STELIA Aerospace North America Inc., a Nova Scotia-based subsidiary of Airbus Atlantic, has confirmed a cybersecurity incident after the Rhysida ransomware group listed the company on its data leak site and issued a 27 bitcoin ($2.07 million) ransom demand. The attackers claim to have exfiltrated 10 TB of data and gave the aerospace manufacturer a seven-day deadline before publication. The ransom is nearly double Rhysida's confirmed average of $1.08 million.
What Happened
Rhysida added STELIA Aerospace North America to its leak site, posting a proof pack and a countdown timer threatening to release stolen data unless the ransom was paid within seven days. STELIA confirmed the incident in a statement, saying it had detected the intrusion, activated its cyber defence protocols, and isolated affected systems to contain the threat. The company stressed that the compromise is "strictly contained to the Stelia North America IT environment" and does not impact the broader Airbus Atlantic network. A forensic investigation is underway with external cybersecurity experts, and STELIA is coordinating with relevant authorities.
What Was Taken
Rhysida claims to have stolen 10 TB of data from STELIA's North American systems. The proof pack published on the leak site includes screenshots of identity documents, an employee benefit plan form, and several technical drawings, indicating both personal data on staff and sensitive engineering material. The group also published a customer list that suggests the breach may extend to data shared with major aerospace and defense partners, including Lockheed Martin, Northrop Grumman, Sikorsky, Leonardo, L3Harris, Airbus Atlantic, Boeing, Bombardier, De Havilland, ARDE, and MDA. STELIA has not confirmed the scope of stolen data while its investigation continues.
Why It Matters
STELIA Aerospace manufactures fuselage sections and pilot seats for civil and military aircraft, placing it deep inside the aerospace and defense supply chain. Technical drawings and program documentation tied to platforms operated by Lockheed Martin, Northrop Grumman, Boeing, and Sikorsky carry implications well beyond a single victim. Even if direct partner systems were not breached, leaked design data, contract documents, and identity records can fuel follow-on supply chain phishing, intellectual property theft, and counterintelligence concerns. The incident also reinforces a pattern: Rhysida continues to prioritize high-leverage targets where the cost of public disclosure exceeds the ransom, and the pricing on STELIA reflects that calculus.
The Attack Technique
STELIA has not disclosed the initial access vector, citing investigation integrity. Rhysida, believed to share lineage with Vice Society, has been observed since May 2023 across 266 logged incidents, 110 of which were confirmed by victims. The group's typical playbook leans on phishing, valid credentials, and exploitation of internet-facing services for initial access, followed by Cobalt Strike or PsExec for lateral movement, credential harvesting, and exfiltration prior to deployment of its ChaCha20-based encryptor. The double-extortion model, a leak-site listing paired with encryption, is consistent with how this incident has played out publicly.
What Organizations Should Do
- Audit external-facing services and VPN appliances for unpatched CVEs and enforce phishing-resistant MFA on every remote access path, including admin and contractor accounts.
- Hunt for known Rhysida and Vice Society indicators, including PsExec usage from non-admin hosts, suspicious Cobalt Strike beacons, and abnormal access to file shares containing engineering or HR data.
- Aerospace and defense primes that work with STELIA should treat shared technical documents and credentials as potentially exposed, rotate any shared secrets, and watch for targeted phishing referencing program details.
- Segment OT, engineering, and HR file repositories from general corporate networks, and require step-up authentication for bulk access to design data.
- Validate offline, immutable backups for critical engineering and ERP systems, and rehearse restoration on a clock that beats a seven-day extortion window.
- Update incident response playbooks to address public-leak extortion specifically, including pre-approved legal, regulatory, and customer notification templates for supply chain spillover.
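The hunting bullet above (PsExec usage from non-admin hosts) and the PsExec lateral-movement step in the technique section can be turned into a concrete correlation rule. The Python below is an added example, not part of the original article or any STELIA/Rhysida material; the event records, the host names, the `ADMIN_HOSTS` allowlist and the five-minute correlation window are all constructed assumptions. It flags three signals PsExec-style execution leaves on a target: an executable written to the ADMIN$ share (event 5145), a service install (event 7045) whose binary was staged that way or that follows a network logon (4624, type 3) from a host outside the allowlist, and a default PSEXESVC install that cannot be attributed to any source at all.

```python
"""Hunt for PsExec-style remote service execution from non-admin hosts.

Runs over constructed, simplified Windows Security/System events (not real
logs). Assumptions: the ADMIN_HOSTS allowlist, the five-minute window, and
every sample record below.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ADMIN_HOSTS = {"10.0.5.10"}          # assumed approved jump host(s)
WINDOW = timedelta(minutes=5)        # max gap between cause and service install

SAMPLE_EVENTS = [  # constructed sample data
    # Legitimate remote administration from the jump host: not flagged.
    {"time": "2024-06-03T09:00:01", "host": "ENG-FS01", "id": 4624, "LogonType": 3,
     "TargetUserName": "it-admin", "IpAddress": "10.0.5.10"},
    {"time": "2024-06-03T09:00:03", "host": "ENG-FS01", "id": 5145, "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "SubjectUserName": "it-admin", "IpAddress": "10.0.5.10"},
    {"time": "2024-06-03T09:00:04", "host": "ENG-FS01", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Same tooling driven from an ordinary workstation against an HR file server.
    {"time": "2024-06-03T22:14:10", "host": "HR-FS02", "id": 4624, "LogonType": 3,
     "TargetUserName": "svc-backup", "IpAddress": "10.0.40.77"},
    {"time": "2024-06-03T22:14:11", "host": "HR-FS02", "id": 5145, "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "SubjectUserName": "svc-backup", "IpAddress": "10.0.40.77"},
    {"time": "2024-06-03T22:14:12", "host": "HR-FS02", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Renamed service binary: the name match misses it, the ADMIN$ staging does not.
    {"time": "2024-06-03T22:20:00", "host": "ENG-FS01", "id": 5145, "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "winupd.exe", "SubjectUserName": "svc-backup", "IpAddress": "10.0.40.77"},
    {"time": "2024-06-03T22:20:02", "host": "ENG-FS01", "id": 7045, "ServiceName": "winupd",
     "ImagePath": "%SystemRoot%\\winupd.exe"},
    # Default PsExec service with no correlated logon or share write in the window.
    {"time": "2024-06-03T22:30:00", "host": "ENG-WS07", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    source_ip: str
    account: str
    reason: str


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_psexec_service(event):
    """Default PsExec footprint: service PSEXESVC backed by PSEXESVC.exe."""
    return event["id"] == 7045 and (
        event.get("ServiceName", "").upper() == "PSEXESVC"
        or _basename(event.get("ImagePath", "")) == "psexesvc.exe")


def is_admin_share_exe_write(event):
    """5145 touching an .exe under ADMIN$, the way PsExec drops its service binary."""
    return (event["id"] == 5145
            and event.get("ShareName", "").upper().endswith("ADMIN$")
            and event.get("RelativeTargetName", "").lower().endswith(".exe"))


def _precedes(candidate, event, host):
    """True if candidate is on the same host and at most WINDOW before event."""
    return (candidate["host"] == host
            and timedelta(0) <= _ts(event) - _ts(candidate) <= WINDOW)


def explain_service_install(svc, events) -> Optional[tuple]:
    """Attribute a 7045 to the host that staged its binary via ADMIN$, else to the
    nearest preceding type-3 logon. Returns (ip, account, reason) or None."""
    host, image = svc["host"], _basename(svc.get("ImagePath", ""))
    for e in reversed(events):  # events are sorted ascending; latest first
        if (is_admin_share_exe_write(e) and _precedes(e, svc, host)
                and e["RelativeTargetName"].lower() == image):
            return (e["IpAddress"], e["SubjectUserName"],
                    f"service {svc['ServiceName']} installed from binary staged via ADMIN$")
    for e in reversed(events):
        if e["id"] == 4624 and e.get("LogonType") == 3 and _precedes(e, svc, host):
            return (e["IpAddress"], e["TargetUserName"],
                    f"service {svc['ServiceName']} installed after network logon")
    return None


def detect(events, admin_hosts=ADMIN_HOSTS):
    """Return findings for PsExec-style activity not sourced from admin_hosts."""
    events = sorted(events, key=_ts)
    findings = []
    for e in events:
        if is_admin_share_exe_write(e) and e["IpAddress"] not in admin_hosts:
            findings.append(Finding(e["host"], e["IpAddress"], e["SubjectUserName"],
                                    f"{e['RelativeTargetName']} written to ADMIN$ from non-admin host"))
        elif e["id"] == 7045:
            attributed = explain_service_install(e, events)
            if attributed and attributed[0] not in admin_hosts:
                ip, account, reason = attributed
                findings.append(Finding(e["host"], ip, account, reason))
            elif attributed is None and is_psexec_service(e):
                findings.append(Finding(e["host"], "unattributed", "unknown",
                                        "PSEXESVC installed with no correlated logon or ADMIN$ write"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.reason} (source {f.source_ip}, account {f.account})")
```

The jump-host activity on ENG-FS01 produces nothing, while the same PSEXESVC sequence from 10.0.40.77 against HR-FS02 yields two findings (the share write and the attributed service install). The renamed `winupd` service shows why the ADMIN$ staging signal matters more than the service name, and the unattributed PSEXESVC install on ENG-WS07 is surfaced rather than dropped, since in a real estate it usually means the correlating logon was logged elsewhere or not at all. To run this against real telemetry, map your SIEM's field names onto the keys used here and widen the window to match your log latency.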