
Escalation in Cyberspace: What the Aeroflot Attack Reveals
By Oleg Shakirov, Visiting Scholar at the Fletcher School
The cyberattack on Aeroflot highlighted the vulnerability of modern infrastructure, which only worsens when the internet becomes a front in an international conflict. At the same time, notes Oleg Shakirov, a graduate student at Johns Hopkins University and the author of the “Cyberwar” Telegram channel, international practice has yet to develop models that allow states or associated hacker groups to guarantee that they will not attack online.
Attack on schedule
On July 28, Aeroflot announced a “schedule adjustment” due to a failure in its information systems. Over the course of 24 hours, the airline canceled or delayed 42% of its flights, including 54 return flights from Moscow. The impact of the failure was felt at Sheremetyevo Airport, where a large crowd of passengers congregated in the first hours after the incident.
Although Aeroflot is not disclosing details, the collapse was apparently caused by a cyberattack. Initially, two hacker groups claimed responsibility for the breach: the Belarusian Cyberpartisans and the pro-Ukrainian Silent Crow. The Prosecutor General’s Office then officially blamed the outage on a hacker attack and opened a case under Article 272 of the Criminal Code, which deals with unauthorized access to computer information.
Aeroflot managed to stabilize its schedule relatively quickly. By Tuesday, July 29, the company reported operating all scheduled flights. Full restoration of the airline’s digital infrastructure will likely take significantly longer. Meanwhile, the incident resulted in losses due to flight cancellations and delays, and negatively impacted Aeroflot’s share price. Furthermore, it could have legal consequences for the company if law enforcement authorities deem its anti-hacker measures insufficient.
Given Aeroflot’s central role in Russian civil aviation and the seriousness of its consequences, this cyberattack can be considered one of the largest in recent years. Its lessons should be considered not only from an information security perspective but also through the lens of international politics.
Inevitable vulnerability
For now, outside observers can only speculate about how exactly the attack on Aeroflot was carried out. The airline itself remains completely silent. The “Cyber Partisans BY” group claimed the attack was made possible by the airline’s employees’ neglect of basic password security and the use of outdated versions of Windows operating systems in its infrastructure. However, the attackers’ claims should be treated with caution.
The success of a cyberattack and the extent of the damage it causes depend on technical, organizational, and human factors. It is virtually impossible to completely rule out errors or abuses that could be exploited by attackers, especially in a large, multi-faceted organization with a diverse infrastructure.
The Aeroflot case is significant in that the hackers’ target this time was a company that had seemingly spared no expense on digital security. According to its June sustainability report, Aeroflot invested nearly 860 million rubles in cybersecurity last year. The company invested in protection against both mass and targeted attacks and also contracted for an external comprehensive audit of its measures. Furthermore, Aeroflot was actively pursuing software import substitution—a requirement for critical information infrastructure operators, among other things, for security reasons.
If even with such an exemplary approach—at least on paper—the airline remains vulnerable to attackers, what can we say about other, less well-off and less cyber-aware organizations?
There’s a popular belief among information security experts that the attacker inevitably has an advantage over the defender: to prevent a hack, defenses must always be 100% effective, while a single successful attack is enough for an attacker.
If complete protection is impossible, how best to prioritize? In recent years, the Ministry of Digital Development and Communications and some industry representatives have promoted an approach built around the concept of an “unacceptable event”—one that disrupts an organization’s operations or leads to catastrophic consequences. What constitutes unacceptable is up to each individual to determine. The attack on Aeroflot provides an excellent illustration of this approach. Flight cancellations are clearly more unacceptable for the carrier than non-functioning passenger loyalty cards. Equally important is how quickly an organization can restore operations after an incident. Aeroflot was able to avoid a prolonged collapse, likely in part due to its incident response training.
The example of the cyberattack that disrupted air travel across the country, as well as numerous other incidents with material consequences, should motivate Russian companies to take information security more seriously. However, discussing this solely in organizational and technical terms without considering the international political context is pointless.
The logic of cyberwar
Cyberwarfare has been a subject of debate among researchers for many years, and there is no universally accepted definition. However, from a practical standpoint, there is no doubt that a significant portion of cyberattacks on Russian—as well as Ukrainian—organizations are carried out within the context of military logic. The vulnerability of potential targets is exacerbated by the fact that they are targeted by highly motivated and experienced attackers.
Adversaries’ cyber activities can pursue various goals: espionage, disruption of the ability to conduct combat operations or produce weapons and military equipment, theft of funds, and information manipulation. Attacks like the one on Aeroflot, according to the attackers, are aimed at increasing costs for the victim companies and the Russian economy as a whole. Furthermore, they are accompanied by media activity, meaning they are also aimed at influencing public opinion.
A distinctive feature of cyberwarfare is the diverse composition of its participants. These range from intelligence agencies—the Main Intelligence Directorate of the Ukrainian Ministry of Defense has officially claimed responsibility for some cyberattacks on Russia—to groups and individual hackers with less formal affiliations with government agencies, or none at all.
The diversity of participants is also reflected in the choice of targets. Some victims may be targeted almost by accident, simply because hackers were able to gain access to their infrastructure through a vulnerability in popular software.
However, the most damaging attacks are on organizations that are central to their respective industries, on services with a large customer base, or on those that support the business processes of other companies. In this sense, transportation is clearly an attractive target for attackers. Previously, Ukrainian cyberattacks targeted Russian Railways and the Leonardo ticket booking system. In Ukraine, one of the most significant cyberattacks of 2025 was the disruption of the infrastructure of Ukrainian Railways—the main mode of transport under closed skies. Other infrastructure sectors, such as banking, energy, communications, information technology, and government services, are of interest to attackers for similar reasons.
Therefore, it makes sense to consider individual attacks in the overall context of the conflict. Although the cyberattack situation in Russia is rhetorically recognized as an emergency, in practice, cyberattacks are countered not according to a national defense model, but through the efforts of each individual organization.
Yes, the state has tools to help defend against hacker groups, including the State System for Detection, Prevention, and Mitigation of Consequences of Computer Attacks (GosSOPKA), the FSTEC vulnerability reporting system, and the National DDoS Attack Countermeasures System launched last year. However, the state primarily acts as a regulator, not a protector, and Russia is not much different from most countries in this regard. Nevertheless, this means that the responsibility for protecting against cyberwarfare ultimately rests with companies.
While ensuring the information security of individual organizations requires them to take adequate technical and organizational measures, addressing cyberwarfare issues lies within the political realm and is the unconditional responsibility of the state. This is possible within the framework of a future conflict resolution, although there are no ready-made templates for agreements prohibiting or limiting malicious actions in cyberspace. As the conflict continues, its cyberwar component will also continue, and it will be impossible to insulate ourselves from it solely through defense measures.
(This post is republished from Forbes.)