TL;DR: Silent Crow’s claimed Aeroflot intrusion coincided with flight cancellations, loss of online services, and alleged theft of internal data after a year of reconnaissance and foothold time, according to Swarmnetics. The pattern shows how long-dwell intrusions can convert access into operational disruption, data exposure, and manual fallback under pressure.
NHIMG editorial — based on content published by Swarmnetics: First Drones, Then Cyber Attacks; Aeroflot Under Siege From Ukrainian Hackers
Questions worth separating out
Q: What breaks when attackers keep access for weeks or months before acting?
A: The main failure is not the initial compromise, it is the organisation’s inability to shorten the time between foothold and containment.
Q: Why do prolonged intrusions create larger outages than fast attacks?
A: Because attackers use time to turn limited access into broad reach.
Q: How do security teams know whether persistence controls are actually working?
A: Look for shrinking dwell time, faster invalidation of old sessions, and fewer accounts that remain active outside their intended task scope.
Practitioner guidance
- Map the standing foothold window Identify how long privileged or semi-privileged access can persist before review, revocation, or forced reauthentication.
- Separate recovery paths from active identity systems Test whether manual operations, backup restoration, and emergency administrative access can function if production identity services are compromised or unavailable.
- Reduce lateral reach across business and infrastructure layers Review whether user accounts, support roles, and administrator paths can reach both operational applications and sensitive data stores.
What's in the full analysis
Swarmnetics' full article covers the operational detail this post intentionally leaves for the source:
- The reported timeline of the Aeroflot disruption and the sequence of cancellations, delays, and service restoration.
- The article's discussion of Silent Crow's claimed year-long reconnaissance and foothold inside the environment.
- The specific allegations about server destruction, internal communications, and customer database theft.
- The broader wartime context that shapes why aviation and critical infrastructure are being targeted.
👉 Read Swarmnetics' analysis of the Aeroflot cyberattack and claimed disruptions →
Aeroflot outage after long-dwell intrusion: what should defenders watch?
Explore further
Long-dwell intrusion is a governance failure, not just a detection failure. When an attacker can remain in an environment for months, the issue is usually that the organisation lacks effective lifecycle controls for privileged access, not that one alert was missed. Detection matters, but durable footholds expose gaps in review cadence, revocation speed, and internal segmentation. The practitioner conclusion is that persistence windows must be treated as a control failure in their own right.
A question worth separating out:
Q: Who is accountable when an intrusion becomes a service outage and data theft event?
A: Accountability usually spans security, identity governance, infrastructure operations, and business continuity leadership, because the failure crosses detection, privilege control, and recovery. Frameworks such as NIST CSF and NIST SP 800-53 place responsibility on access control, monitoring, and recovery planning, which means the incident cannot be treated as a security team problem alone.
👉 Read our full editorial: Aeroflot cyberattack shows how long-dwell intrusions turn into outage risk