The first attack was on 7 March and the second in May, according to indications on the Maze website. Both attacks were on the systems of VT San Antonio Aerospace, which is based in Texas.
ST Engineering is based in Singapore and had 23,000 employees in 2016, according to Wikipedia. The company's revenue in 2019 was S$7.86 billion (A$8.08 billion). Its major owner is Temasek Holdings, which holds a 50.15% stake.
The company's website says it has undertaken more than 700 smart city projects in 130 cities. It claims to have carried out projects in the defence, government and commercial segments in more than 100 countries.
About 1.5 terabytes of data are claimed to have been exfiltrated from ST Engineering by the Maze attackers.
In one leaked document obtained after the first attack, which iTWire has seen, the IT manager for the Texas firm, Michael Daly, has listed the systems and data attacked at the company.
The document says the Maze ransomware infected a number of systems at about 6am on the morning of 8 March.
Daly wrote that the next three days were spent inspecting systems and completing data recovery.
"As the infection happened over a weekend, no significant data loss was identified. All systems were fully recovered," he wrote.
The attack was not detected by either McAfee software or Windows Defender. "The only indication that a platform was affected is renamed files and associated 'DECRYPT-FILES.txt' located in the same folder as encrypted files," Daly wrote.
Contacted for comment on Saturday, Ed Onwe, vice-president/general manager of VT San Antonio Aerospace, said: "VT San Antonio Aerospace discovered that a sophisticated group of cyber criminals, known as the Maze group, gained unauthorised access to our network and deployed a ransomware attack.
"At this point, our ongoing investigation indicates that the threat has been contained and we believe it to be isolated to a limited number of ST Engineering's US commercial operations. Currently, our business continues to be operational.
"Upon discovering the incident, the company took immediate action, including disconnecting certain systems from the network, retaining leading third-party forensic advisors to help investigate, and notifying appropriate law enforcement authorities.
"As part of this process, we are conducting a rigorous review of the incident and our systems to ensure that the data we are entrusted with remains safe and secure. This includes deploying advanced tools to remediate the intrusion and to restore systems. We are also taking steps to further strengthen the company's overall cyber security architecture.
"Trust between our company and all of our stakeholders — including our employees, customers and business partners — is core to our culture and business values. We are committed to responding to this incident transparently and proactively, and already have begun notifying potentially affected customers. We will be working with our customers and industry peers to share insights and any lessons learned so that they can learn from our experience."