfiltration, but also included a defacement and psychological warfare component.

Economic consequences and reputational damage

The reputational damage is just the tip of the iceberg:

  • Aeroflot shares lost 3.9% on the stock market
  • 54 flights canceled on the day of the attack alone
  • Disruptions and delays in flight operations and check-in
  • Potential diplomatic damage in case of public release of the exfiltrated 22 TB

Roskomnadzor has stated that there is currently no evidence of a personal data leak, but Silent Crow has threatened to publish the data if it does not receive media and political attention.

The attack on Aeroflot is not a simple cyber incident. It is a large-scale operation that combines espionage, sabotage, and psychological warfare. The level of compromise suggests not only a security breach, but also a veritable cultural bankruptcy in internal IT management.

In the midst of a hybrid war in which aviation is both symbol and infrastructure, hitting Aeroflot means hitting the identity and mobility of Russia itself.

Now it remains to be seen: what will those 22 TB contain? And how long will the Kremlin be able to keep them out of the public eye?

Sources:

Luca Stivali
Cyber Security Enthusiast and entrepreneur in the IT industry for 25 years, expert in network design and management of complex IT systems. Passion for a proactive approach to cyber security: understanding how and what to protect yourself from is crucial.
