Briefing 27: Adversaries Develop new Tactics for Breaching Air-Gapped Networks

10/29/2024

Executive Summary:

On October 7, security firm ESET disclosed a cyber campaign targeting air-gapped systems at a European government organization. This campaign, conducted between May 2022 and May 2024, has been attributed to GoldenJackal, an advanced persistent threat (APT) group known for its cyber espionage activity since 2019. GoldenJackal specializes in breaching isolated environments through modular toolsets that use removable media and network-adaptive malware to deliver and execute malicious payloads. The group’s prior breach of a South Asian embassy in 2019 underscores its focus on high-value isolated networks, indicating a sustained interest in circumventing traditional security boundaries.

Analysts assess these findings as a potential warning for critical infrastructure sectors that rely on air-gapped networks for secure operations. GoldenJackal’s activities expose vulnerabilities in non-internet-facing networks, demonstrating how removable drives—a commonly trusted medium for data transfer—can serve as entry points for sophisticated malware. This tactic highlights the evolving risk landscape for air-gapped networks, particularly in critical infrastructure sectors like satellite ground stations, which often rely on such systems to remain insulated from network-borne threats.

Toolset:

GoldenJackal’s toolkit leverages a modular .NET-based framework designed to operate across both internet-connected and isolated environments. Key capabilities include file exfiltration, credential theft and system information gathering. The toolkit adapts based on network connectivity, executing different actions depending on whether an internet connection is detected. For instance, in networked environments, it downloads additional payloads from command and control (C2) servers, which are then transferred to USB drives. When internet access is unavailable, it executes stored malware directly from the drive, allowing propagation within an air-gapped system.

GoldenJackal’s modular design enables it to split tasks across various components focused on collection, processing, distribution and exfiltration, facilitating a stealthy and highly adaptable approach. This adaptability reflects the group’s comprehensive understanding of secure network architectures and underscores their evolution from conventional network-based attacks to a refined approach suitable for penetrating air-gapped networks.

Threat to Critical Infrastructure:

GoldenJackal’s ability to infiltrate air-gapped networks without direct physical access represents a significant advancement in attack methodologies. Traditionally, air-gapped systems are isolated from network-based attacks, with entry points largely limited to authorized removable media. GoldenJackal bypasses this isolation by infecting user-owned drives with malware, allowing it to reach systems previously out of reach for remote actors. This method eliminates the need for physical access or the social engineering tactics typically required to distribute infected media, thus presenting a more scalable threat to isolated networks.

By challenging long-held assumptions about the security of air-gapped networks, GoldenJackal’s tactics underscore the vulnerability of critical infrastructure. Operational environments—such as water and wastewater systems in the U.S.—have previously been targeted using similar tactics to exploit vulnerabilities in programmable logic controllers and industrial control systems. This attack model may readily extend to satellite ground infrastructures, highlighting the broader risks facing critical sectors reliant on isolated systems for data integrity and operational security.

Potential Implications for the Space Sector:

Though there is no direct evidence of GoldenJackal targeting space assets, the group’s approach is highly relevant to the sector. Satellite control and ground infrastructure systems may limit internet connectivity and utilize secure, removable drives to update systems and transfer data in air gapped environments. These characteristics align closely with GoldenJackal’s toolkit and methods, which could be repurposed to breach similar isolated networks.

In the space domain, ground systems are vital for data transmission and satellite control. The compromise of these systems could disrupt operations, jeopardize data integrity and undermine secure communication. GoldenJackal’s adaptable toolkit and ability to leverage removable media as an attack vector highlight a pressing need for security measures that can anticipate and mitigate such advanced threats. As threat actors continue developing techniques to breach even the most secure network environments, it is imperative for organizations to account for these strategies across both networked and isolated systems.

Conclusion:

GoldenJackal’s campaign exemplifies how APTs are adapting their tactics to breach secure air-gapped networks traditionally viewed as impervious to remote cyber threats. By leveraging removable media as a bridge into isolated networks, GoldenJackal’s methodical approach exploits industry-standard practices for system maintenance and data transfer within air-gapped systems.

This campaign emphasizes the need for updated protocols governing removable media use and continued monitoring of advanced threat tactics targeting critical infrastructure. For sectors like space, which rely heavily on isolated networks, GoldenJackal’s toolkit illustrates the need for proactive defenses and an understanding that APTs are adapting traditional attack techniques to circumvent even the most robust network defenses. Ensuring the security of air-gapped systems remains a crucial objective as threat actors advance their capabilities to reach these highly secure environments.

