The commercial space industry has seen targeting from a myriad of cyber threat actors in recent years, ranging from relatively low-threat hacktivists to rogue cyber threat groups looking to steal critical information and build a reputation on the dark web. The most sophisticated among them are known as nation-state actors: hackers funded by state governments to conduct targeted, malicious cyber campaigns that often serve intelligence and military objectives.
What sets state-sponsored threat actors apart from other hackers is that they tend to participate in extortion activities for purposes of espionage and information stealing. This often translates to the targeting of critical infrastructure and, more recently, space technology. Threat actors with the “nation-state” designation are funded by foreign governments, and that funding enables sophisticated capabilities, techniques, and additional protections for criminal activity. Prominent nation-state cyber activity has historically originated from U.S. adversaries China, Russia, Iran, and North Korea.
One of the most active nation-state actors, tracked as RedHotel (formerly TAG-22), is the latest cyber threat group reported to target the space industry. In a recent report published by Recorded Future, researchers detailed RedHotel's activity between 2021 and 2023, which involved campaigns targeting at least 17 countries across Asia, Europe, and North America and impacted a slew of critical sectors, including academia, government, telecommunications, and aerospace.
RedHotel specializes in targeting internet-facing assets and virtual technologies, supported by a multi-layered infrastructure designed for malware command and control, exploitation, and reconnaissance. RedHotel is reported to possess a large number of virtual private servers (VPS), indicating that its primary methodology involves long-term network access enabled by command and control servers. Persistent access and extensive knowledge of proprietary networks are critical components of conducting successful cyberattacks on satellite networks. RedHotel has purportedly exploited public-facing applications to establish initial access in victim networks, a technique that can also be leveraged against VSAT technology such as modems, satellite terminals, and ground stations. The group demonstrates strong persistence in pursuit of its adversarial objectives, employing a mix of offensive security tools, shared capabilities, and well-tailored approaches. As such, RedHotel is assessed by multiple security firms as one of the most prominent cyber espionage threat groups.
As is the case for most major sectors, nation-state actors pose the greatest threat of persistent, targeted cyber activity. This is especially true for the aerospace and commercial space industries, where nation-states looking to establish space dominance will leverage malicious cyber campaigns intent on exfiltrating proprietary information, denying critical capabilities, and establishing a competitive edge in the commercial space arena. A recent bulletin published by U.S. intelligence agencies warns that state-sponsored cyber threat actors “recognize the importance of the commercial space industry to the U.S. economy and national security, including the growing dependence of critical infrastructure on space-based assets.” Recent activity from RedHotel underscores the prevalence of sophisticated cyber activity and the potential for state-sponsored actors to target the space industry.
Read more from Space ISAC.