At a glance.
- Russian airline disrupted by alleged hacktivist attack.
- Scattered Spider targets VMware ESXi hypervisors via social engineering.
- US National Reconnaissance Office confirms breach of unclassified data.
Russian airline disrupted by alleged hacktivist attack.
Aeroflot, Russia's largest airline, cancelled dozens of flights this morning following IT issues that were reportedly caused by a hacktivist attack. Reuters says the Silent Crow and Cyberpartisans BY hacktivist groups claimed responsibility for the attack, stating on Telegram that they compromised the airline's systems over a year ago and destroyed thousands of servers. It's worth noting that these claims are unverified, and hacktivists tend to exaggerate. These two groups claim to act in the interests of Ukraine and Belarus, respectively.
Aeroflot said in a statement, "There was a failure in the airline's information systems. Service interruptions are possible. In this regard, a forced adjustment to the flight schedule is expected, including by postponing and canceling."
Scattered Spider targets VMware ESXi hypervisors via social engineering.
The Scattered Spider criminal gang is using "aggressive" social engineering attacks to target IT help desks in order to compromise organizations' VMware ESXi hypervisors, according to researchers at Google's Threat Intelligence Group. The attackers request password resets for Active Directory accounts, then use this access to work their way into the victim's VMware vCenter Server Appliance (vCSA).
The researchers explain, "After using social engineering to compromise one or more user accounts, they manipulate trusted administrative systems and use their control of Active Directory as a launchpad to pivot to the VMware vSphere environment, thus providing an avenue to exfiltrate data and deploy ransomware directly from the hypervisor. This method is highly effective as it generates few traditional indicators of compromise (IoCs) and bypasses security tools like endpoint detection and response (EDR), which often have limited or no visibility into the ESXi hypervisor and vCenter Server Appliance."
Google adds that Scattered Spider "operates with extreme velocity," moving from initial access to data exfiltration and ransomware deployment within hours. The threat actor has recently been targeting entities in the retail, airline, and insurance industries.
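The chain Google describes (help-desk password reset in Active Directory, then the same account appearing on vCenter within hours) is exactly the kind of cross-source pattern a SIEM rule can catch even when EDR sees nothing on the hypervisor. The following is an added illustration, not code from the report or from Google: a small correlation function over a constructed, normalized event feed; the field names, host names and sample log lines are assumptions, standing in for mapped Windows Security event 4724 (account password reset) and vCenter SSO login records.

```python
# Added example: correlate AD password resets with later vSphere logins by the
# same account. Schema and sample events are constructed for this illustration;
# a real deployment would normalize Windows event 4724 and vCenter SSO login
# events into a form like this before running the rule.
from datetime import datetime, timedelta

RESET_WINDOW = timedelta(hours=24)  # assumption: the pivot follows the reset within a day

# Constructed, normalized events. "subject" is the acting account, "target" the
# account whose password was reset (None for logins). ts is ISO-8601 UTC.
SAMPLE_EVENTS = [
    {"ts": "2025-07-28T08:02:11Z", "source": "windows-dc01", "action": "password_reset",
     "subject": "helpdesk.svc", "target": "jsmith"},
    {"ts": "2025-07-28T08:40:03Z", "source": "vcenter01", "action": "sso_login",
     "subject": "jsmith", "target": None, "src_ip": "203.0.113.45"},
    {"ts": "2025-07-28T09:15:30Z", "source": "windows-dc01", "action": "password_reset",
     "subject": "helpdesk.svc", "target": "mlee"},
    {"ts": "2025-07-30T11:00:00Z", "source": "vcenter01", "action": "sso_login",
     "subject": "mlee", "target": None, "src_ip": "10.0.5.7"},      # outside the window
    {"ts": "2025-07-28T10:00:00Z", "source": "vcenter01", "action": "sso_login",
     "subject": "vsphere.admin", "target": None, "src_ip": "10.0.5.9"},  # no prior reset
]

def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def correlate_reset_to_vsphere(events, window=RESET_WINDOW):
    """Return one alert per (password reset, later vCenter login) pair for the same account."""
    resets = [e for e in events if e["action"] == "password_reset"]
    logins = [e for e in events
              if e["action"] == "sso_login" and e["source"].startswith("vcenter")]
    alerts = []
    for r in resets:
        r_ts = _parse(r["ts"])
        for l in logins:
            l_ts = _parse(l["ts"])
            # Same account, login after the reset, and inside the correlation window
            if l["subject"] == r["target"] and r_ts <= l_ts <= r_ts + window:
                alerts.append({
                    "account": r["target"],
                    "reset_by": r["subject"],
                    "minutes_to_vsphere_login": int((l_ts - r_ts).total_seconds() // 60),
                    "login_src_ip": l.get("src_ip"),
                })
    return alerts

if __name__ == "__main__":
    for alert in correlate_reset_to_vsphere(SAMPLE_EVENTS):
        print(alert)
```

On the constructed feed only jsmith trips the rule; mlee's login falls outside the window and vsphere.admin had no preceding reset, which is the noise a reset-only or login-only rule would otherwise raise.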
US National Reconnaissance Office confirms breach of unclassified data.
The US National Reconnaissance Office (NRO), which operates the US government's spy satellites, has disclosed a breach of its acquisition portal, the Washington Times reports. The portal is unclassified, but is used by the CIA and other agencies to submit information about sensitive contracts. The Times cites a source familiar with the matter as saying the hackers accessed data related to the CIA's Digital Hammer program, which focuses on surveillance and counterintelligence related to Chinese threat activity.
The NRO told the Register in a statement, "We can confirm that an incident involving our unclassified Acquisition Research Center (ARC) website is currently being investigated in collaboration with federal law enforcement. We do not comment on ongoing investigations." It's unclear if the breach was caused by the recently disclosed Microsoft SharePoint vulnerability (CVE-2025-53770), which was used by Chinese threat actors to compromise multiple US government entities.