Source: go.theregister.com – Author: Connor Jones
Exclusive: Aviation insiders say Serbia’s national airline, Air Serbia, was forced to delay issuing payslips to staff as a result of a cyberattack it is battling.
Internal memos, seen by The Register, dated July 10 told staff: “Given the current situation and the ongoing cyberattacks, for security reasons, we will postpone the distribution of the June 2025 payslips.
“The IT department is working to resolve the issue as a priority, and once the conditions allow, the payslips will be sent to your email addresses.”
Staff were reportedly paid their monthly salaries, but access to their payslip PDF was unavailable.
HR warned staff earlier in the day against opening emails that appeared to be related to payslips, or those that mention the staff members’ first and last names “as if you sent them to yourself.”
“We also kindly ask that you act responsibly given the current situation.”
According to other internal comms seen by The Register, Air Serbia’s IT team began emailing staff warning them that it was facing a cyberattack on July 4.
“Our company is currently facing cyberattacks, which may lead to temporary disruptions in business processes,” they read.
“We kindly ask all managers to promptly create a work plan adapted to the changed circumstances, in accordance with the Business Continuity Plan, and to communicate it to their teams as soon as possible.”
The same email communication chain mentioned the company’s IT and security manager issuing a staff-wide password reset and installing security-scanning software on their machines on July 7.
All service accounts were killed at this point, which affected several automated processes, and datacenters were added to a demilitarized zone, which led to issues with users not being able to sync their passwords.
Additionally, internet access was removed for all endpoints, leaving only a certain few whitelisted pages under the airserbia.com domain available.
IT also installed a new VPN client “due to identified security vulnerabilities.”
“We kindly ask you to take this situation seriously and fully cooperate with the IT team,” the memo reads. “Please allow them to install the necessary software as efficiently as possible and carefully follow any further instructions they provide.”
Two days after this, another wave of password resets came, the source said. Instead of allowing users to choose their own, the replacements followed a template from the sysadmins.
On July 11, IT issued a third wave of password resets, and staff were asked to leave their PCs locked but open before heading home for the weekend, so the IT team could continue working on them.
A source familiar with the matter, who spoke to The Register on condition of anonymity, said Air Serbia is trying to clean up a cyberattack that led to a deep compromise of its Active Directory.
As of July 14, the source claimed the airline’s blue team has not fully eradicated the attackers’ access to the company network and is not sure when the attackers broke in, due to a lack of security logs, although it is thought to be in the first few days of July.
The attack at the company, which is government-owned, is likely to have led to personal data compromise, the insider suspects, and some staff expressed concern that the company might not publicly disclose the intrusion.
The source claimed that attackers had been periodically monitoring Air Serbia’s exposed endpoints since the beginning of 2024, at which point murmurs of a breach started to echo around tech forums.
Seemingly separate from the other incidents, Air Serbia batted away a few waves of DDoS attacks earlier this year – it is not uncommon for attackers to probe its systems occasionally. The most recent incident affected the airline’s infrastructure more deeply, our insider claimed.
While the full scale and nature of the attack is yet to be confirmed, the source said they believe malware was involved in the attack and it could be an infostealer.
No ransom payment or extortion demands were made as of Monday, although infostealer infections are increasingly being associated with follow-on ransomware attacks.
The Register contacted Air Serbia and the Serbian government for more information but neither had responded by the time of publication.
The airline registered its most successful year in history last year, announcing in January that it carried a total of 4.4 million passengers – a 6 percent increase compared to 2023, the previous record-setting year.
This is just the latest in a series of recent cyberattacks on aviation. Although none of them have been formally linked other than by sector, experts said last month that Scattered Spider could be behind the raids. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/07/16/air_serbia_cyberattack/