Aeroflot’s July Cyberattack Likely Stemmed from Supply-Chain Breach via Bakka Soft
In late July, Russia’s flagship airline, Aeroflot, suffered a major cyberattack that disrupted operations and grounded dozens of flights. The Kremlin acknowledged the incident, while two hacktivist groups—Ukrainian-linked Silent Crow and Belarusian Cyberpartisans—claimed responsibility.
New reporting from Russian outlet The Bell suggests the attack was a supply-chain breach, originating from Bakka Soft, a Moscow-based software developer with access to Aeroflot’s IT network. The company had worked on the airline’s iOS apps and quality management systems. According to sources close to the investigation, attackers exploited a vulnerability left unaddressed since January, when suspicious activity was first detected. Aeroflot reportedly failed to implement two-factor authentication (2FA) or revoke Bakka Soft’s access, allowing attackers to deploy over two dozen malware tools and establish persistence.
The attack led to over 100 canceled flights, tens of thousands of stranded passengers, and direct losses of at least $3.3 million. Total damages are estimated in the tens of millions. Neither Bakka Soft nor the hacktivist groups have confirmed the breach method.
The Bell’s report remains unverified, and the outlet—founded in 2017 by Russian journalists—has been labeled a "foreign agent" by the Russian government, complicating independent validation. The designation imposes legal and operational restrictions, often targeting media critical of the state.
Source: https://www.techradar.com/pro/security/russian-airline-hack-came-through-third-party-tech-vendor
Information Design cybersecurity rating report: https://www.rankiteo.com/company/information-design-one-ag
{
  "id": "INF1765483620",
  "linkid": "information-design-one-ag",
  "type": "Cyber Attack",
  "date": "7/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "Tens of thousands of passengers",
      "industry": "Aviation/Transportation",
      "location": "Russia",
      "name": "Aeroflot",
      "size": "Large (flagship airline)",
      "type": "Airline"
    }
  ],
  "attack_vector": "Third-party software developer (Bakka Soft)",
  "date_detected": "2023-07",
  "date_publicly_disclosed": "2023-07",
  "description": "Attackers exploited months-old access, lacking 2FA, to deploy extensive malware and disrupt Aeroflot's flights. The incident was allegedly a supply-chain attack via Bakka Soft, a Moscow-based software developer with access to Aeroflot's IT network. The attack resulted in grounded flights, stranded passengers, and financial losses amounting to tens of millions of dollars.",
  "impact": {
    "brand_reputation_impact": "Likely significant (disruption of flagship airline operations)",
    "financial_loss": "Tens of millions of dollars",
    "operational_impact": "Over 100 grounded flights, tens of thousands of passengers stranded",
    "revenue_loss": "$3.3 million (flight cancellations)",
    "systems_affected": "Aeroflot’s IT network, iOS apps, quality management systems"
  },
  "initial_access_broker": {
    "backdoors_established": "Yes (persistent access)",
    "entry_point": "Bakka Soft (third-party developer)",
    "high_value_targets": "Aeroflot’s IT network, iOS apps, quality management systems",
    "reconnaissance_period": "January 2023 (suspicious activity detected)"
  },
  "investigation_status": "Ongoing (unverified report)",
  "lessons_learned": "Lack of 2FA and persistent third-party access can lead to supply-chain attacks. Early detection of suspicious activity is critical to prevent escalation.",
  "motivation": "Hacktivism (political/geopolitical)",
  "post_incident_analysis": {
    "root_causes": [
      "Lack of 2FA for third-party access",
      "Persistent access granted to Bakka Soft without adequate monitoring",
      "Failure to act on early signs of suspicious activity (January 2023)"
    ]
  },
  "recommendations": [
    "Implement multi-factor authentication (MFA/2FA) for all third-party access",
    "Monitor and audit third-party vendor access to critical infrastructure",
    "Enhance detection capabilities for suspicious activity",
    "Segment networks to limit lateral movement",
    "Conduct regular security assessments of third-party vendors"
  ],
  "references": [
    { "source": "The Bell" },
    { "source": "The Record" },
    { "source": "TechRadar" }
  ],
  "threat_actor": ["Silent Crow", "Cyberpartisans"],
  "title": "Aeroflot July Outage - Supply-Chain Attack via Bakka Soft",
  "type": "Supply-Chain Attack",
  "vulnerability_exploited": "Lack of two-factor authentication (2FA), persistent access to Aeroflot’s infrastructure"
}