Cyber Incident Victim: Discovery Air Defence Services
Date:
May 2022
Location:
Canada
Summary
A Canadian defense contractor providing adversary air training to multiple nations' armed forces experienced a ransomware attack by the LockBit group, which claimed theft of 44GB of data and threatened its release. The company, which holds contracts including with the U.S. Air Force for counter-Russian training, faced potential risks of sensitive information exposure, with analysts highlighting broader security vulnerabilities in the defense supply chain due to similar past incidents targeting military contractors. LockBit, among the most active ransomware groups, has intensified attacks globally, leveraging its Ransomware-as-a-Service platform to compromise hundreds of organizations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On May 11, 2022, Canadian defense contractor Top Aces (Discovery Air Defence Services) confirmed it was investigating a ransomware attack after appearing on the leak site of the LockBit ransomware group. The Montreal-based company, founded in 2000 by former fighter pilots, provides adversary air training services to the Canadian and German armed forces under exclusive contracts and maintains the largest privately-held fleet of operational fighter aircraft globally. LockBit claimed responsibility for the attack and threatened to leak 44GB of stolen company data by May 15 if ransom demands were not met. Top Aces' operations extend beyond Canada and Germany to include Israel and the United States, where it secured a significant U.S. Air Force contract in 2019 focused on training against Russian weaponry. The incident occurred amid LockBit's heightened global activity, with the group compromising over 650 organizations in 2022 alone, including high-profile attacks on German library systems and Brazilian financial authorities.
Security analysts highlighted concerns about data exposure risks given Top Aces' position in the defense supply chain. Brett Callow of Emsisoft noted stolen defense sector data could potentially reach hostile governments even if initial attackers were profit-driven cybercriminals. The incident followed a pattern of attacks against defense industrial base entities, including 2020 ransomware incidents targeting Visser Precision (a Lockheed Martin supplier) and Westech International (a U.S. nuclear deterrent contractor). LockBit, operational since 2019, escalated its attacks after releasing its LockBit 2.0 ransomware-as-a-service platform, prompting warnings from agencies like Australia’s ACSC about increased activity in mid-2021. Top Aces did not disclose specific operational impacts, detection methods, or containment measures beyond confirming an ongoing investigation at the time of reporting. The company’s statement provided no details regarding affected systems or data types beyond LockBit’s claimed 44GB exfiltration.