Rosaviatsia switches to pigeon mail

The agency suffered a hacker attack.
According to unofficial data, Rosaviatsia was hit by a hacker attack on March 26, as a result of which data may have been lost. The department was even forced to switch to paper mail. According to experts, the attack could have followed the “man in the middle” scheme, in which the attackers compromise one of the victim's partners and communicate with the victim on that partner's behalf. In recent years, Rosaviatsia's contractor for the operation of IT infrastructure has been InfAvia LLC.

The powerful hacker attack carried out on March 26 on the IT infrastructure of the Federal Air Transport Agency was reported by the Aviatorshchina Telegram channel, citing a source in the department. According to the source, approximately 65 TB of data was destroyed: all document flow and files on servers were erased, the Gosuslugi system was deleted, and all incoming and outgoing letters for a year and a half were lost. A search is underway for the register of aircraft and aviation personnel.

According to the source, the Prosecutor General's Office and the FSB are investigating the incident.

The Telegram channel also published a screenshot of a message from the head of the Federal Air Transport Agency, Alexander Neradko, stating that, due to the lack of Internet access and a failure in the electronic document management system, the agency is switching to paper document management, courier mail and Russian Post.

The Federal Air Transport Agency did not respond to Kommersant's request, but two sources close to the service confirmed that there was a problem and that a hacker attack had taken place. They specified that specialists are now working on restoring access to the servers. “Presumably, they managed to return access to e-mail, in the near future they expect to fully restore access to data storages,” our source said.

The Federal Air Transport Agency does not have backup copies, “since the Ministry of Finance did not allocate money for this,” the Telegram channel's source claims. According to him, the attack occurred due to poor performance of contractual obligations by InfAvia LLC, which operates the IT infrastructure of the Federal Air Transport Agency.

According to SPARK-Interfax, the Federal Air Transport Agency is the main customer of InfAvia LLC: since 2017, the agency has concluded more than 40 contracts with the company for 62.6 billion rubles, which is more than 90% of the company's total number of contracts. InfAvia did not respond to Kommersant's request.

The situation resembles a man-in-the-middle (MitM) class attack, in which attackers compromise the corporate mail of one of the company's partners and continue to correspond with the company on that partner's behalf, including issuing invoices.

“The victim continues to communicate with the attackers as with a trusted supplier, including paying bills and transferring funds,” explained Alexander Dvoryansky, director of special projects at Angara Security. Attacks on the fuel and energy complex and the aviation industry, for example, were carried out in a similar way; Kommersant wrote about them on September 30, 2021.

According to Mr. Dvoryansky, organizations at the level of Rosaviatsia, as a rule, create backup copies of significant resources every few hours automatically, thanks to which the system can be restored in a short time. For passengers, the failure is unlikely to be noticeable, and for airlines it will become “a signal for extraordinary testing of their information systems and communication channels for fault tolerance and security against hacker attacks,” Mr. Dvoryansky believes.

Rosaviatsia is a critical information infrastructure facility and is obliged to follow the regulations and create backups. “Any sane IT specialist understands this, and working differently means sitting on a powder keg,” says Luka Safonov, CEO of Cyberpolygon. If the fact of a hacker attack is confirmed, then it can be confidently considered one of the largest targeted attacks in recent times, he notes.

Such an attack could only have been carried out by a high-level professional, Mr. Safonov believes. According to him, hackers on foreign shady forums have joined forces. “If earlier they were looking for vulnerabilities separately, now they throw off all the information in the forum threads and use the expertise of all participants to strengthen the attack,” the expert believes. He emphasizes that “the internet does not remember such unprecedented actions.”