Aeroflot Targeted by Belarusian Hackers Using Wiper Malware

Aeroflot, Russia’s state-owned airline, has canceled numerous flights following a cyberattack attributed to a Belarusian hacking collective. The group, known as Silent Crow, announced its successful infiltration and subsequent destruction of the airline’s IT infrastructure, resulting in operational disruptions.
Aeroflot reported that the challenges stemmed from an IT infrastructure failure rather than a mere technical glitch. The Russian Office of the Prosecutor General has initiated a criminal investigation, categorizing the incident as a coordinated cyber assault. The hacktivist group claims to have compromised around 7,000 servers, both physical and virtual, wiping out over 22 terabytes of critical data, including emails and databases.
By noon local time, Aeroflot had to cancel 47 flights out of 123 scheduled at Moscow’s Sheremetyevo International Airport. Despite ongoing Western sanctions, air travel demand within Russia remains substantial, with Aeroflot Group reporting significant passenger numbers last year, securing a dominant position in the local market.
Silent Crow alleges that it first accessed Aeroflot’s systems a year prior and subsequently expanded that access to various critical systems, including SharePoint and Exchange. The group also claims to have harvested sensitive customer data, which it intends to disclose publicly.
In detailing its claim, the group stated that it had accessed numerous server management interfaces, destroyed a large number of servers, and acquired a hefty volume of data. Its declaration included a political statement emphasizing its motivations in the context of the ongoing conflict between Ukraine and Russia.
In addition to disrupting Aeroflot, Silent Crow has historical ties to other attacks against Russian entities, showcasing a pattern of targeting critical infrastructure. Their previous hacks include breaches into major telecommunication providers and government databases, resulting in significant data leaks. The group reportedly rebranded from a former hacking collective that targeted Russian governmental bodies.
The cyber activities of Silent Crow align with several tactics outlined in the MITRE ATT&CK framework, particularly under initial access, where adversaries exploit vulnerabilities or utilize phishing techniques to infiltrate networks. The use of wiper malware indicates a targeted strategy for data destruction and disruption. By employing advanced intrusion tactics and leveraging political motivations, the group exemplifies the evolving landscape of cyber threats associated with state-sponsored aggression.
The situation poses significant implications for the aviation sector and raises alarms about the resilience of critical infrastructures. As businesses globally evaluate their cybersecurity strategies, this incident serves as a stark reminder of the persistent threat posed by cyber actors motivated by geopolitical conflicts.