Image: Soekarno Omar via Unsplash

Russia’s flagship airline hacked through little-known tech vendor, according to new report

A cyberattack that forced Russia’s flagship airline to cancel dozens of flights this summer was linked to a little-known Moscow software developer that had maintained access to the carrier’s internal systems, according to a new investigation.

The report by the independent outlet The Bell, which is designated a “foreign agent” in Russia, is based on interviews with anonymous sources close to the company and involved in the incident’s investigation. It offers the most detailed account to date of what has become one of the largest cyberattacks in Russia since the full-scale invasion of Ukraine began.

The breach, which was claimed by the pro-Ukrainian hacker collective Silent Crow and the allied Belarusian Cyber-Partisans, paralyzed Aeroflot’s operations, grounding more than a hundred flights and stranding tens of thousands of passengers. Losses from flight cancellations alone were estimated at no less than $3.3 million, with total damages running into the tens of millions of dollars.

At the center of the breach, according to The Bell, was Bakka Soft, a small and largely obscure mobile-app development firm headquartered in Moscow. The company, which has worked on Aeroflot’s iOS apps and quality-management systems, also counts several high-profile Russian enterprises among its clients, including government agencies, nickel and palladium producer Norilsk Nickel, steelmaker EVRAZ and major retailer X5.

Recorded Future News cannot independently verify the report from The Bell, which was founded in 2017 by Russian journalists.

Two people familiar with the forensic findings told The Bell that suspicious activity was first detected in January — six months before the July attack. Despite that discovery, Aeroflot did not significantly tighten contractor-related security, the sources said. Hackers allegedly re-entered through the same contractor in May and by midsummer had established persistent access inside the airline.

Once inside, the attackers allegedly moved into the company’s Active Directory environment, obtained high-privilege accounts, and deployed roughly two dozen malware tools.

A technical report prepared by incident-response teams from several Aeroflot contractors concluded that the hackers gained entry because the company lacked two-factor authentication on some terminal servers and because Bakka Soft maintained remote access into Aeroflot’s infrastructure, The Bell reported.

Bakka Soft never publicly acknowledged any breach of its systems. The Belarusian Cyber-Partisans refused to disclose details of their operation to The Bell. Inside Aeroflot, employees received no additional information about the attack beyond vague media reports, according to the outlet’s sources.

Both Ukrainian and Russian groups have previously exploited vulnerabilities in smaller IT providers to reach major government and corporate networks. In Ukraine, for instance, an attack on the Ministry of Justice’s registries earlier this year began with a breach of the state enterprise NAIS, which maintained the ministry’s systems. A major 2022 compromise of dozens of Ukrainian government websites stemmed from a single private IT company responsible for building them.

Russia’s state telecom giant Rostelecom faced a similar issue in January, when Silent Crow breached one of its contractors and leaked data from its websites. In early December, a senior Rostelecom executive said the company had since tightened security requirements for partners and vendors.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.