European aircraft maker Airbus SE apparently has been hit by a number of cyberattacks that targeted the computer systems of its key suppliers in what is believed to be a coordinated campaign by hackers with links to China.
The claim came today from the AFP news agency, which said the hacks targeted aircraft engine maker Rolls-Royce Holdings Plc and French engineering firm Expleo Group, among others, with the number of attacks totaling four in the last 12 months.
An Airbus spokesperson partially confirmed the report, saying that the company is “aware of cyber events,” and like any major high-tech industrial player, it is a target for “malicious acts.” The Airbus spokesperson added that it “continuously monitors” such threats through detection systems and can take “immediate and appropriate measures to protect itself at all times.”
“Airbus has long been considered a tempting target because of the cutting-edge technologies that have made it one of the world’s biggest commercial plane manufacturers, as well as a strategic military supplier,” the AFP report noted. Those behind the attacks were interested in technical documents relating to Airbus aircraft, including details on engines used on the Airbus A400M and A350 planes, suggesting that corporate espionage was the aim of the attacks.
Chinese officials have not commented on the report, but the Middle Kingdom has previously denied that it was involved in any hacking activities.
Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, told SiliconANGLE that cyber gangs have already been successfully targeting suppliers and other trusted parties of their victims for many years. “There is no need to undertake an expensive, time-consuming and risky assault of a castle if you can quickly get in via a loophole,” he said.
The problem, he added, is that most of the suppliers are battling to win bids in a highly competitive and turbulent global market and often ignore cybersecurity fundamentals.
“Implementation of information security at a level comparable to their VIP customers will boost their internal costs thereby considerably increasing their market prices making them uncompetitive,” he said. “Worse, large global companies such as Airbus have a great wealth of countless trusted third parties across the globe that it would be virtually unfeasible to keep an eye on how cybersecurity is implemented at their suppliers without skyrocketing monitoring and compliance costs.”
Indeed, he said, third-party risk management is still nascent in most of the organizations. That’s partly because shareholders likely won’t want their companies to spend a lot of money surveilling third parties at their own expense.