Cyber Incident Victim: VT San Antonio Aerospace
Date: Apr 2020
Location: United States of America
Summary
A U.S. aerospace maintenance provider, a subsidiary of ST Engineering, suffered a ransomware attack by the Maze group involving system encryption and theft of 1.5 TB of unencrypted files including financial data, insurance contracts, and sensitive corporate information. Attackers initially accessed the network via compromised administrator credentials, compromising domain controllers and servers before leaking partial data as leverage. The company contained the incident, disconnected affected systems, and restored operations within days while engaging forensic experts and law enforcement. The breach impacted limited U.S. commercial operations, prompting ongoing investigations and security enhancements to protect entrusted data.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In March 2020, the Maze ransomware gang breached VT San Antonio Aerospace (VT SAA), the North American aircraft maintenance, repair, and overhaul subsidiary of Singapore-based ST Engineering. The attackers first gained access over a Remote Desktop (RDP) connection using a compromised Administrator account, then escalated to the built-in Domain Administrator account. With domain-wide privileges they encrypted servers across two domains, including domain controllers, intranet servers, and file servers. Before deploying the ransomware, Maze exfiltrated roughly 1.5 terabytes of unencrypted files, among them financial spreadsheets, cyber insurance contracts with Chubb, business proposals, and expired non-disclosure agreements. The group then published more than 100 documents from this cache on its data-extortion site as proof of compromise, claiming the data also covered the company's IT security systems and ST Engineering's financial support for political groups in Latin America and CIS countries; no evidence was provided for those specific assertions.
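The access chain in the paragraph above (an RDP logon with an administrator account, followed by use of the built-in Domain Administrator on a domain controller) is a sequence a SOC can alert on from Windows Event ID 4624 alone. The following Python is an added example, not code from the original page or from VT SAA or ST Engineering: it runs two rules over constructed logon records and pairs them into the foothold-then-escalation pattern. The host names, SIDs, IP addresses and the trusted admin network range are assumptions for illustration.

```python
"""Detect the access chain described above from Event ID 4624 logon records.

Added example; the events below are constructed, not VT SAA telemetry.
Field names follow the 4624 schema: LogonType 10 is RemoteInteractive (RDP),
and RID 500 is the built-in Administrator of a domain or of a member machine.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the only networks from which administrative RDP is expected
# (jump hosts / privileged access workstations). Anything else is suspect.
TRUSTED_ADMIN_NETWORKS = [ip_network("10.10.50.0/24")]
# Assumption: hostnames of the domain controllers in the monitored domain.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

RDP_LOGON_TYPE = 10           # RemoteInteractive
INTERACTIVE_TYPES = {2, 10}   # Interactive (console) and RemoteInteractive
BUILTIN_ADMIN_RID = "500"     # RID survives renaming of the account


@dataclass(frozen=True)
class Logon:
    time: str        # ISO-8601 UTC timestamp (same format for every event)
    host: str        # computer that recorded the 4624 event
    user: str        # TargetDomainName\TargetUserName
    sid: str         # TargetUserSid
    logon_type: int  # LogonType
    source_ip: str   # IpAddress ("-" when not applicable)


def is_builtin_admin(sid: str) -> bool:
    """True for S-1-5-21-<domain or machine>-500, whatever the account is called."""
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] == BUILTIN_ADMIN_RID


def from_trusted_network(source_ip: str) -> bool:
    """True only when the source address is inside an expected admin network."""
    try:
        addr = ip_address(source_ip)
    except ValueError:          # "-" or empty IpAddress field
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETWORKS)


def suspicious_admin_rdp(events):
    """Rule 1: RDP logon by a RID-500 account from outside the trusted networks."""
    return [e for e in events
            if e.logon_type == RDP_LOGON_TYPE
            and is_builtin_admin(e.sid)
            and not from_trusted_network(e.source_ip)]


def builtin_da_on_dc(events):
    """Rule 2: interactive logon of a RID-500 account on a domain controller.

    DCs have no local accounts, so RID 500 there is the domain Administrator.
    """
    return [e for e in events
            if e.host in DOMAIN_CONTROLLERS
            and e.logon_type in INTERACTIVE_TYPES
            and is_builtin_admin(e.sid)]


def find_intrusion_chain(events):
    """Pair each rule-1 foothold with every later rule-2 escalation."""
    ordered = sorted(events, key=lambda e: e.time)
    footholds = suspicious_admin_rdp(ordered)
    escalations = builtin_da_on_dc(ordered)
    return [(f, s) for f in footholds for s in escalations
            if s is not f and s.time > f.time]


# Constructed sample events (not real telemetry); hosts, SIDs and IPs assumed.
SAMPLE_EVENTS = [
    Logon("2020-03-05T02:14:07Z", "FS01", "FS01\\Administrator",
          "S-1-5-21-4000-5000-6000-500", 10, "203.0.113.45"),   # local admin, RDP from the internet
    Logon("2020-03-05T08:30:11Z", "JUMP01", "CORP\\admin.jsmith",
          "S-1-5-21-1000-2000-3000-1105", 10, "10.10.50.12"),   # expected admin RDP from jump host
    Logon("2020-03-05T09:02:45Z", "WS22", "CORP\\jdoe",
          "S-1-5-21-1000-2000-3000-1234", 2, "127.0.0.1"),      # console logon by a normal user
    Logon("2020-03-06T23:41:58Z", "DC01", "CORP\\Administrator",
          "S-1-5-21-1000-2000-3000-500", 10, "10.20.1.15"),     # domain Administrator, RDP to a DC from FS01
    Logon("2020-03-06T23:42:03Z", "DC01", "NT AUTHORITY\\SYSTEM",
          "S-1-5-18", 5, "-"),                                   # service logon, ignored
]

if __name__ == "__main__":
    for foothold, escalation in find_intrusion_chain(SAMPLE_EVENTS):
        print(f"{foothold.time} {foothold.user}@{foothold.host} from {foothold.source_ip}"
              f" -> {escalation.time} {escalation.user}@{escalation.host}")
```

Matching on RID 500 rather than on the name "Administrator" is deliberate: renaming the built-in account is common hardening, and it changes the name but not the RID. The rules deliberately stay narrow (RID 500 only); catching RDP use by any member of Domain Admins would need group data from Event ID 4627 or a directory lookup, which this example does not include.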

VT SAA detected the intrusion and responded by disconnecting affected systems from the network, engaging third-party forensic investigators, and notifying law enforcement. The company fully restored the encrypted systems within three days of the March 7, 2020 ransomware deployment and maintained business operations throughout the incident. Executive statements confirmed that the attack affected only a limited segment of ST Engineering's U.S. commercial operations. The forensic review led to the deployment of additional remediation tooling and to enhancements of the corporate cybersecurity architecture. Because the stolen data included employee and client information, the incident triggered mandatory breach-notification obligations. Maze's earlier compromise of VT SAA's insurer Chubb in March 2020, reportedly facilitated by unpatched Citrix ADC appliances vulnerable to CVE-2019-19781, added contextual risk but did not directly enable this attack. The company completed system recovery before Maze published further data from the cache.
