
How to protect valuable aviation and aerospace IP and R&D

  • Writer: ESET Expert
  • 11 minutes ago


You can’t soar when your secrets are leaking below.


When the United States initiated the Advanced Technology Bomber program, better known as the B-2 Spirit, in the 1970s, the fast track to a cutting-edge stealth bomber traced back to the fact that the Northrop Corporation already had experience, as far back as 1942¹, with mature flying-wing designs, which enabled the necessary low radar signature. Those prototypes, the Northrop XB-35 and YB-35B, were clearly reflected in the concept for the now famous B-2 Spirit and its successor, the B-21 Raider.


That B-2 Spirit? While security was obviously tight, the B-2 program never faced the modern cyber threat landscape; if it had, the single unit cost of $2.13 billion back in the 1990s, including development and engineering, would have had to absorb significant cybersecurity costs too. Now, however, in an age where military secrets have leaked on public forums, even top-flight security can fall short. So perhaps the B-2’s 33-year genesis was lucky to conclude before widespread digitalization hit R&D.


Key points of this article:


  • Aviation and aerospace research and development (R&D) is quite expensive, with only a few companies having the resources (HR, talent, suppliers, etc.) to realize their plans.


  • The sector is also made more valuable due to its overlap with national interests, with governments acting as benefactors and enablers of progress in the name of strategic opportunity.


  • Cybersecurity must be top-notch; however, high-profile security incidents at leading aviation companies suggest even the strongest security measures can falter due to negligence, human factors, use of legacy systems, and misconfigured or missing security layers.


  • As a result, the exposure of sensitive data to cybercriminals can cause project delays, budget woes, a loss of trust, reputation damage, stock devaluation, cancelation and more.


  • To prevent such cases, protection should be commensurate with the value of the IP protected, placing security not as an afterthought, but as a business priority.



A story of strategic interest


The advantage of having domestic companies at the forefront of technological development is incalculable. The U.S. government, especially its military, is known for in-depth and often exclusive cooperation with private companies to extend hard capabilities, helping iterate designs years ahead of what’s known by the public. At the same time, it’s a quid pro quo relationship, with aviation and aerospace companies accessing brain power and some R&D costs offset by government investment.


Behind all the nondisclosure agreements and red tape lies the fact that it's in the best interests of countries with world-beating aviation and aerospace industries to keep ahead. The same is true of China’s, Russia’s or even Iran’s aviation, aerospace and government community. However, breakthroughs are expensive, and so is the infrastructure that supports them. There’s a bit of a loophole here though — what you can’t create wholly at home is best stolen in the name of national interest. Isn’t copying the highest form of flattery?



To the danger zone

The sector has seen several security incidents in recent memory; 2021 saw the breach of Bombardier, a well-known Canadian aerospace manufacturer, with the Cl0p ransomware gang exploiting a vulnerability in their file-transfer app to steal data — from purposely isolated servers, no less.


Is network segmentation², thus, failure-prone? It depends. In 2024, ESET Research discovered that the GoldenJackal APT group had been using a custom toolset to target air-gapped systems and steal confidential information from high-profile machines. This is important for two reasons:


  1. It confirms that not even air-gapping might be enough, with network segmentation failing to deliver on its promise.


  2. Breaching air-gapped networks is resource-intensive; therefore, the fact that GoldenJackal developed a sophisticated espionage and sabotage toolset in as little as five years doesn’t bode well for companies with valuable R&D and IP.


In a high-profile case from January 2025, the Japanese Aerospace Exploration Agency (JAXA) was breached through its vulnerable VPN by MirrorFace, an APT closely followed by ESET Research. The attackers reportedly stole documents on JAXA’s Martian moon (MMX) and manned lunar exploration plans, including sensitive files shared with it by other partners, like NASA.


More money, more problems


But the end goal doesn’t necessarily need to be IP. As experienced by Boeing, one of the world’s premier defense and aerospace companies, monetary motivation for crime is enough. In 2023, a large amount of Boeing’s sensitive information was leaked by the LockBit gang following a ransomware attack demanding a $200 million ransom. 



Even the largest companies can have hidden security gaps. The Safran Group, a top aviation manufacturing company from France, had its systems leak sensitive data due to a misconfiguration. This left the company vulnerable over a long period of time, which is rather dangerous for a business that supplies the sector’s giants like Airbus or national aerospace organizations.



