Airbus has been forced to take action after a possible Chinese state-sponsored hacking operation was detected targeting multiple suppliers over the past year, according to reports.
The commercial and military aircraft-maker revealed in January that it suffered a cyber-attack resulting in unauthorized access to data, but this campaign is thought to be much bigger in scope.
Hackers have targeted UK engine-maker Rolls Royce and French tech supplier Expleo, as well as two other French Airbus suppliers, although none of the organizations confirmed the news to AFP.
Unnamed “security sources” told the newswire that the “sophisticated” attack on the companies focused on compromising the VPNs connecting them with Airbus networks.
The sources claimed that the hackers were after technical documentation regarding the certification process for parts of Airbus aircraft, while other stolen docs indicated interest in the A400M military transport plane, and the A350 propulsion and avionics systems.
These are areas Chinese aircraft manufacturers are thought to be relatively weak in, while state-backed Comac is said to be struggling to gain certification for its C919 commercial airliner.
The notorious APT10 and the Jiangsu outpost of the Ministry of State Security, known as JSSD, have both been pegged as possible perpetrators.
“Our national security is at risk and it’s well past time to address this challenge with leadership and resources,” argued Jake Olcott, VP of government affairs at BitSight. “The entire defense supply chain has been under attack for years, and it’s not just the small companies that are vulnerable. Defense agencies must gain visibility immediately. We can’t afford to wait.”
Ilia Kolochenko, CEO of web security firm ImmuniWeb, added that third party risk management is still at an early stage in many organizations.
“The situation is largely exacerbated by different national and regional standards and best practices, often incompatible or contrariwise overlapping,” he argued.
“Globally recognized standards, such as ISO 27001, 27701 and 9001, can definitely ensure a baseline of security, privacy and quality assurance amid suppliers. One should, however, bear in mind that they are no silver bullet and some additional monitoring of suppliers handling critical business data is a requisite.”