---

Briefing 26: Active Cyber Threats to the Space Supply Chain: Analysis of the TIDRONE Campaign

10/2/2024

Executive Summary:

In September 2024, security firm Trend Micro published a report identifying a threat group named “TIDRONE”, which had conducted a cyber espionage campaign targeting entities in Taiwan’s military and satellite industries. Initial findings from the report revealed that TIDRONE actors are actively targeting both satellite industries and drone manufacturers, suggesting a coordinated effort to infiltrate high-value targets tied to aerospace and defense. Further analysis provided by security firm Acronis, which tracked the campaign under the alias "Operation WordDrone," adds key details regarding the exploitation of Taiwanese enterprise resource planning (ERP) software, indicating the campaign may be associated with a supply chain attack.

These activities are assessed as part of a wider trend of cyber espionage aimed at stealing sensitive information within the global military technology sector, including satellite and drone technology. Notably, several elements within this campaign highlight the escalating threat environment for the space industry, particularly the surge in drone production, its considerable overlap with space technology, and the significance of Taiwan as a hub for aerospace and military production.

Attack Pattern:

TIDRONE actors utilized enterprise resource planning (ERP) and remote desktop tools to deploy sophisticated malware toolsets identified as CXCLNT and CLNTEND.

These sophisticated malware families are specifically used to exploit system vulnerabilities and steal sensitive data. The CXCLNT strain is deployed for a range of purposes, most notably the uploading and downloading of files, and the collection of victim information, such as file listings and computer names. The CLNTEND malware is a remote access tool (RAT) that was first identified in attacks conducted in April 2024, and this RAT supports a wide range of network communication protocols.

This versatility allows attackers to adapt to different environments and ensures continuous data exfiltration, even in highly secured networks. Both malware variants play a pivotal role in stealing sensitive data, including intellectual property, and enable extensive system exploitation through lateral movement across compromised networks.

The group’s attack pattern involved a technique known as DLL side-loading, in which attackers manipulate the loading of dynamic link libraries (DLL) by hijacking a program’s library calls. In this instance, TIDRONE actors exploited an outdated version of Microsoft Word to load and execute malicious files. The attackers used a modified version of a legitimate DLL to act as a loader, which ran shellcode to decrypt and execute the CXCLNT and CLNTEND payloads. Researchers noted that the loader included additional features for persistence and defense evasion. Additional reporting shows that attackers used a tool called “EDRSIlencer” to avoid endpoint detection and firewall protections.

Supply Chain Attack:

Reports suggest this campaign may have been a supply chain attack, as it involved repeated targeting of the same ERP systems and remote access tools across multiple victim environments. Specifically, the attackers leveraged Virtual Network Computing (VNC) technology, particularly UltraVNC—a program that allows remote control of servers and clients—to launch malicious executables using side-loading techniques. Additional reporting from Acronis revealed that Taiwanese ERP software Digiwin was deployed in victim environments during the Operation WordDrone campaign. Researchers indicate that this platform may have been exploited as an initial access vector, due to vulnerabilities known to exist in the software’s components.

Significance to Space:

The space industry shares critical technological parallels with other sectors targeted by TIDRONE, particularly drone manufacturing. The use of remote access tools like UltraVNC in both industries is a notable overlap. As space companies often rely on remote systems to manage satellite ground stations and sensitive communication networks, the same techniques used to exploit these tools in other industries could be leveraged against space operations.

In the context of supply chain risks, the close relationship between space and drone manufacturers, particularly in regions like Taiwan, creates additional vulnerabilities. Taiwan’s role as a U.S. ally and a leader in technological innovation makes it a focal point for espionage campaigns, and any compromise in drone manufacturing could cascade into the space industry. Given the high value of intellectual property and operational data in space systems, successful infiltration by actors like TIDRONE could lead to far-reaching consequences for national security and commercial space operations alike.

Sector Targeting:

The TIDRONE campaign’s focus on ERP and remote access technologies aligns with similar methodologies seen in attacks on the space sector. Both sectors utilize these systems to maintain operational continuity, and their exploitation could disrupt essential services or enable widespread data theft. By targeting interconnected sectors like drone and aerospace manufacturing, TIDRONE actors seek to exploit supply chain weaknesses, increasing the potential for lateral movement into critical space infrastructures. The trend toward using VNC technologies across industries underscores the need for heightened cybersecurity awareness in the space industry.

