- Aeroflot’s outage in July was likely an attack on developer Bakka Soft’s supply chain.
- Attackers exploited months of access without 2FA to deploy numerous malicious tools and disrupt flights.
- Damages amount to tens of millions, although The Bell’s report remains unconfirmed and politically sensitive.
The cyber attack on Aeroflot, Russia’s national airline, is believed to be a supply chain attack, as new reports claim it was carried out through a third-party software developer that had access to the airline’s computer network.
At the end of July this year, news of a cyber incident at Aeroflot disrupted the airline’s operations and dozens of flights were canceled. The Kremlin confirmed the attack, while two hacktivist groups, Silent Crow and Cyber Partisans, claimed responsibility. The first is a Ukrainian group, the second is Belarusian.
Today, journalists from a local media outlet called The Bell say the attack was carried out through Bakka Soft, a Moscow-based software development company that worked on Aeroflot’s iOS apps and quality management system. The publication cites two people familiar with the investigation and people close to the company.
Millions in damage
“Suspicious activity” reportedly occurred on Aeroflot’s IT infrastructure in January, about six months before the attack, but the airline did not strengthen its security measures.
Six months later, attackers exploited the same vulnerability and installed 20 malicious tools. The report is rather vague, but it says the company lacked two-factor authentication (2FA) and still had access to Aeroflot’s infrastructure, which allowed the attackers to establish persistence.
Bakka Soft has never confirmed that its systems were hacked and the hacktivists have not revealed how they managed to breach them.
The incident caused the cancellation of more than a hundred flights, the stranding of tens of thousands of passengers, and losses from canceled flights of at least $3.3 million. The total damage from the attack is expected to amount to “tens of millions of dollars”.
The Bell’s report cannot be independently verified at this time. It’s worth noting that the publication was founded in 2017 by Russian journalists (according to The Record) and was labeled a “foreign agent” by the Russian government.
In Russia, the term “foreign agent” means the government’s claim that an organization receives money from abroad and engages in “political activities.” In practice, it’s a stigma: the group must include a warning on all its services, submit additional reports, undergo frequent inspections and risk heavy fines. It is mainly used to put pressure on NGOs, media companies and activists that the state considers undesirable.