- The July Aeroflot outage was most likely a supply chain attack carried out through the airline's software contractor Bakka Soft, according to The Bell.
- Attackers reportedly reused access first gained months earlier, unprotected by 2FA, to deploy extensive malware and disrupt flights.
- Damages reached tens of millions of dollars, although The Bell's report remains unverified and politically sensitive.
The cyber attack on Aeroflot, Russia's leading airline, is now believed to have been a supply chain attack: new reports claim it was carried out through a third-party software developer with access to the carrier's IT network.
At the end of July this year there was news of a cyber incident at Aeroflot that disrupted the carrier's operations and led to the cancellation of dozens of flights. The Kremlin confirmed the attack, and two hacktivist groups, Silent Crow and Cyberpartisans, claimed responsibility; the first is Ukrainian, the second Belarusian.
Now journalists from the Russian news outlet The Bell claim that the attack was carried out through Bakka Soft, a Moscow-based software development company that worked on Aeroflot's iOS apps and quality management systems. The publication cites two people familiar with the investigation, as well as people close to the company.
Millions in losses
According to the report, “suspicious activity” in Aeroflot’s IT infrastructure was first observed in January, about six months before the attack, but the airline did not tighten its security measures in response.
Six months later, the attackers exploited the same weakness and installed some two dozen malware tools. The report is vague on the details, but it states that Bakka Soft did not use two-factor authentication (2FA) and retained standing access to Aeroflot's infrastructure, which allowed the attackers to establish persistence. It does not say whether the missing 2FA was on the contractor's own systems or on its connection to the airline's network.
Bakka Soft has never confirmed that its systems were breached, and the hacktivists have been reluctant to reveal how they got in.
As a result of the incident, more than a hundred flights were canceled, tens of thousands of passengers were stranded, and losses from flight cancellations amounted to at least $3.3 million. The total damage from the attack was likely “tens of millions of dollars.”
The Bell's report cannot be independently verified at this time. It is worth noting that the publication was founded in 2017 by Russian journalists (according to The Record) and has been designated a “foreign agent” by the Russian government.
In Russia, the “foreign agent” label means the government claims the organization receives money from abroad and is involved in “political activities.” In practice, it is a stigma: the organization must mark all of its publications with a warning, file additional reports, submit to frequent audits, and risk hefty fines. The label is mainly used to put pressure on non-governmental organizations, media outlets and activists that the state considers undesirable.
Via The Record
Follow TechRadar on Google News. And add us as your preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the “Subscribe” button!