---

Briefing 25: Peach Sandstorm Group Targets Space Sector in New Espionage Campaign

9/4/2024

Executive Summary:

Throughout 2024, there have been multiple sophisticated cyber campaigns targeting space organizations and related technologies. These attacks are often driven by the desire of nation states to gain a competitive advantage through access to sensitive information and technology exchange. One of the most prominent threat groups involved in these activities is Peach Sandstorm, an Iranian-sponsored actor known for its sophisticated cyber espionage operations. Peach Sandstorm has made significant strides in its operational capabilities, particularly in targeting the aerospace sector, deploying customized malware, and utilizing advanced social engineering tactics.

On 28 August 2024, Microsoft Defender Threat Intelligence released a detailed report on Peach Sandstorm’s latest campaign. This operation saw the deployment of a new multi-stage backdoor malware dubbed “Tickler”, used to target entities in multiple sectors, including satellite and communications. This latest campaign marks the third instance of space-targeting by this group between September 2023 and August 2024 and underscores the continued development of unique backdoors by Peach Sandstorm and other threat groups.

Attack Pattern:

Historically, Peach Sandstorm has employed password spraying in combination with social engineering tactics, often leveraging professional networking platforms like LinkedIn to trick individuals into revealing login credentials. For instance, in March 2024, researchers observed Peach Sandstorm (tracked under the alias Curious Serpens) using phishing lures aimed at job seekers in the aerospace and defense sectors. These lures were part of a broader strategy that ultimately led to the deployment of backdoor malware known as “FalseFont”. Peach Sandstorm’s prolonged activity has led the group to be classified as an advanced persistent threat (APT 33) by Mandiant.

In its most recent campaign, Peach Sandstorm has refined its tactics, techniques, and procedures (TTPs), incorporating the use of Microsoft Azure infrastructure for command and control (C2) services. This shift underscores the growing trend among sophisticated threat actors to exploit cloud services for malicious activities. This adaptation demonstrates Peach Sandstorm’s ability to evolve its approach in response to emerging technologies and defenses.

Overall, Peach Sandstorm’s recent operations have primarily focused on organizations operating in the aviation and satellite sectors, both in military and commercial contexts. Their choice of high-value targets suggests the group’s operations are designed to facilitate intelligence collection in support of state interests.

Tickler Malware:

The Tickler malware, central to Peach Sandstorm’s latest campaign, is a customized, multi-stage backdoor designed to download additional malware onto compromised systems. The payloads deployed by Tickler are capable of performing various malicious activities, including collecting system information, executing commands, deleting files, and facilitating data exfiltration to a C2 server. This malware represents a significant advancement in Peach Sandstorm’s capabilities, demonstrating the group’s continued focus on developing sophisticated tools for espionage purposes.

Microsoft’s report also highlights Peach Sandstorm’s increased reliance on LinkedIn for intelligence gathering and social engineering attacks. These techniques, combined with password spraying and other TTPs, have become hallmarks of Peach Sandstorm’s operations, allowing the group to successfully infiltrate and compromise high-value targets.

History of Space Sector Targeting:

Peach Sandstorm’s interest in the aerospace sector is not new. Beginning in 2016 and continuing into 2017, the group, known at the time as APT33, expanded its targeting to include aerospace and aviation-related organizations. During this period, they also targeted the petrochemical sector, using spear phishing emails designed to lure recipients with job vacancy announcements. These emails contained malicious attachments that, when opened, initiated a sequence of infections. In 2023, Microsoft observed password spray attacks targeting thousands of organizations that were directly attributable to Peach Sandstorm.

Between April and July 2024, Peach Sandstorm conducted the aforementioned cyber espionage campaign that leveraged Microsoft’s Azure infrastructure for C2 purposes. During this period, the group also conducted password spray attacks targeting the educational sector for infrastructure procurement, while focusing on the satellite, government, and defense sectors for intelligence gathering. The group also relied on social engineering efforts in attacks against organizations in the higher education, satellite, and defense sectors, targeting victims via the LinkedIn professional networking platform.

