Executive Summary:
Ransomware attacks have evolved from mere financial nuisances to critical threats that affect every major industry sector. With the rise of ransomware threats, the cyber threat landscape has become especially obscured by a host of new ransomware groups, affiliates, and state-sponsored actors. In an environment where attribution is king, the constant rebranding and resurfacing of ransomware groups has made attribution of these threats difficult. Research from Sentinel Labs suggests that this complex attribution environment may be intentional, as ransomware is being used in coordination with state-sponsored espionage activities. By encrypting and holding data hostage, ransomware provides a perfect cover for illicit data exfiltration and intelligence-gathering activities, effectively obfuscating state-sponsored espionage under the guise of a typical cybercriminal operation.
Increasingly, ransomware groups appear to align their targeting with the geopolitical interests of nation-states. Pro-Russian ransomware groups have escalated their attacks on NATO entities, reflecting Russia's strategic goals and political tensions with the West. Similarly, Iranian threat actors have intensified their cyber assaults on Israeli and U.S. organizations, leveraging ransomware to further national objectives amid ongoing regional conflicts. These alignments suggest a deeper collaboration between criminal entities and state actors, where shared infrastructure and toolsets further compound the complexity of the cyber threat landscape for space.
Researchers at Sentinel Labs have released findings from two clusters of threat activity between 2021 and 2023. The majority of observed activity involved ransomware and exploitation techniques; however, reporting associates these actions with the state-sponsored group ChamelGang. Researchers further suggest that the ransomware payloads in these campaigns were used as a tactic for obfuscation, specifically to cause misattribution of their actions as financially motivated, which could create plausible deniability for claims of espionage.
This technique has been observed multiple times in recent years by other advanced persistent threats (APTs). In 2021, researchers attributed an extended campaign to a threat group tracked as BRONZE STARLIGHT, which involved the use of several ransomware strains that were deployed to victim networks following the initial compromise. In 2022, the Sandworm APT group deployed ransomware alongside destructive wiper malware samples, demonstrating the use of tools commonly used by cyber criminals alongside state-sponsored activity. During that same timeframe, wiper malware samples were also deployed against satellite networks in Ukraine, causing outages in the region. Lastly, in 2022, researchers investigated a campaign, initially attributed to the BianLian ransomware group, that was revealed to be an intelligence-gathering operation by the state-sponsored Lazarus group.
These are just a few examples of the use of ransomware tactics, techniques, and procedures (TTPs) as cover for more sophisticated campaigns focused on espionage and data destruction. More recent examples of this potential alignment include an APT dubbed UNC1549 that has conducted cyber espionage activity targeting aerospace and defense sector organizations in the Middle East over the last year. Concurrently, reporting shows a significant increase in ransomware attacks in the Middle East and Africa region, showing a 68% rise in victims over a similar period.
As the international space race intensifies, the incentives for cyber criminals to target space companies with disruptive cyber-attacks, including ransomware, have grown significantly. The space sector's strategic importance, coupled with its increasing reliance on digital infrastructure, also makes it an attractive target for nation-states seeking to disrupt critical services, gather intelligence, or sabotage rival space programs. New findings in the use of ransomware TTPs in these campaigns bring new significance to ransomware activity, as ransomware attacks could be indicative of a more serious threat.
Throughout 2024, Space ISAC has identified approximately 25 space-related organizations that were targeted by ransomware attacks, along with five separate espionage campaigns aimed at global aerospace and space sectors. This data is derived from Space ISAC’s Open-Source Cyber Analysis Report (OSCAR) and analysts emphasize that this figure may be conservative, as many ransomware attacks go unreported. This figure has continued to rise in recent years, perpetuated in some cases by geopolitical conflicts and an overall increased interest in the space sector as a target for opportunistic and strategic threat actors alike.
The growing use of ransomware and its potential alignment with espionage activity underscores the importance of reporting and understanding ransomware attacks of all kinds. Through detailed tracking and analysis of these incidents, the commercial space community can gain deeper insights into the methods and motivations behind these threats, ultimately improving defensive strategies and resilience against future attacks.