

A pro-Ukraine “hacktivist” group calling itself Silent Crow has taken credit for a disruptive cyber attack that forced Russian airline Aeroflot to ground some of its flights and delay others by hours on July 28 and 29.
The airline canceled 54 of its 260 scheduled flights for the day due to the cyber attack, and an undetermined number of others experienced some amount of delay. 22 outbound flights from Moscow were subsequently canceled the following day, along with 31 incoming flights operated by subsidiary Rossiya Airlines. Senior Russian lawmaker Anton Gorelkin implied in a statement to the media that Silent Crow might be “in the service of unfriendly states,” but thus far little is known for certain about the group.
Aeroflot cyber attack timed during typical Russian holiday period
Silent Crow has been in operation since at least late 2024, when it created a public Telegram channel taking credit for a series of cyber attacks that had taken place in Russia. Since then it has been tied to the January breach of Russia’s Federal Service for State Registration, which involved a leak of about two billion records including SNILS numbers (used for social security and pension contributions) for as many as 90,000 citizens. The group has since claimed responsibility for attacks on an assortment of high-profile targets in the country including Rostelecom, Moscow’s Department of Information Technologies, Alfa Bank, and Kia Russia among others. In each case the attackers do not demand a ransom, but simply exfiltrate some sort of sensitive data and immediately leak it to the public.
The group’s actual composition remains unclear, but some Russia-based security researchers have observed connections with a spate of pro-Ukraine hacking groups that sprang up in mid-2022 not long after the war began. Silent Crow has said that it focuses on critical infrastructure targets, with the intent to expose weaknesses and exert pressure on the Russian government. It has a public partnership with another hacktivist group called Belarusian Cyberpartisans, and has made statements calling for the “liberation” of Belarus from the present strongly Russia-aligned government. There remains no clear evidence that the Ukrainian or any other governments are involved in supporting it.
For its part, Aeroflot has thus far only referred to the cyber attack as a “failure of its information systems” and has not made any confirmation of ransomware or data theft. Both Ukrainian and Russian hackers have been known to use destructive ransomware attacks against each other during the war, of a type that is not meant to be unlocked and involves no demands for payment. Silent Crow claims that it destroyed some 7,000 Aeroflot servers during the course of the cyber attack, which if true would point to the deployment of ransomware. The group also claims that it compromised the personal computers of senior management employees and is in possession of the personal data of “every Russian who has ever flown Aeroflot,” and is threatening to release this information along with internal emails and messages.
The cyber attack landed on the Day of the Baptism of Rus, a national holiday, and just a day after the annual Navy Day celebrations that are observed as a military holiday accompanied by a presidential fleet inspection and a major parade.
Passengers note extended period of system downtime
Throughout the day of the cyber attack, Aeroflot customers took to online forums to report that they were unable to log into rewards accounts (apparently restricted temporarily as a precaution) and also could not access the ticket refund system. As of July 29 Aeroflot reported that it had stabilized its internal systems, despite having to cancel dozens of additional flights for the day. A Cyber Partisans hacker has claimed that Aeroflot has reverted to using manual systems to keep its business running during the outage, something likely to be costing it massive amounts of money if true.
Disruptions of flights into and out of Russia have become common in recent months, but until now they were due much more to drones than to cyber attacks. Repeated drone strikes by Ukraine have focused on Russia’s airports, and not just military targets. In total there have been hundreds of flight delays thus far this year due to attacks related to the war, with a particularly big drone attack in early July canceling scores of flights at all of Moscow’s major airports.
And though there is not yet evidence that Silent Crow is part of this, the state-backed cyber war between the two countries has remained hot over three years into the war. Both sides heavily target each other’s critical infrastructure, and Russia has repeatedly tried to block Ukraine from using the Starlink satellite communication system. As of July 30 another wave of cyber attacks has hit Russian pharmacies and forced hundreds to shut down, but this attack has not yet been attributed to Silent Crow as of this writing.
Steve Povolny, Senior Director of Security Research at Exabeam, notes that this represents an unusual period of Russia being on the cyber back foot: “The cyber‑attack on Aeroflot demonstrates the tremendous scale and impact that successful cyber operations can have, especially when they occur during an active armed conflict. For over a year, pro‑Ukraine actor Silent Crow allegedly infiltrated Aeroflot’s network, stole terabytes of data, and physically destroyed thousands of servers. That caused cancellations of somewhere between 40 and over 100 flights in a single day, stranding hundreds of passengers and inflicting tens of millions in operational and reputational damage. This incident is among the most disruptive cyberattacks Russia has experienced since Ukraine’s full‑scale invasion in February 2022. In physical‑war terms, this mirrors kinetic sabotage – like disrupting critical aviation hubs – without a single bomb dropped. In comparison, earlier Russian cyber campaigns have focused more on infrastructure denial and economic disruption. The 2015 Ukraine blackout, attributed to Russia’s Sandworm group, knocked out electricity for roughly 230,000 consumers for several hours using KillDisk malware and SCADA manipulation. In 2023, the Kyivstar telecom attack disrupted internet and mobile service for millions in Ukraine, including air‑raid alert systems, and cost some $90 million to recover. By contrast the Aeroflot strike combined deep covert infiltration, physical destruction of servers, and cascading service failure affecting both domestic and international travel. It represents a new level of cyber impact in war operations – shutting down civilian mobility while sending a broader psychological message.”
“It’s important to recognize how the threat has evolved: actors are blending espionage, sabotage, and data destruction to undermine national resilience. From a security leader’s perspective, the Aeroflot attack reinforces the need for continuous threat hunting, network segmentation, disaster recovery planning, and collaboration across industry and government to defend critical civilian systems during wartime,” advised Povolny.