As the commercial space sector prepares for continued growth internationally, 2024 has been marked by increasing threats to the resiliency of global space infrastructure. Space systems have been subject to a variety of cyber and non-cyber threats in 2024 so far, as the number of spacefaring nations continues to increase, with a host of nation states intent on space superiority. Consistent with historical trends, critical infrastructure continues to be a focal point of cyber threat campaigns, which includes space and related sectors such as defense, manufacturing, and telecommunications.
Space ISAC’s Watch Center informs industry members and government partners of threat activity and works with our community and team of analysts to build unique insights to better the security and resiliency of our global space assets. Our 2024 Threat Assessment seeks to examine some of the most significant factors influencing the current and evolving threat environment for space.
Increased Threat Activity to Space Industry and Related Organizations:
Cyber activity targeting space organizations showed a significant increase in 2024, continuing trends observed in 2023. This activity is highlighted by multiple sophisticated campaigns focused on cyber espionage, alongside a bulk of attacks conducted by ransomware and hacktivist organizations.
In March of this year, researchers from Palo Alto Networks identified a campaign targeting job seekers in the aerospace and defense sectors. The campaign was attributed to a sophisticated actor, dubbed “Curious Serpens” by researchers, and focused on intelligence collection via a series of phishing lures aimed at space industry professionals. On July 25, multiple government agencies released a report on North Korean advanced persistent threats (APTs) targeting multiple critical sectors, including aerospace and defense. Additional reporting from Microsoft showed that a threat group tracked as Onyx Sleet used commercial off-the-shelf tools to compromise multiple aerospace and defense organizations over the last year. Overall, state-sponsored cyber threat groups demonstrate a specific focus on high-value targets in the aerospace and defense sectors and represent the most significant threat to the commercial space industry.
Other recorded attacks were assessed as either extortion-based, to include ransomware, or disruptive, to include denial of service (DoS) attacks. Reported attacks of this type targeted manufacturing organizations and/or solutions providers that serve aerospace and defense industries, raising concerns about potential supply chain vulnerabilities. Analysts also note the increasing volume of data leaks and breaches involving defense and aerospace companies, which indicates that threat actors are pursuing double extortion techniques, where they look to sell or leak sensitive data that may include valid credentials, proprietary information, configuration logs, etc.
The commercial space industry continues to face a robust threat environment with a diverse set of threat actors, including ransomware groups such as Play, LockBit 3.0, and Medusa; hacktivist organizations such as CyberArmy and NoName057(16); and state-sponsored actors such as Curious Serpens and Onyx Sleet.
Referenced Threat Briefings:
See Threat Briefing 17 for more information on Telecommunication Cyberattacks
See Threat Briefing 24 for more information on Onyx Sleet (aka Andariel)
See Threat Briefing 25 for more information on Cyber Espionage Campaigns
Evolution of Cyber Threat Actor Tactics, Techniques, and Procedures:
Threat actors continue to adapt their tactics, techniques, and procedures (TTPs) with a focus on maintaining persistence and avoiding detection in compromised networks. This trend is evidenced by the variety of initial access vectors in use and the increased sophistication of malware payloads.
Reporting derived from BlackBerry’s Global Threat Intelligence Report uncovered a 27% increase in attacks using unique malware compared to the previous reporting period. Examples from 2024 include FalseFont, which is an advanced backdoor that was used to target aerospace organizations, and the discovery of a new wiper malware strain called AcidPour, an evolution of the AcidRain malware which was used to target modems at the onset of the Ukrainian conflict.
Analysis of observed TTPs shows that threat actors continue to exploit public-facing applications as a leading initial access vector, alongside phishing and valid account use. Threat actors continue to target downstream suppliers to infiltrate larger organizations that may have more advanced prevention and detection capabilities. In addition to zero-day vulnerabilities, threat actors continue to leverage trusted sites and open repositories to host and deliver obfuscated files or information. Reporting indicates that repositories such as GitHub and the Python Package Index have been used to distribute malicious packages, in addition to other platforms. This trend underscores how threat actors are exploiting legitimate cloud services and trusted sites to host malicious infrastructure and explore new intrusion methodologies.
Lastly, cyber threat actors continue to adapt their toolsets to target ICS and OT systems. Reporting from Dragos identified the ninth known ICS-focused malware, which has been used to target the energy sector in Ukraine. The advancements in threats targeting ICS environments pose a potential risk that similar tactics could be employed against air-gapped ground stations that directly support space systems.
Referenced Threat Briefings:
See Threat Briefing 18 for more information on Living off the Land Techniques
See Threat Briefing 19 for more information on Initial Access Techniques
See Threat Briefing 20 for more information on FalseFont Backdoor
Edge Devices are a Focal Point in Cyber Campaigns:
Sophisticated threat actors continue to target critical infrastructure with pervasive cyber-attacks aimed at commercial and cyber espionage, with an increasing focus on exploiting critical vulnerabilities in edge devices like firewalls, routers, and VPN appliances. Analysis from Mandiant shows that custom exploits for edge devices have become an increasingly used tactic in espionage activity, in particular campaigns attributed to Chinese and Russian state-sponsored cyber actors. Analysts continue to see well-resourced espionage campaigns targeting entities within the space, government, and defense sectors.
