Overview
On 28 February 2025, analysts identified reports that an advanced persistent threat (APT) group tracked as APT41 (aka Winnti) has been conducting a cyber espionage campaign targeting manufacturing companies worldwide. The activity was reported by Check Point researchers, who observed the group exploiting a virtual private network (VPN) vulnerability in Check Point security gateways to gain initial access to the networks of dozens of operational technology (OT) organizations. According to additional reporting from Dark Reading, the aerospace and aviation supply chains, which are critical to commercial space infrastructure, were among the key targets of this campaign.
Attack Pattern
APT41’s attacks leveraged a Check Point VPN vulnerability to infiltrate OT networks. Once inside, the group deployed the Winnti malware, which incorporates a unique rootkit to conceal its communications and uses stolen legitimate digital certificates to bypass security controls. APT41’s tactics were consistent with those observed in past campaigns, focusing on small and mid-sized OT organizations that often lack the cybersecurity resources of larger enterprises.
After establishing access, the attackers moved laterally across networks, escalating their privileges to gain access to domain controllers and other critical systems. A key element of their strategy involved deploying the modular ShadowPad backdoor, a well-known tool in Chinese cyber espionage operations. ShadowPad provided persistent remote access, enabling the exfiltration of sensitive aerospace and aviation manufacturing data.
Threats Targeting OT Organizations
On 20 February 2025, researchers at Trend Micro reported on a campaign with similar targets and tooling. Researchers noted that ShadowPad was also linked to ransomware deployments in manufacturing and OT environments, against targets similar to those observed by Check Point. Notably, this activity aligns with Check Point’s findings on APT41’s exploitation of VPN vulnerabilities, suggesting a potential convergence between cyber espionage and financially motivated cybercrime. This overlap points to a strategic pivot among China-sponsored threat clusters, in which traditional intelligence-gathering operations are being supplemented by ransomware-based extortion schemes.
While Chinese APT groups have historically focused on long-term intelligence collection, the introduction of ransomware into their toolkit signifies an evolution in their tactics. ShadowPad, previously used exclusively for espionage, is now being leveraged to deploy the NailaoLocker ransomware, indicating a dual-purpose approach. This method allows attackers to extract sensitive intellectual property while simultaneously disrupting operations through financial extortion, increasing the overall impact on victims.
Significance to the Space Sector
Operational technology (OT) organizations play a foundational role in the aerospace and aviation supply chains, supporting manufacturing, logistics, and infrastructure operations essential to space systems. Many aerospace companies rely on OT environments to oversee critical manufacturing processes, including the production of satellite components, propulsion systems and avionics. The impact of these attacks on aerospace suppliers demonstrates the growing risk to commercial space operations, as the compromise of these organizations could disrupt supply chains and provide a downstream access vector into aerospace organizations.
Conclusion
The cyber campaign led by APT41 underscores the growing intersection of espionage and cybercrime within the OT sector, particularly in industries critical to space exploration and defense. The exploitation of VPN vulnerabilities and deployment of ShadowPad malware reveal a calculated strategy to infiltrate supply chains, steal intellectual property and leverage ransomware for financial gain.
To mitigate these risks, organizations within the aerospace and commercial space industries must prioritize cybersecurity measures, including timely patching of vulnerabilities, strong access controls and greater awareness of supply chain risks. As threat actors continue to evolve their tactics, a proactive and coordinated cybersecurity approach will be essential to safeguarding the future of space operations and critical infrastructure.