ST Engineering US subsidiary hit with criminal ransomware attack

VT San Antonio Airspace vice-president Ed Onwe said the company disconnected systems, informed law enforcement and retained forensic advisers. PHOTO: PEXELS

Singapore-based ST Engineering Aerospace's US subsidiary has suffered a massive ransomware attack, resulting in the exposure of confidential data such as contract details with various governments, government-related organisations and airlines.

Cyber-security firm Cyfirma said in a June report that hackers exfiltrated about 1.5 terabytes of data, which could have been stolen as early as in March.

Its initial investigation revealed that some 50 megabytes of leaked data went on the dark web and public forums as the US unit, VT San Antonio Aerospace, might not have paid the ransom, Cyfirma's founder and chief executive Kumar Ritesh told The Straits Times.

VT San Antonio Aerospace - which provides maintenance, repair and overhaul services to aircraft - acknowledged that the attack was carried out by a sophisticated group of cyber criminals, known as the Maze group.

In a statement on Friday (June 5), its vice president and general manager Mr Ed Onwe said: "Our ongoing investigation indicates that the threat has been contained, and we believe it to be isolated to a limited number of ST Engineering's US commercial operations."

He added: "Currently, our business continues to be operational."

Cyfirma, which is headquartered in Singapore and Tokyo, said the stolen data included client information and contract details such as that with American Airlines.

Other leaked sensitive data pertains to governments of countries like Peru and Argentina, and engagement details with agencies like the National Aeronautics and Space Administration.

VT San Antonio Aerospace has since disconnected certain systems from its network, informed relevant law enforcement authorities and engaged the services of third-party forensic investigators.

It is also conducting a rigorous review of the incident and its systems to ensure the necessary safeguards are in place.

Noting that denying ransom payment is the right thing to do, Cyfirma's Mr Ritesh said: "When you pay the ransom, (hackers) may take it as a sign of weakness and come back and attack you again."

It is more important to investigate the vectors through which the hackers came in from - whether it was a mobile device, laptop, e-mail or malicious website - and tighten control on such vectors, he added.

Join ST's Telegram channel and get the latest breaking news delivered to you.