Russia’s prosecutor’s office on Monday launched a criminal investigation into a massive pro-Ukrainian cyberattack against Russia’s Aeroflot which Anton Gorelkin, a senior member of the State Duma, said was a “much-needed wake-up call,” adding “… the war against our country is being waged on all fronts, including the digital one.” He demanded immediate action to reinforce the country’s cyber defenses.
The pro-Ukrainian Silent Crow hacking group claimed responsibility on its Telegram channel, saying the attack had been supported by the Belarusian Cyberpartisans group. It claimed it had not only “taken down” Aeroflot’s system but had completely destroyed the company’s entire internal IT infrastructure.
The hackers said their operation had been a year in preparation during which time they had infiltrated every corner of the system in preparation for their sabotage attack – its post giving a detailed technical breakdown of its activities inside the network.
As a result, it said it had deprived Aeroflot of access to around 7,000 servers that host the entire company infrastructure including the client database and corporate flight services. They claimed to have also downloaded, encrypted and deleted around 20 terabytes of information which included the flight history of Aeroflot customers.
As a result of the attack, which was timed to hit the peak of Russia’s holiday season, chaos ensued at the Sheremetyevo, Vnukovo, and Krasnoyarsk airports, with many flights seriously delayed or simply cancelled.
Pro-Kyiv blogger Alexander Nevzorov said, somewhat sarcastically, that “[Russian] citizens waited in kilometer-long immovable queues – speechless, motherless and perhaps even happy that their suffering is their personal contribution to the ‘SVO’” – Russia’s term for its 2022 full-scale invasion of Ukraine.
Without acknowledging the scale of the damage, a Kremlin spokesperson on Monday confirmed that the cyber assault had taken place and called it “worrying.”
Who are Silent Crow and Cyberpartisans?
Ukrainian hackers have carried out several high-profile cyberattacks over the past three years aimed at Russia’s government ministries including its Crimean-based authorities, businesses linked to its military, energy suppliers, national and regional internet and telecoms services, Russia’s courts and its rail network.
In most cases these attacks have been “sponsored” or at least claimed by Ukraine’s intelligence agencies, but on this occasion none of Kyiv’s special services have so far taken responsibility.
According to its Telegram channel, Silent Crow was formed at the end of 2024. Its activities have attracted the anger of Moscow’s authorities which have forced the closure of its social media channels on four occasions. Its current channel is called “silent crow_reborn.”
The group claimed its first successful cyberattack in January against Russia’s Rosreestr real estate registry, gaining access to and compromising around 2 billion records.
Later that month the group claimed responsibility for an attack on Rostelecom, carried out after accessing the IT systems of one of its contractors, during which it leaked customer information, although the company claimed that no sensitive data was stolen.
In February Silent Crow said it had accessed “DIT” – the central database of citizens of Moscow and the Moscow Region – and published 10 million of the 30 million records it claimed to have dumped.
The Cyberpartisans group was formed in 2022 shortly after the full-scale invasion of Ukraine and describes itself as a “highly organized hacktivist collective that is fighting for the liberation of Belarus from dictatorial rule.”
In March, Silent Crow claimed another attack in partnership with the Cyberpartisans group, this time against Russia’s National Cyber Incident Response Team (CERT). In its Telegram post it happily declared that Silent Crow had “struck at the very heart of the regime’s cyber defense” and that CERT is “The very body that is supposed to stand against people like us [hackers]. It [Moscow] says it is ‘a bastion of cybersecurity’ – in reality, it is an open gateway.”
Silent Crow claimed to have obtained access to CERT’s complete databases, e-mail servers, “and many other interesting materials that you will learn about very soon.” To prove the veracity of its claims, Silent Crow published a link to the cyber-guardians’ website and source code and invited readers to download it adding: “If you find interesting information there, please share it.”
They ended the post by saying “there has been no news from us for a while... We continue to work... Very soon you will see results that speak for themselves.”
On July 20, Silent Crow said it had gained access to Moscow’s Unified Medical Information and Analytical System (EMIAS), taken administrative control, and downloaded 17 TB of data relating to patients and medical staff before disabling access to the system and deleting it along with its backup data storage.
All this came before the group claimed responsibility for Monday’s attack on Aeroflot. According to several Russian IT security experts, the damage could take six months to a year to repair and cost the company as much as $50 million in lost revenue.
Silent Crow categorized the operation as a direct message to Russia’s “so-called ‘cyber defenders’ – you are incapable of protecting even your key infrastructures. To all employees of the repressive apparatus — your digital security is negligible, and you yourselves have long been under surveillance.”
The group signed off with the words “Glory to Ukraine! Long live Belarus!”
The BBC, commenting on the Aeroflot attack and other cyber operations, was skeptical of their actual value, saying: “… their boasts about various cyber-attacks are [rarely] backed up with facts. These gangs are often run by volunteers who target organizations and exaggerate their attacks to make headlines and degrade enemy morale.”
Nevzorov did not share that view of the success of the Aeroflot and other attacks. He wrote: “One way or another, such paralysis turned out to be even more effective and cheaper than drone attacks.
“In addition to transport, pension, energy, postal and other structures will be next in line. They are also tightly interwoven with computer connections that are also completely vulnerable which [our] hackers will still stretch to the fullest, watching the collapse of each of them in turn.”