Ransomware group Everest’s claims it breached Atlas Air and its supplier Tsunami Tsolutions show how modern ransomware attacks are exploiting supply chain complexity to create risk — even where breaches are unconfirmed.
By Kate O’Flaherty
In February, the Everest ransomware group claimed to have siphoned 1.2TB of data from cargo airline Atlas Air. The claims posted on a dark web forum by the ransomware cartel were backed by screenshots of the allegedly stolen information, including technical Boeing aircraft data.
Days later, the hackers claimed they had also compromised US-based aerospace engineering support and information solutions provider Tsunami Tsolutions, referencing a smaller dataset in what appeared to be a coordinated supply chain attack.
Atlas Air denied the breach and Tsunami Tsolutions did not respond to Everest’s claims, but the incidents show how modern ransomware attacks are exploiting supply chain complexity and ambiguity to create risk — even where breaches are unconfirmed.
How can organisations strengthen resilience and defensibility in the face of uncertain, fast-moving threat scenarios that extend beyond their direct control?
Screenshot Issues
Everest claimed it had evidence of the Atlas Air breach, but the documents it produced could have easily been faked. Rather than releasing full data samples, the group posted screenshots of what it described as maintenance and repair documents, logistics records and parts catalogues. Screenshot-only claims sit in a deliberately ambiguous zone, says Sergiu Zaharia, PhD, CISO at Pentest-Tools.com. “But that ambiguity is the point,” he tells IO. “Everest doesn’t need to prove the breach definitively to generate pressure. It just wants to create enough doubt that the reputational and contractual risk of inaction outweighs the cost of engagement. That’s a well-established extortion mechanic.”
Researchers noted anomalies in the screenshots, including a reference to Malaysia Airlines that did not appear to have a direct relationship with Atlas Air. When Everest later claimed the attack against Tsunami Tsolutions, the screenshots showed similar types of information.
This raises legitimate questions about whether the data originated from Atlas Air’s systems at all, or from a supplier. The data could even have come from a shared platform, or “an unrelated source that the group bundled into a single claim for maximum leverage”, Zaharia suggests.
The credibility question is therefore less binary than it appears, says Zaharia. “The screenshots may not prove a breach of Atlas Air’s core systems. But they almost certainly prove that someone, somewhere in the supply chain, had documents of this type accessible in a way that allowed exfiltration.”
The claims involving Atlas Air and the Everest ransomware group illustrate a recurring pattern in modern cyber extortion: threat actors publish screenshots and bold statements, while the targeted organisation denies compromise, says Tracey Hannan-Jones, information security consulting director, UBDS Digital.
In highly interconnected sectors such as aerospace and air cargo, the downstream impact of these “unproven” incidents can still be significant, she says.
Verifiable leaks typically provide stronger signals. These include file trees, sample archives, hashes, timestamps, unique internal identifiers, or independent confirmation from affected third parties, says Hannan-Jones. Screenshots “rarely provide enough to validate provenance” without the victim’s internal telemetry, she says.
Real-World Risk
So, while there is no definitive proof that a breach took place, the claims still create real-world risks.
Denial of a breach doesn’t eliminate risk; it just changes its nature, says Dana Simberkoff, chief risk, privacy and information security officer at AvePoint. “Once a credible threat actor makes a public claim, organisations face operational, regulatory and reputational consequences — regardless of whether it is substantiated.”
Denial is not the same as assurance, adds Rob Demain, CEO of e2e-assure. “Atlas Air’s statement that its systems were not compromised addresses only its own environment,” he points out. “It does not confirm or refute whether data associated with the organisation may exist elsewhere in the supply chain.”
This is the core supply chain problem, he says. “An organisation can assert control over its own systems, but not necessarily over the systems of suppliers who may store, process or access its data.”
Supply Chain Complexity
With interconnected data environments across operators, manufacturers and engineering partners, the aerospace sector provides a clear example of how third-party risk can propagate across an ecosystem.
Aerospace is one of the most instructive sectors for this problem because its supply chain complexity is “structural and unavoidable”, according to Zaharia. “A single aircraft programme involves thousands of suppliers across dozens of countries, connected through maintenance management systems, parts databases, logistics platforms and technical documentation repositories built for operational efficiency, not security. Many of those connections carry implicit trust that has never been explicitly validated.”
The resulting issue is supply chain opacity, according to Stew Parkin, CTO at Assured Data Protection. “Traditional third-party risk management — questionnaires, annual reviews, contractual assurances — simply isn’t built for highly interconnected ecosystems with multiple dependency layers and shared platforms.”
When something like the Atlas incident happens, organisations then run into the problem of proving a negative. “You can’t easily demonstrate that data wasn’t accessed, especially if exposure may have occurred via a partner,” says Parkin. “That gap between what’s known internally and what can be confidently communicated externally is where risk escalates fastest.”
Evolving Regulatory Expectations
The issue is set against a backdrop of increasing regulatory scrutiny around supply chain security, resilience and accountability. Network and Information Systems 2 (NIS2), the Digital Operational Resilience Act (DORA) and the emerging wave of critical infrastructure regulations across the EU are pushing accountability for supply chain security from the supplier up to the operator.
“Under NIS2, essential and important entities bear responsibility for managing cybersecurity risks in their supply chains, not just their own system,” says Pentest-Tools.com’s Zaharia. “That’s a meaningful shift from frameworks that treated supply chain security as a best practice to one that treats it as a compliance obligation with enforcement consequences.”
As accountability extends beyond an organisation’s own perimeter, firms also need to prove they have effective measures in place. “Expectations are shifting from ‘show me the policy’ to ‘show me how risk is identified, monitored and managed continuously’,” AvePoint’s Simberkoff says.
This places pressure on organisations to demonstrate a working model and examples of governance, decision making and response actions — particularly when incidents involve third parties or ambiguous breach scenarios.
Practical Steps
The supply chain threat is real, even when claims are unproven. To counter this issue, experts recommend that organisations move beyond static supplier assurance models toward continuous, system-based oversight that provides visibility across data flows, dependencies and incident response.
In practical terms, this means focusing on visibility and integration rather than isolated controls, according to Simberkoff. She recommends mapping data flows, understanding where sensitive information resides and aligning suppliers to shared security and response expectations.
In the Atlas Air context, understanding which external parties had legitimate access to Boeing maintenance documentation and through which systems would be “the starting point for any meaningful response to the Everest claim”, says Zaharia.
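The two practical points above, that verifiable leak signals are hashes, file trees and unique identifiers rather than screenshots, and that the first response step is knowing which external parties had access to which documentation through which systems, can be turned into a simple triage routine. The following is an added example, not code from the article or from any organisation it names; the internal document inventory, the hosting systems, the supplier names and the claimed leak listing are all constructed placeholders, and the verdict labels are this example's own convention.

```python
"""Triage of an unverified leak claim against an internal document manifest.

Added example, not code from the article or from any organisation named in it.
Everything here is constructed: the internal documents, the systems that host
them, the suppliers with access and the claimed leak listing are placeholders.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ManifestEntry:
    path: str
    sha256: str
    system: str                  # platform that hosts the document
    suppliers: tuple[str, ...]   # third parties with legitimate access to it


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed internal inventory: (path, content, hosting system, suppliers).
INTERNAL_DOCS = [
    ("mro/747-400F/task-card-0417.pdf", b"placeholder task card 0417",
     "MRO platform", ("SupplierA", "SupplierB")),
    ("parts/catalogue-2024Q4.xlsx", b"placeholder parts catalogue",
     "Parts database", ("SupplierB",)),
    ("logistics/manifest-20240113.csv", b"placeholder shipment manifest",
     "Logistics portal", ("SupplierC",)),
]

# Constructed claim listing, the kind of file tree an extortion post might
# carry. A screenshot-only item has no hash, so it cannot be matched on content.
CLAIMED_ITEMS = [
    {"path": "mro/747-400F/task-card-0417.pdf",
     "sha256": sha256_hex(b"placeholder task card 0417")},
    {"path": "parts/catalogue-2024Q4.xlsx",
     "sha256": sha256_hex(b"a different version of the catalogue")},
    {"path": "ops/other-airline-schedule.pdf", "sha256": None},
    {"path": "ops/never-seen-internally.docx",
     "sha256": sha256_hex(b"content the manifest has never indexed")},
]


def build_manifest(docs=INTERNAL_DOCS) -> dict[str, ManifestEntry]:
    """Index internal documents by content hash so a claimed hash is an O(1) lookup."""
    manifest: dict[str, ManifestEntry] = {}
    for path, content, system, suppliers in docs:
        entry = ManifestEntry(path, sha256_hex(content), system, suppliers)
        manifest[entry.sha256] = entry
    return manifest


def classify_item(item: dict, by_hash: dict, by_path: dict) -> str:
    """Verdicts, strongest signal first:
    matches-internal: content hash equals a document we hold.
    path-only: the name exists internally but the content differs; could be an
               older version, an altered copy or a fabrication, so check history.
    unverifiable: no hash offered (screenshot only); provenance cannot be shown.
    unknown: neither hash nor path is ours; may be a supplier's data or invented.
    """
    digest: Optional[str] = item.get("sha256")
    if digest is None:
        return "unverifiable"
    if digest in by_hash:
        return "matches-internal"
    if item["path"] in by_path:
        return "path-only"
    return "unknown"


def triage_claim(claimed: list, manifest: dict) -> dict:
    """Classify each claimed item and collect the systems and suppliers to
    examine first: who had access to the matched documents, via which system."""
    by_path = {e.path: e for e in manifest.values()}
    report = {"items": [], "counts": {}, "systems": set(), "suppliers": set()}
    for item in claimed:
        verdict = classify_item(item, manifest, by_path)
        record = {"path": item["path"], "verdict": verdict}
        # A hash match gives the exact entry; a path-only match gives a lead.
        entry = manifest.get(item.get("sha256")) or by_path.get(item["path"])
        if verdict in ("matches-internal", "path-only") and entry:
            record["system"] = entry.system
            record["suppliers"] = entry.suppliers
            report["systems"].add(entry.system)
            report["suppliers"].update(entry.suppliers)
        report["items"].append(record)
        report["counts"][verdict] = report["counts"].get(verdict, 0) + 1
    return report


if __name__ == "__main__":
    result = triage_claim(CLAIMED_ITEMS, build_manifest())
    for rec in result["items"]:
        print(rec)
    print("systems to review:", sorted(result["systems"]))
    print("suppliers to contact:", sorted(result["suppliers"]))
```

Run as a script it prints one record per claimed item plus the systems and suppliers that the hash and path matches point to. The design choice worth noting is the split between "matches-internal" and "path-only": only a content hash match says the data we hold is the data being advertised, whereas a familiar file name with a different hash is a lead to check against version history, and a screenshot with no hash at all stays "unverifiable", which is exactly the ambiguity the article describes.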
It’s also key to validate your incident response plan against a supply chain compromise scenario specifically, Zaharia adds. “Most organisations have plans for breaches of their own systems. Far fewer have tested their response to a scenario where the breach is at a supplier, and the data in question may or may not be theirs, and the forensic evidence is incomplete.”
Integrated, framework-aligned management systems, such as those built around ISO 27001, also help. They provide a “common language and structure for managing risk across complex ecosystems”, according to Simberkoff. “Standards like ISO 27001 aren’t about compliance for its own sake. They allow teams to operationalise and enable continuous visibility, assurance, and accountability.”
This provides a demonstrable process to be able to say what you do, and prove it, she says. “In environments where supply chain risk is unavoidable, these frameworks help organisations move from reactive assurance to proactive governance, which is essential when dealing with ambiguity, third party claims and evolving threat models.”
Expand Your Knowledge
Blog: Pay the Ransom or Not? Government Considerations on Paying a Way Out of Cybercrime
Blog: Supply Chains Are Complex, Opaque and Insecure: Regulators Are Demanding Better
Podcast: Phishing for Trouble Episode #09: What Not to Do in a Disaster