By Alexander Marrow and Gleb Stolyarov
(Reuters) -Russian airline Aeroflot cancelled dozens more flights on Tuesday but said it had now stabilised its schedule after a major cyberattack a day earlier, and the transport ministry said the issue had been resolved.
Two pro-Ukraine hacking groups claimed on Monday to have carried out a year-long operation to penetrate Aeroflot’s network. They said they had crippled 7,000 servers, extracted data on passengers and employees and gained control over the personal computers of staff, including senior managers.
Aeroflot’s online timetable showed about 25 flights out of Moscow’s Sheremetyevo airport had been cancelled on Tuesday, mostly overnight and through the morning. Nearly all afternoon and evening flights were due to take off, though dozens were delayed.
Interfax news agency said 31 inbound flights to the capital had been cancelled.
Aeroflot said it had “stabilised” its flight programme. The transport ministry said in a statement: “Thanks to the efforts of Aeroflot employees, with the active support of Sheremetyevo services, the problem that arose was resolved in the shortest possible time.”
The ministry described the issue as “a failure in the IT infrastructure”. It did not refer to it as a cyberattack, although prosecutors have said they are investigating it as such.
Responsibility was claimed by the Belarusian Cyber Partisans, a long-established group that opposes President Alexander Lukashenko, and by a more shadowy and recent hacking outfit that calls itself Silent Crow.
‘SAVING FACE’
Yuliana Shemetovets, a spokesperson for the Cyber Partisans, said Aeroflot was likely working with costly manual systems in order to maintain the appearance of business as usual. The ministry statement said there had been a “transition to domestic systems”.
“Without IT systems the company can work manually like in the old days when flight tickets cost more than $1K,” Shemetovets told Reuters. “It would just be unprofitable, meaning the company would keep sustaining losses just to save face.”
She said that Aeroflot’s CEO had not changed his password since 2022 and that the company was using an outdated version of Windows software. Some workers had passwords saved in a Word document on their computers, she added.
Reuters could not independently confirm those details and has approached Aeroflot for comment.
Aeroflot’s shares were up 1.36% on Tuesday, recovering some ground after slumping to their lowest mark since late 2024 on Monday.
Russian lawmakers said the cyberattack was a wake-up call and that investigators should focus not only on the perpetrators but on those who had allowed it to happen.
Mikhail Klimarev, director of the Internet Protection Society, a Russian digital rights group, said it was a serious episode that showed cybercriminals were learning “best practice” from around the world while Russian companies were hampered in their response because of sanctions.
“It’s like with viruses: If you don’t communicate with people who have the flu, you have no immunity,” he told Reuters.
Klimarev said Russian security services had dropped the ball, and the incident highlighted a failure of the technical systems that are meant to allow them to counter such threats.
He said there was a grave safety risk as the hackers could hypothetically have exploited their access to Aeroflot systems in order to change data and cause planes to crash.
(Additional reporting and writing by Mark Trevelyan; editing by Mark Heinrich)