Table 1: Peach Sandstorm Targeting History

Time Period	Campaign Details
Apr – Jul 2024	Peach Sandstorm deployed “Tickler” backdoor in attacks against satellite, communications equipment, oil and gas, and government sectors in the United States and United Arab Emirates.
Dec 2023 – Mar 2024	*Curious Serpens threat actors deployed “FalseFont” backdoor by mimicking legitimate HR software and impersonating an aerospace organization.
Feb – Sep 2023	Peach Sandstorm targeted global satellite, defense, and pharmaceutical sectors in a series of password spraying attacks.
Mar 2023	Peach Sandstorm conducted a Golden SAML (security assertion markup language) attack to bypass authentication and access a target’s cloud resources.
2018 – 2019	*HOLMIUM conducted a series of cloud-based attacks against multiple organizations through password spray activities, exploitation of CVE-2017-11774, and the abuse of Microsoft Exchange services.
2016 – 2017	*APT33 targeted aerospace and energy sectors headquartered in the United States, Saudi Arabia and South Korea via destructive malware.
* Indicates alias of Peach Sandstorm threat group

Conclusion:

Peach Sandstorm’s continued targeting of the aerospace sector underscores the persistent and evolving nature of Iranian cyber espionage operations. The group’s ability to adapt its tactics, such as the use of cloud infrastructure for C2 operations and the deployment of customized malware like Tickler, highlights the growing sophistication of state-sponsored threat actors. Organizations looking to stay vigilant of these threats can review best practices for protecting against password spray attacks, as well as indicators of compromise (IOCs) associated with the Tickler Backdoor via Microsoft’s recent publication.

---

Briefing 24: Andariel Emerges as a Persistent Cyber Threat to Aerospace and Defense Entities

8/7/2024

Executive Summary

In recent years, the global space sector has become an increasingly attractive target for nation-state actors seeking to gain strategic advantages. These actors often engage in cyber espionage to steal sensitive information and intellectual property, aiming to either disrupt space sector entities or enhance their own national space programs. Over the last year, several notable cyber espionage campaigns have specifically targeted space entities. Among these, recent reports have highlighted the activities of Andariel, a North Korean-linked hacking group, that has launched a global campaign against defense, aerospace, nuclear, and engineering organizations across the United States, Japan, South Korea, and India. This campaign is a stark reminder of the prevalence of state-sponsored cyber threats and their ongoing efforts to infiltrate space-related industries for espionage and intelligence collection.

Attack Pattern

Known for its sophisticated tactics and strategic objectives, Andariel has recently expanded its operations to include ransomware attacks against healthcare providers, energy companies, and financial institutions worldwide. Recognized for its formidable capabilities, Mandiant has since classified Andariel as an advanced persistent threat (APT45), emphasizing its sophistication and pervasiveness.

Andariel's operational history indicates a consistent focus on military and governmental personnel, aiming to gain access to sensitive information such as contracts, design drawings, bills of materials, and other critical engineering documents. Recent reports also indicate that Andariel has intensified its efforts to infiltrate aerospace entities, seeking to extract valuable intellectual property and technological insights that could enhance its state's defense and nuclear programs. According to assessments from federal agencies, this intelligence is leveraged to support North Korea's military and nuclear ambitions.

Andariel's attack methodology reflects a sophisticated understanding of modern cyber vulnerabilities. The group prioritizes the exploitation of web servers, often targeting known vulnerabilities in widely used applications. Notably, the group has capitalized on the infamous Log4j vulnerability, an Apache-based flaw that has been exploited globally since 2021. Andariel's proficiency in weaponizing vulnerabilities is evident in its array of exploits that target applications and devices commonly used in a variety of industries. Many of the targeted platforms have specific applications to space technology, from message brokers like Apache ActiveMQ, which can be used to handle communications between satellite networks, as well as devices that provide edge security and load balancing like Citrix Netscaler. The exploitation of these systems has been a key component of Andariel's initial access campaigns over the past two years, highlighting the group's technical prowess and adaptability.

Beyond exploiting technical vulnerabilities, Andariel employs a variety of social engineering techniques to infiltrate target networks. Phishing remains a central tactic, with the group distributing malicious attachments and .zip files to unsuspecting victims. These phishing campaigns are meticulously crafted to deceive users into executing malware, thereby granting Andariel access to sensitive systems and information.

Space Sector Targeting

Recent intelligence reports indicate that Andariel has shifted its focus towards the aerospace sector, engaging in cyber espionage campaigns designed to exfiltrate intellectual property related to satellite technology and communications. This strategic pivot aligns with North Korea's broader objectives to advance its technological capabilities and bolster its defense and nuclear programs.

Federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), have documented Andariel's targeted attacks on aerospace entities, revealing the group's interest in satellite, satellite communications, and nano-satellite technology. In a recent advisory published by Microsoft Threat Intelligence on 25 July 2024, it was reported that Andariel, tracked under the alias "Onyx Sleet," deployed a Sliver implant—an open-source command-and-control (C2) framework—across multiple operators. This campaign, active from October 2023 to June 2024, successfully compromised several aerospace and defense sector entities, highlighting the group's capability to execute long-term, coordinated attacks on critical infrastructure.

Ransomware Operations

Andariel's activities are not limited to espionage. The group has been actively involved in ransomware attacks, particularly targeting the U.S. healthcare sector. This approach is consistent with North Korean state-sponsored groups' broader strategy of using ransomware to circumvent U.S. sanctions and fund more advanced cybercriminal operations. By deploying ransomware payloads, Andariel effectively blurs the line between espionage and cybercrime, utilizing financial extortion as a means to support its strategic objectives. These ransomware operations serve dual purposes: generating revenue and creating a smokescreen for more covert espionage activities.

Conclusion

Andariel's recent campaigns against aerospace entities represent a significant escalation in its cyber operations, underscoring the evolving threat to commercial space. The group's ability to exploit technical vulnerabilities, coupled with its strategic focus on extracting sensitive information, reinforces the importance of robust cybersecurity measures and international cooperation to mitigate these types of sophisticated threats. Andariel’s activities are not isolated incidents but part of a broader pattern of state-sponsored campaigns aiming to extract valuable information and technology from space sector entities. As space continues to emerge as a crucial frontier for national security and economic growth, understanding and countering these cyber threats is imperative for maintaining global stability and protecting the integrity of space operations.

---

Briefing 23: Space Sector at Risk as Ransomware Groups and Nation State Actors Collaborate

7/10/2024

Executive Summary:

Ransomware attacks have evolved from mere financial nuisances to critical threats that affect every major industry sector. With the rise of ransomware threats, the cyber threat landscape has become especially obscured with a host of new ransomware groups, affiliates, and state sponsored actors. In an environment where attribution is king, the constant rebranding and resurfacing of ransomware groups has made attribution of these threats difficult. Research from Sentinel Labs suggests that this complex attribution environment may be intentional, as ransomware is being used in coordination with state-sponsored espionage activities. By encrypting and holding data hostage, ransomware provides a perfect cover for illicit data exfiltration and intelligence-gathering activities, effectively obfuscating state-sponsored espionage under the guise of a typical cybercriminal operation.

Increasingly, ransomware groups appear to align their targeting with the geopolitical interests of nation-states. Pro-Russian ransomware groups have escalated their attacks on NATO entities, reflecting Russia's strategic goals and political tensions with the West. Similarly, Iranian threat actors have intensified their cyber assaults on Israeli and U.S. organizations, leveraging ransomware to further national objectives amid ongoing regional conflicts. These alignments suggest a deeper collaboration between criminal entities and state actors, where shared infrastructure and toolsets further enumerate the complexities of the cyber threat landscape for space.

Researchers at Sentinel Labs have released findings from two clusters of threat activity between 2021 and 2023. The majority of observed activity involved ransomware and exploitation techniques; however, reporting associates these actions with state-sponsored group ChamelGang. Researchers further suggest that the ransomware payloads in these campaigns were used as a tactic for obfuscation, specifically to cause misattribution of their actions as financially motivated, which could create plausible deniability for claims of espionage.

This technique has been observed multiple times in recent years by other advanced persistent threats (APTs). In 2021, researchers attributed an extended campaign to a threat grouping tacked as BRONZE STARLIGHT, which involved the use of several ransomware strains that were deployed to victim networks following the initial compromise. In 2022, the Sandworm APT group deployed ransomware alongside destructive wiper malware samples, demonstrating the use of tools commonly used by cyber criminals alongside state-sponsored activity. During that same timeframe, wiper malware samples were also deployed against satellite networks in Ukraine, causing outages in the region. Lastly, in 2022, researchers investigated a campaign, initially attributed to the BianLian ransomware group, that was revealed to be an intelligence gathering operation by the state-sponsored Lazarus group.

These are just a few examples of the use of ransomware tactics, techniques and procedures (TTPs) as cover for more sophisticated campaigns focused on espionage and data destruction. More recent examples of this potential alignment include an APT dubbed UNC1549 that has conducted cyber espionage activity targeting aerospace and defense sector organizations in the middle east over the last year. Concurrently, reporting shows a significant increase in ransomware attacks in the Middle East and Africa region, showing a 68% rise in victims over a similar period.