Strictly personal


IP is still largely developed by our feeble human intellects. While that is bound to evolve with ever-increased AI assistance in the sector, human-led innovation is mostly vulnerable because of humans. A powerful example is a high-profile phishing campaign by the Lazarus group (aka HIDDEN COBRA) against a Spanish aerospace company in 2023, in which the attackers contacted employees of the targeted company via a fake recruiter on LinkedIn.


Employees were tricked into opening a malicious executable presenting itself as a coding challenge or quiz. Among the four execution chains, the attack delivered three types of payloads via DLL side-loading. The most notable payload included the LightlessCan backdoor, which introduced techniques to hinder detection by real-time security monitoring software and analysis by cybersecurity professionals. These campaigns are also likely to be scaled and accelerated with the assistance of AI.


Implications for the UAV industry in Europe?


The UAV sector is rapidly becoming a strategic priority across Europe, with governments investing heavily in drone technology and fostering partnerships with many Ukrainian manufacturers. Numerous start-ups and scale-ups are emerging to develop platforms, software and critical components — also making them attractive targets for state-sponsored cyberespionage. 


ESET’s latest findings show that Lazarus, a North Korea-aligned group, is actively targeting companies involved in UAV development, likely aiming to steal proprietary designs and manufacturing know-how. This underscores the urgent need for robust cybersecurity measures to protect intellectual property in this high-growth, high-risk sector.



Through the fire


The ramifications of a successful breach attempt vary, depending on the victim. For a manufacturer in aviation or aerospace and their supply chain, the most immediate dangers are:


  1. Disruptions: Cyberattacks can halt production, disrupt supply chains and raise budget costs due to recovery expenditures.


  2. Competitive loss: Leaked trade secrets may let rivals bypass costly R&D, undermining market leadership.


  3. Reputation hit: Breaches erode trust — leaked designs or processes can drive away current and future partners.


  4. Stock valuation: Attacks can lower share prices as well as shareholder confidence, as investors seek secure, stable returns.


  5. Vulnerabilities: Stolen proprietary code or trade secrets, especially in aviation systems, could expose critical zero-day risks that in the future could turn manufacturer incidents into operational incidents.



Mighty wings: Preventing disasters


There’s no easy way to say this — aircraft and aerospace IP and R&D security must be commensurate with the value represented by one’s cutting-edge designs. However, when even advanced measures like network segmentation fall short, where can the sector turn?



Audit and plan ahead


For the sector’s complex supply chains and deeply involved research partnerships, awareness of the state of a connected party’s security affairs is key. Always verify third-party risk exposure (vulnerabilities, attack surface size, their own suppliers’ risk envelopes, etc.) and establish a far-reaching security strategy with accountability for the CISO or other respective security managers.



Layered security


The building blocks of aviation IP and R&D security start with the endpoints on which the concepts and designs are saved. Further layers add to endpoint security: detection and response for fast incident resolution, vulnerability and patch management to address security holes, and threat intelligence to empower security analysts with the right view of their firm’s APT group-infested threat surface.



Managed Detection and Response (MDR)


For businesses that sit in supply chains, especially in sensitive areas like aviation and aerospace or in the red-hot UAV and drone sub-sector, achieving immediate security improvement can pay big dividends. SMB clients can have confidence in your security posture and compliance status if you’ve retained a reputable MDR service, and your security teams can also benefit from further input concerning your security environment.


Insights gained here may lead to positive use cases for custom deployment and upgrades, premium support, or even customized solutions based on the types of threats and mitigation your business faces in this arena.



Identity and access management


Limit access to sensitive projects using role-based access controls and monitor insider threats with behavioral analytics, enabled by Extended Detection and Response (XDR) tools, for example. Moreover, use only secure collaboration platforms with external partners, or try to have them secured with cloud app protection.



Awareness


A great way to prevent security incidents is to educate the workforce on what not to do when they see a suspicious email in their mailbox, for example. This can prevent as much as 60% of breaches, taking care of the human factor proactively.


To infinity and beyond


There’s also something to be said for proprietary corporate solutions that are designed with a specific business environment in mind. ESET Corporate Solutions are here to help devise security tailored to one’s scope, size and assets in need of protection, even complicated air-gapped systems.



Won’t get fooled again


All in all, for aviation and aerospace, security should be positioned as mission critical, occupying equal billing with innovation programs, recruiting and retaining talent, and securing contract awards. It cannot be seen as a post-incident expense, but rather as a major part of the business’ strategy. To take flight or break orbit, the cost of innovation is high, but the cost of neglecting cybersecurity is even higher, as exemplified by the cases mentioned in this blog. Thus, protecting IP and research isn’t optional; it’s mission critical.

 
 
 
