Air Serbia Hit by Major Cyberattack: Internal Systems Disrupted, Active Directory Compromised
Air Serbia has fallen victim to a cyberattack that has significantly disrupted the company’s internal operations. The digital crisis began in the early days of July 2025 and persists to this day. One of the first tangible consequences was the inability to issue June payroll slips—although salaries were disbursed, the corresponding documents remained inaccessible due to a shutdown of automated systems.
According to internal notifications received by employees, the airline's IT department began detecting signs of a targeted attack as early as July 4. In light of the ongoing threat, staff were told to adapt their work plans urgently under the business continuity framework. Particular emphasis was placed on digital hygiene: employees were warned not to open emails masquerading as official correspondence, in particular messages spoofed to appear as though sent from the recipient's own account.
On July 7, the company entered the active response phase. All passwords were reset, internal accounts were disabled, and the data centers were segregated into a demilitarized zone (DMZ), a network segment walled off from the rest of the corporate network by firewalls. These measures triggered password synchronization failures and disrupted numerous automated tasks, the usual side effect when scheduled jobs and sync services depend on credentials that have just been rotated or on network paths that have just been cut. As a protective measure, the company severed internet access for all endpoint devices, allowing only selected pages under the airserbia.com domain to be reached.
New security and scanning software began to roll out across all workstations, followed later by a new VPN client. Two additional waves of password resets followed the initial reset—on July 9 and July 11. During the final reset, employees were instructed to leave their computers powered on and locked at the end of the day, enabling IT personnel to continue mitigation efforts in their absence.
Sources close to the matter claim that the attack compromised critical infrastructure, including Active Directory. If that is accurate, user password resets alone would not evict the intruder: an attacker holding domain credentials or forged Kerberos tickets retains access until the KRBTGT account secret is rotated (twice, since Active Directory continues to honour the previous secret) and any persistence planted in the directory is removed. While the precise nature of the intrusion remains undetermined, suspicions have arisen regarding the deployment of malware, possibly an infostealer (malware designed to harvest credentials and other sensitive information). Notably, no ransom has been demanded, which suggests either an espionage-driven motive or a preparatory phase for further attacks, potentially including ransomware deployment.
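As an added illustration, not Air Serbia's own tooling or procedure (the article does not describe either in that detail), the following PowerShell script stages the kind of response outlined in the paragraphs above: bulk password resets and disabling of internal accounts, plus the KRBTGT rotation that an Active Directory compromise requires. The OU paths, the audit log location and the 10-hour maximum ticket lifetime are assumptions; run it with -WhatIf first so that it only reports what it would change.

```powershell
#Requires -Modules ActiveDirectory
<#
 Added example (not Air Serbia's tooling): staged credential reset after a
 suspected Active Directory compromise. Run with -WhatIf first; it then only
 reports what it would do. OU paths and the audit log path are assumptions.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$UserSearchBase    = 'OU=Staff,DC=corp,DC=example',            # assumed
    [string]$ServiceSearchBase = 'OU=ServiceAccounts,DC=corp,DC=example',  # assumed
    [string]$AuditLog          = 'C:\IR\credential-reset.csv',             # assumed
    [ValidateSet(1, 2)]
    [int]$KrbtgtPhase = 1
)

Import-Module ActiveDirectory

# One random value per account: Base64 of CSPRNG bytes, re-drawn until it holds
# upper, lower and digit characters so the domain complexity policy cannot
# reject it.
function New-RandomPassword {
    param([int]$Length = 24)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $candidate = [Convert]::ToBase64String($bytes).Substring(0, $Length)
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -cmatch '[0-9]')
    return $candidate
}

# Every action is recorded; the article's forensic gap is what happens when it is not.
function Write-AuditRow {
    param([string]$Account, [string]$Action)
    [pscustomobject]@{ Time = (Get-Date).ToString('o'); Account = $Account; Action = $Action } |
        Export-Csv -Path $AuditLog -Append -NoTypeInformation
}

if ($KrbtgtPhase -eq 1) {
    # Step 1: reset every enabled user account and force a change at next logon.
    # PasswordNeverExpires must be cleared first or AD refuses the must-change flag.
    foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $UserSearchBase) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Reset password')) {
            $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $u -Reset -NewPassword $secure
            Set-ADUser -Identity $u -PasswordNeverExpires $false
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
            Write-AuditRow -Account $u.SamAccountName -Action 'UserPasswordReset'
        }
    }

    # Step 2: disable service accounts instead of resetting them blindly. A service
    # account with a silently changed password is exactly what breaks scheduled jobs
    # and sync tasks; disable, inventory the dependants, then rotate and re-enable
    # each one deliberately.
    foreach ($s in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ServiceSearchBase) {
        if ($PSCmdlet.ShouldProcess($s.SamAccountName, 'Disable account')) {
            Disable-ADAccount -Identity $s
            Write-AuditRow -Account $s.SamAccountName -Action 'ServiceAccountDisabled'
        }
    }
}

# Step 3: rotate KRBTGT. User resets do not invalidate Kerberos tickets an attacker
# already holds or forged; only changing the KRBTGT secret does, and AD keeps the
# previous secret valid, so it takes two resets. Phase 1 now; phase 2 only after
# replication has converged and the maximum ticket lifetime (10 hours by default,
# assumed here) has passed, so legitimate tickets expire instead of failing en masse.
# The DC generates its own random KRBTGT password and ignores the supplied value,
# but the cmdlet still requires one.
function Test-KrbtgtReplicated {
    param([datetime]$Since)
    $lagging = foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
        $pls = (Get-ADUser -Identity 'krbtgt' -Server $dc.HostName -Properties PasswordLastSet).PasswordLastSet
        if ($pls -lt $Since) { $dc.HostName }
    }
    return (@($lagging).Count -eq 0)
}

if ($PSCmdlet.ShouldProcess('krbtgt', "Reset KRBTGT password (phase $KrbtgtPhase)")) {
    $before = (Get-Date).AddMinutes(-5)   # margin for clock skew between DCs
    $secure = ConvertTo-SecureString (New-RandomPassword 32) -AsPlainText -Force
    Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword $secure
    Write-AuditRow -Account 'krbtgt' -Action "KrbtgtReset-Phase$KrbtgtPhase"
    # Poll every writable DC until PasswordLastSet is newer than the reset time.
    while (-not (Test-KrbtgtReplicated -Since $before)) { Start-Sleep -Seconds 30 }
    Write-Host "KRBTGT phase $KrbtgtPhase replicated to all writable DCs at $(Get-Date -Format o)"
}
```

Phase 1 resets users, disables the service-account OU and performs the first KRBTGT reset; rerun with -KrbtgtPhase 2 once replication has converged and the maximum ticket lifetime has elapsed. Disabling rather than resetting service accounts is deliberate: it makes each broken dependency visible and reversible instead of leaving a job silently failing against a wrong password.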
What is particularly alarming is the absence of a complete forensic picture—due to missing security logs, the exact moment of the breach cannot be conclusively identified. Insider reports indicate that the attackers had been monitoring vulnerabilities in Air Serbia’s systems since early 2024, with rumors of potential infrastructure compromise already circulating on technical forums at that time.
Earlier in 2025, the airline had contended with DDoS attacks, but this incident is regarded as the most severe to date. Although the investigation is ongoing, some employees have voiced concern that company leadership may refrain from publicly acknowledging the breach, despite potential ramifications for personal data security.
The cyberattack casts a stark contrast to the company’s otherwise stellar performance: in 2024, Air Serbia transported a record 4.4 million passengers—a 6% increase over the previous, also record-setting, year.
Air Serbia and Serbian government authorities have yet to issue an official statement regarding the incident.