{
	"id": "3d092b6b-c900-4efc-a2a8-85b6cbbfc463",
	"created_at": "2026-04-06T00:19:23.468274Z",
	"updated_at": "2026-04-10T03:33:45.614649Z",
	"deleted_at": null,
	"sha1_hash": "4fd3db0442ae7fd5633ebdd008040734e6d8e068",
	"title": "New threat group behind Airbus cyber attacks, claim researchers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 759921,
	"plain_text": "New threat group behind Airbus cyber attacks, claim researchers\r\nBy Alex Scroxton\r\nPublished: 2019-10-03 · Archived: 2026-04-02 12:05:00 UTC\r\nbeebright - stock.adobe.com\r\nContext Information Security’s threat intel and response teams say they have evidence that the recent supply chain attacks on Airbus are the work of a newly identified group called Avivore\r\nA number of high-profile cyber attacks on Airbus in the past 12 months, which exploited virtual private networks (VPNs) used by some of its supply chain partners to access the aerospace firm’s systems, are likely to have been the work of a previously unidentified threat group, according to Context Information Security’s researchers.\r\nDubbed Avivore, the group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.\r\nIn such supply chain attacks – also known as Island Hopping – the adversary uses legitimate connectivity or collaboration tools to bypass the target’s perimeters. These attacks will often see criminals using chains of activity or connections spanning multiple business and geographical locations in the victim environment.\r\nThe Avivore group, which has not been identified or tracked before, seems to have targeted assets related to a number of verticals besides aerospace and defence, including automotive, energy, and space and satellite technology.\r\n“Previous reporting into recent incidents affecting aerospace and defence have linked this activity to APT10 and JSSD (Jiangsu Province Ministry of State Security). Though the nature of the activity makes attribution challenging, our experience of the campaign suggests a new group that we have codenamed Avivore,” said Oliver Fay, principal threat intelligence analyst at Context.\r\nThe group appears to operate in the UTC +8 timezone and exploits the PlugX remote access Trojan, which has been used extensively by APT10.\r\nHowever, its tactics, techniques and procedures (TTPs), infrastructure and other tooling are significantly different from those of known Chinese state actors. It is this that has led Context to the conclusion that Avivore is a previously untracked nation state-level adversary.\r\nAccording to Context, the group is a “highly capable” actor, skilled at living off the land and obfuscating its activity within the day-to-day business activities of its victims’ employees. It also appears to have a high degree of operational security awareness – for example, it clears forensic artefacts as it progresses to make detection harder.\r\n“The capability of the threat actor makes detecting these incidents challenging, however the complex nature of the supplier relationship makes investigation, co-operation and remediation a significant issue,” said James Allman-Talbot, head of cyber incident response at Context.\r\n“When the organisation that has enabled the intrusion forms a critical part of your value chain, the operational business risk increases dramatically and difficult decisions need to be made in a short space of time.”\r\nContext set out a number of recommendations for enterprises to consider adopting, whether they are likely to be a target of a supply chain attack or not.\r\nThese include imposing access limitations on supplier and partner connections using VPNs, such as preventing use outside business hours, agreeing specific locations and IP addresses for access, and imposing restrictions on access to data and other assets.\r\nOther useful steps could include introducing multifactor authentication and enhancing auditing and logging at hosts and services into which suppliers connect.\r\nSteps should also be taken to ensure that remote access services implement appropriate log retention; to ensure that credentials for remote services are stored securely and their use monitored; and, where possible, to make applications, documents and technical information relating to enterprise networks and remote access services available only to engineers and IT support staff.\r\nSource: https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers"
	],
	"report_names": [
		"New-threat-group-behind-Airbus-cyber-attacks-claim-researchers"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "680d62c6-23e2-411b-86e9-af6dc6a64d53",
			"created_at": "2023-01-06T13:46:39.329055Z",
			"updated_at": "2026-04-10T02:00:03.289076Z",
			"deleted_at": null,
			"main_name": "Avivore",
			"aliases": [],
			"source_name": "MISPGALAXY:Avivore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10",
				"CTG-5938",
				"CVNX",
				"Hogfish",
				"MenuPass",
				"MirrorFace",
				"POTASSIUM",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda"
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b978023-9d82-46fb-b836-a0d011504d2c",
			"created_at": "2022-10-25T16:07:23.368134Z",
			"updated_at": "2026-04-10T02:00:04.568035Z",
			"deleted_at": null,
			"main_name": "AVIVORE",
			"aliases": [],
			"source_name": "ETDA:AVIVORE",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434763,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fd3db0442ae7fd5633ebdd008040734e6d8e068.pdf",
		"text": "https://archive.orkl.eu/4fd3db0442ae7fd5633ebdd008040734e6d8e068.txt",
		"img": "https://archive.orkl.eu/4fd3db0442ae7fd5633ebdd008040734e6d8e068.jpg"
	}
}