Threat Actor Characterization

Silent Crow

ID: 5968220f513ceae1f0891cc8d9e7eade84195
Hacktivist Group Collective Data Leak Channel Defacement Crew Hacktivism
Threat types: Defacement, Data Leak, Intrusion
Belarus RUS
Updated: 2026-01-19
Created: 2025-10-14
Progress: 63% Completeness: 68% Freshness: 50%
Operation zone: Russia
Aliases
SilentCrow
MITRE ATT&CK®

Silent Crow — pro-Ukrainian hacktivist label publicly credited (with Belarusian Cyber Partisans) for the Aeroflot disruption on 28–29 July 2025; reporting cites months-to-year-long prepositioning, flight cancellations, and claims of extensive data theft and server destruction. Earlier 2025 items link Silent Crow to alleged breaches of Russian state/critical entities (e.g., Rosreestr, Rostelecom). Identity and structure remain opaque in open sources.


Technique | Technique name | Tactics | Evidence
T1498 | Network Denial of Service | TA0040
  • 2025-07-28 — Aeroflot operations disrupted; dozens to 100+ flights canceled; Russian officials acknowledge incident and launch investigation.
  • 2025-07-29 — Follow-on disruption and cancellations; airline says schedule stabilizing while cancellations continue.
  • 2025-07-28 — Independent coverage describes widespread cancellations at Sheremetyevo and beyond; joint claim by Silent Crow + Cyber Partisans.
T1041 | Exfiltration Over C2 Channel | TA0010
  • 2025-07-28 — Joint claim that attackers accessed Aeroflot systems for ~1 year and stole passenger/employee data (scale later reported as multi-TB by media).
  • 2025-08-01 — Coverage of purported Aeroflot data leak activity after the incident.
T1485 | Data Destruction | TA0040
  • 2025-07-28 — Claim of destroying ~7,000 servers inside Aeroflot (reported by multiple outlets quoting the groups’ statements).
  • 2025-07-29 — Additional reports echo server-destruction claims and extensive system damage.
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2025-07-28 — Media cite months to a year of pre-positioned access in Aeroflot’s network (suggests valid accounts/persistence rather than smash-and-grab).
  • 2025-07-30 — Post-incident analysis mentions prior operations and unknown identity; long-dwell narrative persists.
T1190 | Exploit Public-Facing Application | TA0001
  • 2025-01-09 — Claimed breach of Rosreestr and Rostelecom earlier in 2025; vector not specified (public-facing service exploitation plausible). INFERENCE.
Strategic Intelligence
Last updated: 2025-10-16T19:28:36+00:00
Silent Crow — Pro-Ukrainian Hacktivist Label

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Silent Crow is a pro-Ukrainian hacktivist label publicly credited—jointly with the Belarusian Cyber Partisans (BCP)—for the Aeroflot cyber disruption on 28–29 July 2025. Independent coverage and official Russian acknowledgments describe dozens to 100+ flight cancellations, large-scale IT outages, and a criminal investigation. The groups’ statements claimed months-to-a-year of prepositioned access, exfiltration of sensitive data, and destruction of ~7,000 servers; several outlets repeated these points while noting the difficulty of immediate verification. Earlier reporting in January 2025 linked Silent Crow to alleged intrusions at Rosreestr and Rostelecom. The identity and internal structure of Silent Crow remain opaque, and some analysis suggests the name could be a pseudonym/banner rather than a stable organization. Overall, the public record supports credible disruptive impact at Aeroflot, with additional, partly unverified claims about depth of access and destruction. Confidence: medium-high for involvement in Aeroflot disruption; medium/low-to-medium for the broader capability set beyond the airline operation.

  • 2025-01-09. Reporting links Silent Crow to a breach of Rosreestr; mentions prior claim involving Rostelecom (identity remains unclear; possible pseudonym theory). — The Record from Recorded Future
  • 2025-07-28. Aeroflot disruption: Silent Crow + BCP claim responsibility; widespread cancellations reported; Russian authorities acknowledge a cyberattack and open a case. — Reuters
  • 2025-07-29. Stabilization phase: Aeroflot reports operations largely returning to normal while dozens of flights remain canceled. — Reuters
  • 2025-07-30. Aftermath analysis notes prior Silent Crow claims (Rosreestr/Rostelecom) and the group’s unknown identity. — Meduza
  • 2025-08-01. Follow-on stories track purported data leak activity attributed to the attackers. — The Record from Recorded Future
Social Media & Communication
SOCMINT integrated: 0/3

Address Verification SOCMINT
t.me/sil************** Restricted Not integrated
t.me/+F7************** Restricted Not integrated
dumpforrw2i4v2fiqoifakepyfm3qmsl7qwufk4lltgu4e4swij4xsad.onion Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence

Message regarding the access to the central database of citizens of Moscow.
MEGA link with website source code + database as proof of CERT.by