[BreachExchange] Top US aerospace services provider suffers breach, loses 1.5 TB of data

Destry Winant destry at riskbasedsecurity.com
Tue Jun 9 09:37:28 EDT 2020


The hackers behind this breach are Maze ransomware operators, who also
leaked some of the company’s data as proof of the hack.

The Texas-based aerospace services provider VT San Antonio Aerospace
(VT SAA) has become a victim of a ransomware attack. The group behind
the breach is claiming it stole 1.5 terabytes of sensitive
organizational data from the company’s network.

It is worth noting that VT SAA is a subsidiary of Singapore-based
engineering, defense, and technology firm ST Engineering that
specializes in marine, land, and aerospace electronics. The vice
president and general manager of the firm, Ed Onwe, stated that,

“A sophisticated group of cybercriminals, known as the Maze group,
gained unauthorized access to our network and deployed a ransomware

It is worth noting that just a couple of days ago the same group had
leaked sensitive data it stole from a US nuclear contractor. As for
the latest breach, VT SAA’s systems were attacked for the first time
on March 7 and the second time in May.

The company discovered the data breach because of “renamed files and
associated ‘DECRYPT-FILES.txt’ located in the same folder as encrypted

For the next three days, the company remained busy inspecting the
scope of the security breach and recovering the lost data. The company
was able to contain the infection and identified that it mainly
targeted some of ST Engineering’s US commercial operations.

Although it is unclear exactly what data was stolen, the breach may
include exclusive contract details the company has signed with
different governments, organizations like NASA, and airlines including
American Airlines.

Moreover, the leaked data may also include sensitive data such as
project implementation plan details, timelines, schedules, type of
parts/equipment, and financial records. Hackread.com has seen the
sample data leaked by the group but did not access or analyze it.

Maze ransomware operators claim that before deploying the payload and
encrypting the company’s servers, they stole 1.5 TB of unencrypted data
to pressure VT SAA into paying the ransom.

When the attack was discovered, VT SAA immediately responded by taking
certain systems offline, initiating an investigation with the help of
leading forensic advisors, and notifying law enforcement authorities.

Maze ransomware can be embedded into phishing emails. As soon as it
infects a machine, it starts the file encryption process, and the
attackers demand a ransom. If their demands are not met, the group
starts leaking data.
