
Aerospace sector, against APTs and supply-chain attacks.

The aerospace sector and its entire associated supply-chain economy are primary targets for state-sponsored APTs hitting industrial intellectual property, and for supply-chain attacks entering via email and cloud interconnections with suppliers and partners. Extended sector: OEMs, prime contractors, sub-supply, MRO, commercial space, R&D — the entire European aerospace economy.

4 · APTs tracked on EU
NIS2 · Space sector
24·7 · European SOC
Compliance
NIS2
ISO/IEC 27001
GDPR
Standards
MITRE ATT&CK
ECSS · space standards
AS9100 / EN 9100
IEC 62443 · OT
Why Fortgale for the aerospace sector

Three sector-specific constraints.

The aerospace sector is not "manufacturing like the others": the adversary is organised as a nation-state, the supply chain runs four to five tiers deep with daily email and cloud interconnections, and industrial IP holds its value for years. Three factors that radically change the security operation required.

01 ·

State-sponsored threat intel

We track APT28, APT41, Lazarus, MuddyWater active against the European aerospace supply chain: industrial espionage, IP theft, CAD models, avionics code, dual-use R&D. MITRE ATT&CK-mapped detection.

02 ·

Supply chain via email

BEC (Business Email Compromise) from compromised supplier accounts is the most exploited vector: substitute invoices, manipulated payment orders, payloads signed by trusted partners. AI detection on linguistic anomalies and payment patterns.

03 ·

Supply chain via cloud

Cloud interconnections are the new vector: OAuth consent phishing, tenant-to-tenant trust abuse, API key compromise, attacks on shared SSO federation, injection into federated CI/CD pipelines. Cross-tenant monitoring with UEBA.

APTs tracked · against the aerospace supply chain

Four state-sponsored groups.

Fortgale actively tracks these groups based on documented incidents against the European aerospace supply chain over the past 24 months. The TTPs are integrated into detection rules, IOCs feed the SOC.

Russia · GRU

APT28 (Fancy Bear)

Industrial espionage. Spear phishing of R&D technical staff, exploitation of Exchange and VPN 0-days. Long-standing targeting of the European aerospace supply chain.

China · MSS

APT41 / Mustang Panda

Long-term industrial espionage. Aerospace IP theft, persistent modifications to build servers, multi-year access. Civil aerospace and dual-use technologies.

North Korea

Lazarus / BlueNoroff

Industrial espionage + finance. Job-offer impersonation via LinkedIn against aerospace engineers, supply-chain attack on developer tooling and CI/CD.

Iran · MOIS

MuddyWater · APT34

Mass low-cost phishing, credential harvesting, persistence via PowerShell. Pivoting to regional supply-chain partners.

Supply chain attack · email + cloud

Two vectors, one compromised supply chain.

78% of attacks on the aerospace sector in 2025 don't enter through the victim's direct perimeter, but through a supply-chain link: a supplier, a partner, an automated interconnection. Email and cloud trust relationships are the two dominant vectors.

Vector 1 · Email

Business Email Compromise & supplier phishing

The attacker doesn't spoof the supplier: they compromise the real supplier's email account and send legitimate-looking communications from there, so sender authentication passes. Observed patterns: substitute invoices with a changed IBAN, payment orders from an impersonated CFO, firmware updates or technical documents carrying signed payloads. Fortgale detection: AI linguistic-anomaly checks, behavioural baseline on payment patterns, proactive lookalike-domain monitoring, SOC-level correlation of email and network events.

Vector 2 · Cloud

SaaS interconnections, OAuth, tenant trust

Aerospace supply chains share cloud environments daily: federated Microsoft 365 tenants between OEMs and sub-suppliers, OAuth consent phishing on R&D accounts, API key compromise on ERP/CRM/PLM/MES integrations, attacks on shared SSO federation, injection into federated CI/CD pipelines (e.g. GitHub Actions with partner secrets). Fortgale detection: cross-tenant UEBA, monitoring of unusual OAuth consent grants, continuous audit of Entra ID guest accounts, MITRE ATT&CK T1199 (Trusted Relationship) and T1078.004 (Valid Accounts: Cloud Accounts).

Proof · aerospace sector scale

Four numbers on the aerospace landscape.

4 · State-sponsored APTs tracked on EU supply chain
180+ · Threat actors profiled and blocked
78 % · Attacks via supply chain (email + cloud)
24·7 · European SOC for aerospace supply chain
Sector · verified numbers

European aerospace · the scale of risk.

The European aerospace economy groups thousands of pure-sector companies — OEMs, primes, sub-suppliers, MRO, commercial space — with over 70% in export. Including supply-chain induced activity (specialised logistics, certification, R&D), the industrial base exceeds tens of thousands of companies. This is the base state-sponsored APTs target — and which NIS2 classifies as essential for the space sector.

Source · sector federations 2025

Thousands of pure-sector SMEs

European aerospace federations: OEMs, prime contractors, mechanical and electronic sub-suppliers, embedded software, MRO. ~92% are SMEs below 250 employees — the most exposed and least defended segment of the supply chain.

Source · Clusit 2026 H1

+58% EU incidents 2025

Year-over-year growth of documented attacks against European aerospace targets. 67% attributed to state-sponsored groups, APT28 and APT41 the most recurring.

Source · ENISA Threat Landscape 2025

78 % via supply chain

ENISA estimate of the share of incidents in the aerospace sector entering via supply chain (email BEC, cloud federation, compromised partners) rather than direct perimeter. Mean time-to-detection: 287 days.

Source · National CSIRT reports 2025

Majority of space incidents

Most serious space-sector incidents reported to national CSIRTs over the past year involved compromise of R&D credentials or access to build servers and CAD repositories.

TTPs observed · last 24 months

Real tactics against the aerospace sector.

MITRE ATT&CK mapping of techniques Fortgale has observed in real incidents and intelligence advisories against European aerospace targets. Detections written and validated on customer SOCs, not theory.

T1566.001 · APT28 · APT41

Spearphishing Attachment

Office macro documents signed with valid certificates (stolen from partners). Recurring themes: "AS9100 certification update", "Tier-1 supplier notification", "OEM quality audit". Targets: R&D engineers, procurement directors, security managers.

T1566 · APT28 · BEC

Business Email Compromise

Real supplier email accounts used to send substitute invoices with changed IBAN, payment orders, technical documents with payloads. Mean access persistence before detection: 23 days.

T1190 · APT28 · MuddyWater

Exploit Public-Facing Application

Exploitation of unpatched legacy SSL VPNs (Pulse Secure, Fortinet FortiOS, Citrix NetScaler) as initial access. Mean time observed from public CVE to exploitation against European aerospace targets: 9 days.

T1078.004 · Lazarus · IAB

Valid Accounts · Cloud

Microsoft 365 credentials of R&D personnel harvested by infostealers (RedLine, Lumma, Vidar) and resold on underground forums. MFA bypassed by replaying stolen session tokens and cookies rather than by re-authenticating.

T1199 · APT41 · Mustang Panda

Trusted Relationship · Supply Chain

Compromise of system integrators or software sub-suppliers with site-to-site VPNs to prime contractor systems. Mean persistence observed before detection: 187 days.

T1528 · APT29 · Cloud

OAuth Consent Phishing

Tricking R&D users into granting OAuth consent to malicious apps requesting Mail.Read, Files.Read.All and offline_access. Persistence via the app's refresh tokens: the consent grant is independent of the user's password, so a password reset alone does not remove it; the grant itself has to be revoked.

Operating domains

Six areas of the aerospace sector.

01 · Sector

Aerospace OEMs & primes

Main manufacturers: airframes, engines, avionics, commercial satellites, propulsion systems. Multi-site perimeters with shared build servers and CAD repositories.

02 · Sector

Aerospace sub-supply

Mechanical and electronic components, embedded software, quality certification (AS9100, EN 9100). SMEs with mixed IT/OT perimeters — the most exposed link of the supply chain.

03 · Sector

Commercial space

Civilian satellite operators, ground segment, commercial payloads, Earth Observation, satellite telecommunications, commercial launchers. NIS2 essential entities.

04 · Sector

MRO & technical services

Maintenance, repair, overhaul: mixed IT/OT environments with proprietary tooling, connected aircraft diagnostic access, airworthiness-certification ERP.

05 · Sector

Logistics & distribution

Aerospace supply chains: specialised transport, cleanroom warehousing, batch traceability, supply-chain quality certifications.

06 · Sector

R&D and research centres

Universities, consortia, civilian R&D laboratories with access to national and European programmes (Horizon Europe, ESA). Recurring targets for pre-patent IP theft.

FAQ · Aerospace sector

Frequent questions from the sector.

Which cyber regulations apply to the aerospace sector in Europe?

NIS2 includes the space sector among essential entities and critical manufacturing (covering much of the aerospace supply chain) among important entities. To these add contractual requirements from OEMs and prime contractors (e.g. ISO/IEC 27001, NIST CSF, IEC 62443 for OT), ECSS standards for commercial space missions, and GDPR for personal data. Fortgale produces a single mapping matrix.

Why do state-sponsored APTs target the aerospace sector?

Three reasons: (1) extremely high-value intellectual property (designs, patents, avionics code, CAD models, dual-use R&D data); (2) access to a layered supply chain with hundreds of interconnected sub-suppliers; (3) ability to pivot to less-defended suppliers to reach large OEMs. Documented groups: APT28 (Russia), APT41 (China), Lazarus (North Korea), MuddyWater (Iran).

How do you defend the aerospace supply chain against email attacks?

Email supply-chain attacks are the most exploited vector: Business Email Compromise (BEC) from a compromised real supplier account, substitute invoices, manipulated payment orders, payloads signed by trusted partners. Four measures: (1) DMARC/DKIM/SPF enforcement; (2) AI detection on linguistic anomalies and payment patterns; (3) proactive lookalike-domain monitoring; (4) MDR with a SOC correlating email anomalies with network events.
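The measures listed in this answer and in "Vector 1 · Email" above, sketched as working code. This is an added example, not Fortgale's detection stack: the supplier domains, DMARC TXT records, IBANs and messages are constructed, and the message fields `from`, `auth` (the Authentication-Results verdict) and `iban` (pulled from the invoice attachment) are assumed to come from an upstream mail parser.

```python
"""Supplier-email checks for the BEC patterns on this page.

Added example, not Fortgale tooling. Supplier domains, DMARC records, IBANs
and messages below are constructed; the message fields `from`, `auth` and
`iban` are assumed to be produced by an upstream mail parser.
"""
import re
from typing import Optional

# Character swaps typical of lookalike registrations (constructed subset).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    s = domain.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender: str, trusted: set) -> Optional[str]:
    """Return the trusted domain that `sender` imitates, or None.

    An exact trusted domain is never a lookalike: a compromised real
    supplier account passes this check by design (see the IBAN baseline).
    """
    if sender in trusted:
        return None
    for t in trusted:
        if normalize(sender) == normalize(t) or edit_distance(sender, t) <= 1:
            return t
    return None


def dmarc_policy(txt: str) -> str:
    """Classify a DMARC TXT record: 'enforcing', 'monitor-only' or 'missing'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1":
        return "missing"
    if tags.get("p") in ("reject", "quarantine") and tags.get("pct", "100") == "100":
        return "enforcing"
    return "monitor-only"


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check; catches mangled IBANs, not fraudulent ones."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def assess_supplier_email(msg: dict, trusted: set, iban_baseline: dict, dmarc_records: dict) -> list:
    """Return (code, detail) findings for one inbound supplier message."""
    findings = []
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    imitated = lookalike_domain(domain, trusted)
    if imitated:
        findings.append(("lookalike-domain", f"{domain} imitates {imitated}"))
    if domain in trusted:
        policy = dmarc_policy(dmarc_records.get(domain, ""))
        if policy != "enforcing":
            findings.append(("dmarc-not-enforced", f"{domain}: {policy}"))
        if "dmarc=pass" not in msg.get("auth", ""):
            findings.append(("dmarc-fail", msg.get("auth", "no Authentication-Results")))
    iban = msg.get("iban")
    if iban:
        norm = re.sub(r"\s+", "", iban).upper()
        if not iban_valid(norm):
            findings.append(("iban-invalid", norm))
        known = iban_baseline.get(domain)
        if known is not None and norm not in known:
            findings.append(("iban-changed", f"{norm} not in baseline for {domain}"))
    return findings


# Constructed data: two trusted suppliers, one with a payment baseline.
TRUSTED_SUPPLIERS = {"aerotech-parts.example", "avionix.example"}
IBAN_BASELINE = {"aerotech-parts.example": {"DE89370400440532013000"}}
DMARC_RECORDS = {
    "aerotech-parts.example": "v=DMARC1; p=reject; rua=mailto:dmarc@aerotech-parts.example",
    "avionix.example": "v=DMARC1; p=none; rua=mailto:dmarc@avionix.example",
}
SAMPLE_MESSAGES = [
    # 0: routine invoice from the real account, known IBAN
    {"from": "billing@aerotech-parts.example", "auth": "dmarc=pass", "iban": "DE89 3704 0044 0532 0130 00"},
    # 1: same real account, compromised: authentication passes, IBAN swapped
    {"from": "billing@aerotech-parts.example", "auth": "dmarc=pass", "iban": "GB82 WEST 1234 5698 7654 32"},
    # 2: lookalike registration (5 for s); no baseline exists for it
    {"from": "billing@aerotech-part5.example", "auth": "dmarc=none", "iban": "GB82WEST12345698765432"},
    # 3: trusted domain without enforcement, failed DMARC, mistyped IBAN
    {"from": "quality@avionix.example", "auth": "dmarc=fail", "iban": "DE89 3704 0044 0532 0130 01"},
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLE_MESSAGES):
        print(i, assess_supplier_email(m, TRUSTED_SUPPLIERS, IBAN_BASELINE, DMARC_RECORDS))
```

Message 1 is the case the page is about: the real supplier account, DMARC passing, nothing wrong with the sender. Only the payment baseline fires, which is why the IBAN check has to run on the invoice content and not on mail headers. Message 2 shows what lookalike monitoring does catch, and message 3 why a supplier whose DMARC policy is still p=none cannot be trusted on authentication results alone.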

What cyber risks arise from cloud interconnections with suppliers?

Cloud interconnections are the new supply-chain attack vector: (1) OAuth consent phishing on suppliers' Microsoft 365 tenants; (2) tenant-to-tenant trust abuse via Entra ID guest accounts; (3) API key compromise on SaaS integrations (ERP, CRM, PLM, MES); (4) attacks on shared SSO federation; (5) injection into federated CI/CD pipelines. Fortgale monitors cross-tenant access with UEBA and MITRE ATT&CK-mapped detection (T1199, T1078.004, T1528).
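The consent-grant monitoring named in this answer, in "Vector 2 · Cloud" and in the T1528 entry above, as an added example (not Fortgale's UEBA): each consent event is triaged by permission scope, consent type and publisher, and a burst check flags one app collecting grants from several users in a short window, the shape of a consent-phishing mail campaign rather than of someone installing a tool. The event records are constructed in a simplified flat shape; in a real tenant the same facts (app, scopes, consent type) sit inside the "Consent to application" entry of the Entra ID audit log, reachable through the Microsoft Graph `auditLogs/directoryAudits` endpoint, whose field layout is not reproduced here. The app IDs and users are made up.

```python
"""Triage of OAuth consent grants from Entra ID audit events.

Added example, not Fortgale's UEBA. Events are constructed in a simplified
flat shape; field names are this example's, not the audit log's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Delegated Graph scopes that expose mailbox or file contents.
DATA_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
               "Files.ReadWrite.All", "Sites.Read.All", "Contacts.Read"}
# offline_access yields a refresh token: the grant outlives the session.
PERSISTENCE_SCOPES = {"offline_access"}


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def consent_risk(event: dict, known_apps: set) -> tuple:
    """Return (level, reasons) for one consent event.

    high   : data access + refresh token, plus at least one trust gap
             (user consent, unverified publisher, app never seen before)
    medium : data access + refresh token from a trusted source, or data
             access without persistence from an unverified publisher
    low    : everything else (e.g. User.Read from a known app)
    """
    scopes = set(event["scope"].split())
    data = scopes & DATA_SCOPES
    persistent = bool(data) and bool(scopes & PERSISTENCE_SCOPES)
    gaps = []
    if not event["admin_consent"]:
        gaps.append("user consent, not admin-approved")
    if not event["publisher_verified"]:
        gaps.append("publisher not verified")
    if event["app_id"] not in known_apps:
        gaps.append("app never seen in tenant before")
    if persistent and gaps:
        return "high", [f"offline_access with {sorted(data)}"] + gaps
    if persistent or (data and not event["publisher_verified"]):
        return "medium", [f"data scopes {sorted(data)}"] + gaps
    return "low", gaps


def consent_campaigns(events: list, window=timedelta(hours=1), min_users=3) -> dict:
    """Apps that collected consents from >= min_users distinct users within `window`."""
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app_id"]].append((parse_ts(e["time"]), e["user"]))
    flagged = {}
    for app, grants in by_app.items():
        grants.sort()
        for i, (t0, _) in enumerate(grants):
            users = {u for t, u in grants[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[app] = len(users)
                break
    return flagged


def triage(events: list, known_apps: set) -> list:
    """Events annotated with their risk level, highest first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [dict(e, risk=consent_risk(e, known_apps)[0]) for e in events]
    return sorted(rows, key=lambda r: order[r["risk"]])


# Constructed data; app IDs are made-up GUIDs.
KNOWN_APPS = {"11111111-0000-4000-8000-000000000001", "11111111-0000-4000-8000-000000000002"}
PHISH_APP = "22222222-0000-4000-8000-00000000beef"
SAMPLE_EVENTS = [
    {"time": "2025-03-04T09:02:00Z", "user": "alice@oem.example", "app_id": "11111111-0000-4000-8000-000000000001",
     "app_name": "Expense Portal", "scope": "User.Read", "admin_consent": True, "publisher_verified": True},
    {"time": "2025-03-04T09:12:00Z", "user": "bob@oem.example", "app_id": PHISH_APP, "app_name": "Aerospace Docs Viewer",
     "scope": "Mail.Read Files.Read.All offline_access", "admin_consent": False, "publisher_verified": False},
    {"time": "2025-03-04T09:31:00Z", "user": "carol@oem.example", "app_id": PHISH_APP, "app_name": "Aerospace Docs Viewer",
     "scope": "Mail.Read Files.Read.All offline_access", "admin_consent": False, "publisher_verified": False},
    {"time": "2025-03-04T09:47:00Z", "user": "dave@oem.example", "app_id": PHISH_APP, "app_name": "Aerospace Docs Viewer",
     "scope": "Mail.Read Files.Read.All offline_access", "admin_consent": False, "publisher_verified": False},
    {"time": "2025-03-04T14:00:00Z", "user": "erin@oem.example", "app_id": "11111111-0000-4000-8000-000000000002",
     "app_name": "Tier-1 Supplier Portal", "scope": "Files.Read.All offline_access",
     "admin_consent": True, "publisher_verified": True},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, KNOWN_APPS):
        print(row["risk"], row["user"], row["app_name"])
    print("campaign apps:", consent_campaigns(SAMPLE_EVENTS))
```

The Tier-1 portal event is the reason the scoring separates "persistent data access" from "trust gaps": a partner integration legitimately needs Files.Read.All with offline_access, so the scopes alone are medium, and it is the user-consent, unverified, never-seen combination that makes the three Docs Viewer grants high. Once an app is confirmed malicious, the response is to delete its grant (Graph `DELETE /oauth2PermissionGrants/{id}`) and revoke the affected users' sessions (`POST /users/{id}/revokeSignInSessions`); resetting passwords alone leaves the grant in place.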

Are European aerospace-sector companies NIS2 entities?

Yes. The space sector is explicitly included among NIS2 essential entities. Many European aerospace companies also fall under the critical manufacturing classification (important). When multiple qualifications coexist, the strictest prevails. Fortgale supports NIS2 self-assessment and control mapping.

State-sponsored APTs · supply chain

Your adversary is not opportunistic.

When the target is the European aerospace supply chain, the attacker is structured, funded and patient — and often enters through a weak supply-chain link, not your direct perimeter. Request a threat briefing on the APT groups active against your sector and the supply-chain attack patterns observed via email and cloud.

Response time: < 1 business day.