The prevalence of vulnerabilities in edge devices provides multiple pathways for threat actors to pivot between networks and serves as a potential attack vector for operational environments. This is especially relevant to ground station architecture, where edge devices are a critical component in satellite command and control, as well as Ground Station as a Service offerings that leverage edge cloud services for customer data.
According to Mandiant’s M-Trends report, two of the most targeted vulnerabilities in 2023 were related to edge devices. In 2024, several significant vulnerabilities in edge devices were exploited by threat actors, with Ivanti, Palo Alto Networks, and Cisco products being notable targets. These incidents highlight the growing trend of targeting edge devices, which serve as critical attack vectors, particularly in sectors like space and defense.
Referenced Threat Briefings:
See Threat Briefing 21 for more information on Edge Device Attacks
Geopolitical Tensions Influence Cyber Operations and Hybrid Warfare:
Ongoing geopolitical conflicts in Ukraine and the Middle East continue to influence politically motivated actors, manifesting primarily as disruptive cyber and electronic warfare-based threats. Cyber threats of this nature include ransomware groups like BlackBasta, who have targeted over 500 critical infrastructure entities in the last two years; hacktivist groups such as Killnet and NoName057(16), who routinely target Western nations with DDoS attacks; and APTs like Sandworm, who have played a critical role in ongoing military campaigns. Findings from dark web forums indicate that politically motivated threat actors may target the defense, government, and aerospace sectors due to their perceived role in these conflicts.
Additionally, the scope of electromagnetic interference (EMI) capabilities has escalated in tandem, as jamming activity continues to deny and degrade GPS/GNSS services, resulting in disrupted airspace and communication networks in areas of high geopolitical conflict, including the areas surrounding Russia, Ukraine, and the Middle East. Interference-based attacks may also be used to target space systems directly, as outages affecting Starlink user terminals in Ukraine were reported in May of this year.
Referenced Threat Briefings:
See Threat Briefing 22 for more information on EMI Attacks
See Threat Briefing 23 for more information on Politically Motivated Cyber Attacks
Dynamic Space Operations:
Adversary nations continue to develop and expand existing space and counterspace capabilities, including ASAT technology, dual-use satellite assets, and electronic warfare capabilities. In February 2024, General Stephen Whiting, commander of U.S. Space Command, cautioned about the growth in adversary military space and counterspace capabilities, citing China’s rapid increase in space-based surveillance capabilities, which he said had tripled in number since 2018 to 359 surveillance satellites. This rapid pace serves to augment the already contested space environment, where there is concern that newly launched satellites may have dual-use capabilities intended to disrupt US and allied space assets.
In 2024, the US government issued several warnings pertaining to the launch of the Russian COSMOS satellites, with fears that they may be either direct ASAT weapons, in the case of COSMOS 2576, or test beds for potential future ASAT capabilities, in the case of COSMOS 2553. These concerns stem from warnings issued by the White House Intelligence Committee in February 2024 regarding Russian space capabilities.
There is an increasing trend in launches involving a variety of payloads, including reconnaissance satellites, spaceplanes, and multi-payload pairings. Numerous activities indicate dynamic operations such as launches into Low Earth Orbit (LEO), object tracking, and potential rendezvous and proximity operations (RPO), marked by close approach warnings and conjunction assessments. Examples of this activity include China’s Divine Dragon spaceplane, which has carried out multiple missions in 2024. Researchers have speculated that this spacecraft may have military applications, indicating its dual-use nature.
Space Environmental Factors:
Analysts also note generally heightened variability and impact in the space environment, due in part to solar flares, space debris, and other space weather-related activity. The period of Solar Maximum (Jan – Oct ’24) has led to increased solar activity, with fluctuations in solar wind speeds and coronal hole activity affecting satellite operations and terrestrial systems. This includes significant geomagnetic storms (G5-level), X-class flares, and associated impacts on Global Navigation Satellite System (GNSS) reliability. In May 2024, NOAA’s Space Weather Prediction Center (SWPC) issued a geomagnetic storm warning caused by multiple coronal mass ejection (CME) events. This storm was forecast as G4-G5, the highest levels on NOAA’s space weather scales, and ultimately caused a myriad of impacts to both terrestrial infrastructure and on-orbit assets.
Additionally, the continued proliferation of space debris raises concerns for space operators, with increased conjunction assessments requiring additional maneuvers to avoid hazardous space junk. This problem has worsened in 2024, with multiple breakup events generating hundreds of newly catalogued pieces of debris in LEO. In July 2024, reports indicated that a Russian satellite likely experienced a “low-intensity explosion”, generating more than 100 pieces of trackable space debris. This event was followed by another breakup event in August, this time of a Chinese rocket that broke up after delivering a batch of LEO satellites, generating over 300 pieces of observable space debris.