Ransomware | EXTANT-AEROSPACE-R | 2026-05-20

Extant Aerospace: Ransomware Attack Exposes Employee SSNs at DoD Supplier

Florida-based Extant Aerospace, a Department of Defense supplier of electronic warfare and communications systems, has disclosed a ransomware attack that struck its network on or around August 23, 2025. The company, a subsidiary of Symetrics Industries, LLC, is now notifying current and former employees that attackers exfiltrated names, addresses, dates of birth, and Social Security numbers during the intrusion.

What Happened

Extant Aerospace detected ransomware activity affecting a portion of its network environment on or around August 23, 2025. The Melbourne, Florida-based manufacturer says it took immediate containment steps and notified federal law enforcement upon discovery of the intrusion.

A subsequent forensic investigation confirmed that an unauthorized actor had accessed certain systems and stolen personal information belonging to some current and former employees, along with other individuals connected to the company. Extant completed its data-mining analysis on April 13, 2026, at which point it identified the specific records caught up in the breach. Law enforcement did not request that notification be delayed.

The company has not publicly identified the threat actor responsible, nor has it disclosed whether a ransom demand was made or paid. As of the disclosure, Extant says it is not aware of any confirmed misuse of the stolen information.

What Was Taken

The stolen personal information set is high-value and well suited for identity fraud and follow-on social engineering. According to Extant's notification, the exposed data fields include names, addresses, dates of birth, and Social Security numbers.

The combination of name, address, date of birth, and SSN constitutes a complete identity package on the open market. Affected individuals span both current and former employees, suggesting the attackers reached HR or payroll repositories that retain historical workforce records. The total number of victims has not been publicly disclosed.

Why It Matters

Extant Aerospace is not a typical commercial victim. The company manufactures and supplies complex electronic assemblies for the U.S. Department of Defense and international military customers, including Improved Data Modems (IDM) with imagery transmission capabilities, Tactical Video Data Server and Digital Video Recorder solutions, and the AN/ALE-47(V) Countermeasures Dispenser System (CMDS) used on a wide range of military aircraft. The company is FAA Part 21, FAA Part 145, ISO 9001:2008, and AS9100 certified, signaling deep integration with the defense industrial base.

An intrusion at a supplier of electronic warfare and countermeasures equipment carries strategic weight beyond the immediate identity-theft risk to employees. Even if the disclosed data set is limited to personal information, ransomware actors typically perform broad reconnaissance and bulk file collection before deploying encryptors. Adjacent defense program data, technical drawings, supplier correspondence, and obsolescence-management records could plausibly have transited the same compromised systems. The roughly nine-month gap between detection in August 2025 and victim notification in May 2026 also illustrates how long downstream individuals can remain exposed to credential and identity abuse before they are even informed.

The Attack Technique

Extant has not publicly disclosed the initial access vector, the ransomware family involved, or the threat actor behind the attack. The notification confirms only that the activity was identified as ransomware and that unauthorized access enabled data theft prior to or alongside encryption activity, consistent with the now-standard double-extortion model.

For a defense industrial base manufacturer of Extant's profile, the most common observed access vectors in 2024 and 2025 ransomware incidents include exposed remote access services, exploited edge devices such as VPN concentrators and firewalls, phishing leading to credential theft, and abuse of third-party or managed service provider connections. Without IOCs or attribution from Extant, defenders in the aerospace and defense supply chain should treat the incident as a reminder that identity, edge, and third-party trust paths remain the dominant ingress points.

What Organizations Should Do

Defense industrial base suppliers and aerospace manufacturers should treat the Extant disclosure as a prompt to validate their own posture against the playbook common to ransomware crews targeting this sector:

  1. Audit and harden external attack surface, with priority on VPN gateways, firewalls, and any remote management interfaces exposed to the internet. Confirm vendor patches for known-exploited edge appliances are current.
  2. Enforce phishing-resistant multi-factor authentication on all remote access, privileged accounts, and email. Eliminate SMS and push-only MFA for administrators.
  3. Segment HR, payroll, and engineering systems from general enterprise networks. The blast radius of a single domain compromise should not include both employee PII and program technical data.
  4. Implement and exercise offline, immutable backups, and validate restoration timelines against a realistic encryption scenario rather than a clean-room test.
  5. Hunt for staging behavior characteristic of pre-encryption data theft: large outbound transfers to cloud storage providers, archive utilities running on file servers, and unusual access to HR or finance file shares.
  6. Review breach notification and incident response playbooks for defense customer reporting obligations under DFARS 252.204-7012 and emerging CMMC requirements, ensuring contracting officers are notified within mandated windows.
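The staging hunt in step 5 can be expressed as a correlation rule. The sketch below is an added example, not drawn from Extant's notification or any vendor tooling: it flags a host when at least two of the three behaviours listed in that step occur within one time window. The event schema, host and account names, share paths, the `.cloud-storage.example` suffix and all thresholds are assumptions to replace with your own telemetry and baselines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values: tune every name, suffix and threshold to your own environment.
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe", "tar.exe"}
CLOUD_SUFFIXES = (".cloud-storage.example",)      # placeholder for a proxy category list
SENSITIVE_SHARES = ("\\\\fs01\\hr\\", "\\\\fs01\\finance\\")
EGRESS_BYTES = 500 * 2**20                        # one flow of 500 MiB or more
MASS_READ_FILES = 200                             # distinct files read by one account
WINDOW = timedelta(hours=6)

def classify(ev, reads):
    """Map one normalised event to a staging signal name, or None."""
    if ev["type"] == "process" and ev["role"] == "file_server" and ev["image"].lower() in ARCHIVERS:
        return "archiver_on_file_server"
    if ev["type"] == "netflow" and ev["dest"].endswith(CLOUD_SUFFIXES) and ev["bytes_out"] >= EGRESS_BYTES:
        return "bulk_upload_to_cloud_storage"
    if ev["type"] == "share_read" and ev["path"].lower().startswith(SENSITIVE_SHARES):
        seen = reads[(ev["host"], ev["user"])]
        seen.add(ev["path"].lower())
        if len(seen) == MASS_READ_FILES:          # distinct-file count reaches the threshold
            return "mass_read_of_sensitive_share"
    return None

def detect_staging(events):
    """Return {host: sorted signals} for hosts with 2+ distinct signals inside WINDOW."""
    reads, hits = defaultdict(set), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = classify(ev, reads)
        if sig:
            hits[ev["host"]].append((ev["ts"], sig))
    flagged = {}
    for host, seq in hits.items():
        for start, _ in seq:
            near = {s for t, s in seq if start <= t <= start + WINDOW}
            if len(near) >= 2:
                flagged[host] = sorted(set(flagged.get(host, [])) | near)
    return flagged

# Constructed sample events, not taken from the incident described above.
T0 = datetime(2026, 1, 10, 1, 0)
EVENTS = [{"ts": T0 + timedelta(seconds=i), "type": "share_read", "host": "fs01",
           "user": "svc_scan", "path": f"\\\\FS01\\HR\\personnel\\{i}.pdf"} for i in range(250)]
EVENTS += [
    {"ts": T0 + timedelta(minutes=20), "type": "process", "host": "fs01", "role": "file_server", "image": "7z.exe"},
    {"ts": T0 + timedelta(minutes=50), "type": "netflow", "host": "fs01", "dest": "up.cloud-storage.example", "bytes_out": 3 * 2**30},
    {"ts": T0 + timedelta(hours=2), "type": "process", "host": "ws17", "role": "workstation", "image": "7z.exe"},
    {"ts": T0 + timedelta(hours=3), "type": "netflow", "host": "ws22", "dest": "up.cloud-storage.example", "bytes_out": 40 * 2**20},
]
print(detect_staging(EVENTS))
```

Requiring two co-occurring signals keeps a lone archive job on a workstation or a small cloud upload from alerting, while the file server that shows all three behaviours in under an hour is surfaced.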

Sources: Government Aerospace Manufacturer Hit by Ransomware - ISSSource