Full Report
Airbus-owned Stelia North America has been hacked in an apparent ransomware attack. In a statement, Stelia confirmed the attack, saying: “Upon detection, we immediately activated our cyber defence protocols and took proactive measures, including isolating affected systems, to mitigate the threat. We can confirm this incident is strictly contained to the Stelia North America IT environment and does not impact the broader Airbus Atlantic network. We are conducting a comprehensive forensic investigation alongside leading external cybersecurity experts. The safety and security of our people, our operations, our data, and our partners remain our absolute priority.”
Analysis Summary
# Incident Report: Stelia North America Ransomware Attack
## Executive Summary
Stelia North America, an Airbus-owned aerospace manufacturer, was targeted in a significant ransomware attack claimed by the Rhysida threat group. The incident resulted in the alleged exfiltration of 10 TB of sensitive data, though the company successfully contained the breach to its specific IT environment, preventing spread to the broader Airbus Atlantic network.
## Incident Details
- **Discovery Date:** November 2024 (based on reporting date)
- **Incident Date:** November 2024
- **Affected Organization:** Stelia North America
- **Sector:** Aerospace / Aviation Manufacturing
- **Geography:** North America
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed
- **Vector:** Unknown (Currently under forensic investigation)
- **Details:** Details regarding the point of entry have not been released to preserve the integrity of the ongoing investigation.
### Lateral Movement
- **Details:** The threat actors moved through the Stelia North America IT environment; however, proactive isolation measures successfully blocked lateral movement into the parent Airbus Atlantic network.
### Data Exfiltration/Impact
- **Details:** The Rhysida ransomware group claims to have exfiltrated 10 Terabytes (TB) of data. A ransom demand of 27 Bitcoin (approx. $2.07 million) was issued with a seven-day deadline.
### Detection & Response
- **Discovery:** Detected via internal cyber defense protocols.
- **Response actions taken:** Immediate activation of defense protocols, isolation of affected systems, and engagement of external cybersecurity experts for a forensic investigation.
## Attack Methodology
- **Initial Access:** Undisclosed.
- **Persistence:** Undisclosed.
- **Privilege Escalation:** Undisclosed.
- **Defense Evasion:** Undisclosed.
- **Credential Access:** Undisclosed.
- **Discovery:** Undisclosed.
- **Lateral Movement:** Attempted; restricted to local subsidiary environment.
- **Collection:** Bulk data gathering (approx. 10 TB).
- **Exfiltration:** Standard Rhysida double-extortion techniques.
- **Impact:** Encryption of systems (apparent) and data theft extortion.
## Impact Assessment
- **Financial:** Ransom demand of 27 BTC (~$2.07M USD). Internal recovery and forensic costs are likely substantial.
- **Data Breach:** Compromise of 10 TB of data, potentially including intellectual property, employee records, or partner data.
- **Operational:** Disruption to Stelia North America IT systems due to proactive isolation and containment.
- **Reputational:** Public acknowledgment of breach; association with high-profile Airbus brand.
## Indicators of Compromise
- **Network indicators:** No specific IP addresses or domains were provided in the public statement (investigation ongoing).
- **File indicators:** Rhysida ransomware typically utilizes `.rhysida` extensions and PDF ransom notes.
- **Behavioral indicators:** Large-scale outbound data transfers (approx. 10 TB claimed). The system isolation events that followed were the company's own response actions, not attacker activity.
## Response Actions
- **Containment measures:** Isolation of the Stelia North America IT environment from the Airbus Atlantic network.
- **Eradication steps:** Forensic investigation led by external experts to identify and remove threat actor presence.
- **Recovery actions:** Coordination with relevant authorities and ongoing communication with employees and customers.
## Lessons Learned
- **Network Segmentation Success:** The effective isolation of the North American environment from the broader Airbus network demonstrates the value of robust network segmentation (tiering/zoning).
- **Extortion Trends:** The incident highlights the continued shift toward massive data exfiltration (10 TB) as the primary leverage for ransom, beyond mere encryption.
## Recommendations
- **Zero Trust Architecture:** Implement strict access controls between international subsidiaries and parent company networks.
- **Enhanced Egress Monitoring:** Deploy data loss prevention (DLP) and anomaly detection to identify the exfiltration of large volumes of data before completion.
- **Ransomware Readiness:** Conduct tabletop exercises specifically modeled on Rhysida's known TTPs (Tactics, Techniques, and Procedures).
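The egress-monitoring recommendation above rests on a simple idea: a host that moves an order of magnitude more data to external addresses than its own recent baseline should raise an alert long before terabytes have left. The following script is an added illustration, not code from the report or from Stelia/Airbus; the flow records are constructed, and the internal address range, baseline window, ratio and absolute floor are assumptions to be tuned per environment.

```python
from collections import defaultdict

GB = 1_000_000_000

# Constructed daily flow summaries: (day, src_host, dst_ip, bytes_out). Not real data.
# Days 1-3 form the baseline; day 4 holds a bulk transfer to an external address.
FLOWS = [
    (1, "fileserver01", "203.0.113.10", 2 * GB),
    (2, "fileserver01", "203.0.113.10", 2 * GB),
    (3, "fileserver01", "203.0.113.10", 3 * GB),
    (1, "workstation17", "198.51.100.7", 1 * GB),
    (2, "workstation17", "198.51.100.7", 1 * GB),
    (3, "workstation17", "10.20.0.5", 40 * GB),      # internal backup traffic, not egress
    (4, "fileserver01", "198.51.100.42", 900 * GB),  # anomalous external transfer
    (4, "workstation17", "198.51.100.7", 1 * GB),
]
BASELINE_DAYS = {1, 2, 3}


def is_internal(ip, prefixes=("10.",)):
    """Assumption: 10.0.0.0/8 is the only internal address space."""
    return ip.startswith(prefixes)


def daily_egress(flows):
    """Outbound bytes per (host, day), counting only flows to external addresses."""
    totals = defaultdict(int)
    for day, host, dst, nbytes in flows:
        if not is_internal(dst):
            totals[(host, day)] += nbytes
    return totals


def flag_egress_anomalies(flows, baseline_days, ratio=10.0, floor_bytes=100 * GB):
    """Flag (host, day) pairs outside the baseline whose egress exceeds an absolute
    floor and `ratio` times that host's mean baseline day. The floor keeps a
    normally quiet host from alerting on small fluctuations."""
    totals = daily_egress(flows)
    alerts = []
    for host in sorted({h for h, _ in totals}):
        base = [totals.get((host, d), 0) for d in sorted(baseline_days)]
        mean = sum(base) / len(base)
        for (h, day), nbytes in sorted(totals.items()):
            if h != host or day in baseline_days:
                continue
            if nbytes >= floor_bytes and nbytes > ratio * mean:
                alerts.append({"host": host, "day": day, "bytes": nbytes, "baseline_mean": mean})
    return alerts


if __name__ == "__main__":
    for alert in flag_egress_anomalies(FLOWS, BASELINE_DAYS):
        print(f"{alert['host']} day {alert['day']}: {alert['bytes'] / GB:.0f} GB "
              f"vs baseline mean {alert['baseline_mean'] / GB:.2f} GB")
```

In production the same aggregation would run over NetFlow/IPFIX or firewall logs at a shorter interval (hourly, not daily) so that a transfer of the size claimed here is caught while it is still in progress.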