Air Serbia has been grappling with a severe cyberattack that began around July 4, causing considerable operational turmoil for the government-owned airline. Initially, internal communications to staff indicated “temporary disruptions in business processes” due to the cyberattacks, urging managers to adapt work plans according to their Business Continuity Plan. This early warning signaled the start of what would become a complex and protracted security incident for the airline.
The airline’s IT department swiftly implemented a series of escalating security measures in response to the perceived threat. On July 7, a company-wide password reset was initiated, accompanied by the installation of security-scanning software on employee machines. Furthermore, all service accounts were terminated, affecting automated processes, and datacenters were moved to a demilitarized zone, creating issues with password synchronization. Internet access was also severely restricted, with only a few whitelisted pages under the airserbia.com domain remaining accessible, and a new VPN client was rolled out due to identified vulnerabilities.
Despite these efforts, the cyberattack continued to impact internal operations. By July 10, an internal memo informed staff that the distribution of June 2025 payslips would be postponed for security reasons, although salaries were paid. This highlighted the direct impact on employee services. Staff were also cautioned against opening suspicious emails, particularly those impersonating payslip-related communications, indicating a concern about phishing attempts or further compromise.
The severity of the attack became clearer as more drastic measures were taken. On July 12, a second wave of password resets was enforced, with sysadmins dictating the new passwords. This was followed by a third wave on July 11, where staff were asked to leave their PCs unlocked overnight for IT to continue remediation efforts. These repetitive and intrusive actions underscore the persistent nature of the threat and the challenge faced by Air Serbia’s security teams.
As of July 14, sources indicate that Air Serbia’s “blue team” was still struggling to fully remove the attackers’ access from the network. A significant concern is the suspected deep compromise of the airline’s Active Directory and a lack of security logs, making it difficult to ascertain when the attackers initially breached the system. There are also fears among some staff and insiders that the incident may have led to the compromise of personal data, and that the company might not publicly disclose the full extent of the intrusion.
Reference:
