{
	"id": "014c75a7-0397-46b8-a722-f3cdca20a203",
	"created_at": "2026-04-06T00:08:15.454345Z",
	"updated_at": "2026-04-10T03:20:05.90531Z",
	"deleted_at": null,
	"sha1_hash": "68d617fec92b6db97104bdb9603b6d2664dae37d",
	"title": "US aerospace services provider breached by Maze Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1072801,
	"plain_text": "US aerospace services provider breached by Maze Ransomware\r\nBy Sergiu Gatlan\r\nPublished: 2020-06-05 · Archived: 2026-04-05 21:27:33 UTC\r\nThe Maze Ransomware gang breached and successfully encrypted the systems of VT San Antonio Aerospace, as well as\r\nstole and leaked unencrypted files from the company's compromised devices in April 2020.\r\nVT San Antonio Aerospace (VT SAA) is a leading North American aircraft MRO (maintenance, repair, and overhaul)\r\nservice provider specialized in airframe maintenance repair and overhaul, line maintenance, aircraft modifications, and\r\naircraft engineering services.\r\nVT SAA is a subsidiary of ST Engineering (part of ST Aerospace, its aerospace arm), one of the largest firms listed on the\r\nSingapore Exchange and an engineering group with customers in the defense, government, and commercial segments in\r\nover 100 countries, and roughly 23,000 people across Asia, Europe, Middle East, and the United States.\r\nhttps://www.bleepingcomputer.com/news/security/us-aerospace-services-provider-breached-by-maze-ransomware/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/us-aerospace-services-provider-breached-by-maze-ransomware/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nST Aerospace provides repair and overhaul services for more than 25,000 mechanical and avionics component types fitted\r\non various Airbus and Boeing aircraft and helicopters.  \r\nMaze encrypted VT SAA's network\r\nThe Maze Ransomware operators state in a new post on their data leak site that they breached the network of ST\r\nEngineering—actually that of VT SAA, one of the group's North American subsidiaries—stealing data and encrypting\r\nservers.\r\nDuring the attack, before deploying the ransomware payload to encrypt the company's servers, Maze claims to have stolen\r\n1.5 TB worth of unencrypted files to be used as leverage to pressure the ST Engineering subsidiary into paying their ransom.\r\nST Engineering entry on Maze leak site\r\nAs 'proof' that they breached VT SAA's network, Maze has already leaked over 100 documents that consist of financial\r\nspreadsheets, cyber insurance contracts, proposals, and expired NDAs.\r\nWe were told that these files allegedly include financial information, \"IT security systems\" information, and how ST\r\nEngineering financially supports political groups in countries in Latin America and CIS. Maze did not provide any proof of\r\nthese claims.\r\nStealing files from their victims' network before deploying the ransomware payload is a common procedure for the Maze\r\nRansomware operators.\r\nOther ransomware operators including but not limited to REvil, DoppelPaymer, Nemty, Netwalker, and CLOP have also\r\nadopted this extortion tactic.\r\nhttps://www.bleepingcomputer.com/news/security/us-aerospace-services-provider-breached-by-maze-ransomware/\r\nPage 3 of 6\n\nLeaked files\r\nBleepingComputer has also been told that VT SAA's cyber insurance contracts are with Chubb, who was also attacked by\r\nthe Maze Ransomware operators and had its network encrypted in March 2020.\r\nBad Packets said at the time that Chubb had numerous Citrix ADC (Netscaler) servers unpatched against the CVE-2019-\r\n19871 vulnerability despite the insurance carrier's statement that its network was not compromised (this security flaw was\r\nexploited in the past as part of other ransomware attacks).\r\nDetails of Maze's attack\r\nWhile Maze has not described details of their attack, they leaked the IT Manager's memorandum of the cyberattack memo\r\nwhich shows exactly how the attack occurred.\r\nMaze first connected to one of VT SAA's servers via a remote desktop connection using a compromised Administrator\r\naccount, then compromised the default Domain Administrator account and hit the company's domain controllers, intranet\r\nservers, and file servers on two domains.\r\nThe memo also says that all the encrypted systems were fully recovered within three days after VT SAA's systems were\r\nencrypted by Maze Ransomware on March 7, 2020.\r\nBecause of the number of files and the sensitive nature of the stolen data Maze has already posted on their leak site, ST\r\nEngineering Aerospace subsidiary will have to also disclose this incident as a data breach to all affected parties, including\r\nemployees and clients.\r\nhttps://www.bleepingcomputer.com/news/security/us-aerospace-services-provider-breached-by-maze-ransomware/\r\nPage 4 of 6\n\nAffected systems and data\r\nST Engineering North America only partially affected by the attack\r\nIn a statement to BleepingComputer, VT San Antonio Aerospace Vice President and General Manager Ed Onwe said that the\r\nattack only affected a limited number of ST Engineering’s U.S. commercial operations.\r\n\"VT San Antonio Aerospace discovered that a sophisticated group of cyber criminals, known as the Maze group, gained\r\nunauthorized access to our network and deployed a ransomware attack. At this point, our ongoing investigation indicates\r\nthat the threat has been contained and we believe it to be isolated to a limited number of ST Engineering’s U.S. commercial\r\noperations. Currently, our business continues to be operational,\" Onwe told BleepingComputer.\r\n\"Upon discovering the incident, the Company took immediate action, including disconnecting certain systems from the\r\nnetwork, retaining leading third-party forensic advisors to help investigate and notifying appropriate law enforcement\r\nauthorities.\r\n\"As part of this process, we are conducting a rigorous review of the incident and our systems to ensure that the data we are\r\nentrusted with remains safe and secure. This includes deploying advanced tools to remediate the intrusion and to restore\r\nsystems. We are also taking steps to further strengthen the Company’s overall cybersecurity architecture.\"\r\nhttps://www.bleepingcomputer.com/news/security/us-aerospace-services-provider-breached-by-maze-ransomware/\r\nPage 5 of 6\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/us-aerospace-services-provider-breached-by-maze-ransomware/\r\nhttps://www.bleepingcomputer.com/news/security/us-aerospace-services-provider-breached-by-maze-ransomware/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/us-aerospace-services-provider-breached-by-maze-ransomware/"
	],
	"report_names": [
		"us-aerospace-services-provider-breached-by-maze-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434095,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/68d617fec92b6db97104bdb9603b6d2664dae37d.pdf",
		"text": "https://archive.orkl.eu/68d617fec92b6db97104bdb9603b6d2664dae37d.txt",
		"img": "https://archive.orkl.eu/68d617fec92b6db97104bdb9603b6d2664dae37d.jpg"
	}
}