On 21 March 2024, researchers from the Palo Alto Networks Threat Intelligence Team released a report on a campaign targeting job applicants in the aerospace and defense sectors. The campaign is attributed to Curious Serpens, a threat group that has been active since 2013. This specific campaign targeted aerospace and energy sector entities in the United States, the Middle East and Europe from 2022 – 2023.

While this campaign may seem like an isolated example, Curious Serpens’ actions underscore an emerging trend in the cyber threat landscape for space. These campaigns demonstrate the increased scope of state-backed threat groups that engage in intelligence collection, information stealing and commercial espionage. Through an analysis of this campaign, correlated with similar activity, we can gain insight into the evolving tactics and motivations of threat actors in the space sector, highlighting the need for enhanced cybersecurity measures to protect critical resources and sensitive information.

The most recent Curious Serpens campaign focused on the deployment of a custom backdoor called “FalseFont.” According to the report, Curious Serpens actors have conducted a series of job recruitment scams, luring victims to a fake job portal to trick users into entering valid credentials and then installing the backdoor. FalseFont is a sophisticated strain of malware used as a remote access and data exfiltration tool: it connects to the attacker’s command and control (C2) server to receive and execute commands, download and upload files, query file system information and harvest credentials. Additional analysis from Nextron Systems assesses that threat actors are likely using this tool to extract U.S. defense or intelligence-related documents, based on how the malware impersonates legitimate job application software.

The FalseFont campaign underscores both the sophistication of espionage-focused threat groups and the prevalence of job recruiting scams to collect information. This threat actor has previously targeted space industry organizations under the alias Peach Sandstorm via a widespread password spraying campaign observed from February to September 2023. The campaign targeted various organizations in the satellite, defense and pharmaceutical sectors on a global scale. Reporting from Microsoft Security threat intelligence assessed the activity as an initial access campaign, with the goal of “intelligence collection in support of Iranian state interests.”

Analysts note the similarities between the FalseFont campaign and previously observed espionage activity targeting space and related sectors. Over the last year, there have been several espionage-focused campaigns targeting space industry organizations. While the full impact of this threat activity is not fully known, we can assess with moderate confidence that these campaigns succeeded in compromising these organizations, based on the intrusion detections and data provided, such as malware hashes and indicators of compromise. Specific examples of this activity include a threat actor tracked as AeroBlade, which targeted an aerospace organization in a multi-phased espionage operation from September 2022 – July 2023; RedHotel, which targeted the aerospace industry at a global scale between 2021 and 2023; and UNC1549, a campaign that leveraged fake job websites to deploy custom backdoors targeting aerospace and defense entities.

Each of these campaigns shares commonalities in both motive and execution, with the goal of exfiltrating sensitive information. Additional correlations can be drawn from the tactics, techniques and procedures of these threat groupings focused on gaining initial access through spear phishing, deploying custom malware and backdoors and exfiltrating data over C2 channels. Through this analysis, it is evident that the targeting of space industry organizations has intensified over the past year, with threat actors employing sophisticated tactics to infiltrate and compromise their targets. This trend highlights the evolving nature of cyber threats in the space sector and underscores the need for proactive security measures to mitigate the risk of espionage and data breaches.

This type of activity has become increasingly prevalent in the space threat landscape and remains a top priority for U.S. intelligence agencies. In a report published in 2023 by the National Counterintelligence and Security Center (NCSC), officials warned that foreign intelligence entities (FIEs) recognize the value that commercial space brings to the U.S. economy and national security, and that threat actors may target space organizations to acquire “vital technologies and expertise.” The impacts identified in that report are underscored by recently observed espionage activity, which illustrates one of the more common ways that space organizations may be targeted. Additional findings reveal that many of these campaigns target employees of these organizations, as seen in the UNC1549 and Curious Serpens campaigns. This type of corporate espionage activity is often intended to facilitate IP theft or technology exchange, where threat actors take advantage of job-seeking individuals and seemingly legitimate corporate technology to exfiltrate sensitive data.

The targeting of job applicants and the use of fake job portals underscore the evolving tactics of these threat actors, posing a significant challenge to the cybersecurity of space organizations. These findings emphasize the urgent need for enhanced security measures and collaboration among industry stakeholders and intelligence agencies to protect critical infrastructure and sensitive information in the space sector.