Advertisement
FIA2026 animated banner

News

Articles

Information

Resources

Advancing UK Aerospace, Defence, Security & Space Solutions Worldwide
  • Home
  • /
  • Aerospace
  • /
  • Context identifies group behind aerospace supply chain cyber attacks

Aerospace Defence Security

Context identifies group behind aerospace supply chain cyber attacks

Posted 3 October 2019
The Threat Intelligence and Incident Response Team at Context Information Security has identified a new threat group behind a series of incidents targeted at the aerospace and defence industries in the UK and Europe.

Named by Context as AVIVORE, the group is not previously publicly known or reported and Context believes it is responsible for the recently reported cyber attacks within the aerospace and defence supply chain: https://www.france24.com/en/20190926-airbus-hit-by-series-of-cyber-attacks-on-suppliers

Context has been investigating attacks against large multinational firms that compromise smaller engineering services and consultancy companies in the supply chain for more than 12 months. The attackers use legitimate remote connectivity or other collaborative working solutions to bypass the generally well-defended perimeters and gain access to the target. This technique, referred to as ‘Island Hopping’, has also seen the adversary leverage chains of activity or connections across multiple business units or geographical locations within victim environments.

Advertisement
ODU RT

As a result of its discoveries, Context has been working closely with victims, security organisations and law enforcement agencies across Europe, including the UK’s National Cyber Security Centre (NCSC), in order to reduce the impact and prevent further compromises. In addition to aerospace and defence engineering victims, Context has seen AVIVORE target assets related to other verticals including automotive, consultancy, energy/nuclear and space and satellite technology. Context also assesses with moderate confidence that the objective of the campaign is intellectual property theft.

“Previous reporting into recent incidents affecting aerospace and defence have linked this activity to APT10 and JSSD (Jiangsu Province Ministry of State Security). Though the nature of the activity makes attribution challenging, our experience of the campaign suggests a new group that we have codenamed AVIVORE,” said Oliver Fay, Principal Threat Intelligence Analyst at Context.

Whilst AVIVORE has been observed operating in the UTC+8 timezone and makes use of the PlugX Remote Access Trojan shared with APT10 and other actors, the Tactics, Techniques and Procedures (TTPs), infrastructure and other tooling differ significantly. This leads Context to believe that this activity is attributed to a previously untracked nation-state level adversary.

Advertisement
ODU RT

AVIVORE has shown itself to be a highly capable threat actor, adept at both ‘living-off-the-land’ and masquerading its activity within the ‘business as usual’ activities of employees in its victim organisations. It has also shown a high degree of operational security awareness, including routinely clearing forensic artefacts as it progresses, making detection and investigation difficult.

“The capability of the threat actor makes detecting these incidents challenging, however the complex nature of the supplier relationship makes investigation, co-operation and remediation a significant issue,” said James Allman-Talbot, Head of Cyber Incident Response at Context. “When the organisation that has enabled the intrusion forms a critical part of your value chain, the operational business risk increases dramatically and difficult decisions need to be made in a short space of time.”

To mitigate against these attacks, Context recommends the following measures:
 
•    Impose access limitations on supplier connections over VPNs, such as preventing their use outside of the supplier’s business hours or from IP addresses and locations other than those pre-agreed and restrict access only to data and assets they require to perform their actions.
 
•    Ensure that security measures, such as multifactor authentication and enhanced auditing/logging are deployed to hosts and services into which suppliers are required to connect, in order to prevent or support the investigation of any suspicious user behaviour.
 
•    Ensure that external remote access services implement appropriate log retention. Logs should contain enough information on the sources of inbound connections to enable identification of anomalies, such as concurrent log-ins with impossible geography. 
 
•    Ensure that credentials for highly privileged accounts and remote services are stored securely and their use is appropriately monitored. Hosts such as domain controllers, sensitive file shares and Public Key Infrastructure servers, should also be subject to additional scrutiny and monitoring.
 
•    Where possible, applications, documentation and technical information related to network infrastructure and configuration of remote access services should be made available only to engineers, IT support staff and other individuals with legitimate business needs.

For a more detailed blog on AVIVORE, go to: https://www.contextis.com/en/blog/avivore 

Advertisement
Gulfstream banner
MGI conducts first TigerShark flights with Auterion

Aerospace Defence Security

MGI conducts first TigerShark flights with Auterion

2 April 2026

MGI Engineering Ltd (MGI) has announced the successful first flights of its TigerShark uncrewed deep strike platform, in partnership with Auterion.

Loganair, Royal Mail and BETA advance electric aviation operations

Aerospace

Loganair, Royal Mail and BETA advance electric aviation operations

1 April 2026

Loganair, Royal Mail and BETA Technologies, today announced the successful completion of the UK's first electric flight demonstration programme across Scotland's regional air network.

SYMCA grant unlocks Rolls-Royce investment in Rotherham ABCF

Aerospace

SYMCA grant unlocks Rolls-Royce investment in Rotherham ABCF

1 April 2026

Rolls-Royce has announced a £19.3 million investment in its highly specialised Advanced Blade Casting Facility (ABCF) in Rotherham, following a grant of £2 million from the South Yorkshire Mayoral Combined Authority (SYMCA).

Rolls-Royce to advance UltraFan 30 demonstrator through UNIFIED

Aerospace

Rolls-Royce to advance UltraFan 30 demonstrator through UNIFIED

31 March 2026

Rolls-Royce has secured €64million in funding from the European Union’s Clean Aviation Joint Undertaking (CAJU) to lead UNIFIED (Ultra Novel and Innovative Fully Integrated Engine Demonstrations), a collaborative research project supporting the development and planned ground testing of the UltraFan 30 demonstrator.

Advertisement
ODU RT
IATA sees strong air passenger and cargo demand growth for February

Aerospace

IATA sees strong air passenger and cargo demand growth for February

31 March 2026

The International Air Transport Association (IATA) has released data for February 2026 showing global passenger demand was up 6.1% and air cargo demand rose by 11.2%, compared to February 2025 levels.

CAA publishes Initial Proposals for Heathrow H8 price cap

Aerospace

CAA publishes Initial Proposals for Heathrow H8 price cap

31 March 2026

The UK Civil Aviation Authority (CAA) has today published its Initial Proposals for the maximum fees that Heathrow Airport Limited (HAL) can charge airlines for using the airport for the H8 regulatory period, which runs from January 2027 until the end of 2031.

Advertisement
ODU RT
Advertisement
Gulfstream banner

News

Articles

Information

Resources

© 2026 Advance - All rights reserved

Website by Silkstream

The views expressed are not necessarily those of ADS or its members. No responsibility or liability is accepted by ADS, the editorial team or the publisher for any loss occasioned to any person, legal or physical, acting or refraining from action as a result of any statement, fact, figure, expression of opinion or belief contained within this site.

Advertisement
FIA2026 animated banner