As the international space race intensifies, the incentives for cyber criminals to target space companies with disruptive cyber-attacks, including ransomware, have grown significantly. The space sector's strategic importance, coupled with its increasing reliance on digital infrastructure, also makes it an attractive target for nation-states seeking to disrupt critical services, gather intelligence, or sabotage rival space programs. New findings in the use of ransomware TTPs in these campaigns bring new significance to ransomware activity, as ransomware attacks could be indicative of a more serious threat.

Throughout 2024, Space ISAC has identified approximately 25 space-related organizations that were targeted by ransomware attacks, along with five separate espionage campaigns aimed at global aerospace and space sectors. This data is derived from Space ISAC’s Open-Source Cyber Analysis Report (OSCAR) and analysts emphasize that this figure may be conservative, as many ransomware attacks go unreported. This figure has continued to rise in recent years, perpetuated in some cases by geopolitical conflicts and an overall increased interest in the space sector as a target for opportunistic and strategic threat actors alike.

The growing use of ransomware and its potential alignment with espionage activity underscores the importance of reporting and understanding ransomware attacks of all kinds. Through detailed tracking and analysis of these incidents, the commercial space community can gain deeper insights into the methods and motivations behind these threats, ultimately improving defensive strategies and resilience against future attacks.

---

Briefing 22: Jamming Attacks Affecting Space Systems and Implications for Global Security

6/11/2024

Executive Summary:

Jamming attacks have quickly become a prevalent threat to space systems, affecting satellite assets directly, as well as users of satellite services. Current and evolving geopolitical conflicts have highlighted the critical importance of GPS services and space-based communication for both national and international security, making them prime targets for disruption. The frequency of jamming attacks has surged from 2023 into 2024, with a significant jump beginning on Christmas Day when aircraft and vessels navigating between Sweden and Poland experienced high levels of interference, causing a loss of radio connectivity.

Interference activities, which include jamming, spoofing, and inadvertent interference are one of the most common styles of non-kinetic attacks affecting space systems today. Space ISAC analysts track much of this terrestrial jamming activity through internationally reported NOTAMs, captured from the Federal Aviation Administration and the International Civil Aviation Organization in addition to the Aviation Safety Reporting System (ASRS) database. These reports indicate a rise in jamming incidents, which are deliberate attempts to deny or degrade services. From 2023 to 2024, the percentage of NOTAMs indicating jamming increased from 21% to 33%, with 48 reported jamming attacks in 2024 alone, representing approximately 4 out of every 10 reported NOTAMs.

At a time of multiple ongoing geopolitical conflicts, the scope and scale of interference attacks have continued to worsen, perpetuated by a multitude of forces intent on degrading military and civilian communications. Recent events have shown that persistent levels of electromagnetic interference (EMI) have caused sustained impacts for a variety of GNSS users, most notably in telecommunications, aviation, maritime.

Analysts track this activity as “downlink jamming”, where satellite users are targeted to deny or disrupt incoming satellite communications. According to Aerospace’s SPARTA framework, GPS receivers are more vulnerable to downlink jamming, due to their wider field of view. These impacts have impacted GNSS services in areas of high geopolitical conflict, including the areas surrounding Russia, Ukraine, and the Middle East. The persistent jamming activities in these highly contested regions have raised the noise floor, complicating satellite communication with downlink terminals. This phenomenon has manifested in an uptick in Position, Navigation, and Timing errors, outages, and additional impacts affecting GNSS users.

In April 2024, GNSS interference affected 23 flight information regions in Finland, Estonia, and Latvia, forcing Finnair to cancel flights to Tartu airport in Estonia. The event caused widespread concern, with Finnair cancelling flights for the rest of May 2024, and Estonia’s foreign minister Margus Tsahkna referencing the activity as a “hybrid attack”, assessing it as a significant threat to the flight security.

From August 2023 to March 2024, over 46,000 flights in the Baltics, Black Sea, and Mediterranean regions were impacted by GPS/GNSS signal disruptions. The Baltic region has experienced persistent interference since 2022, with increased jamming reported since December 2023. Reporting from GPS The large-scale GPS jamming in the area has culminated in a variety of disruptions to sea and airspace. In March 2024, analysts identified a prolonged period of GPS jamming near the Baltic Sea lasting approximately 63 hours and impacting over 1600 aircraft. This event underscores the level of sustained impacts that this region has experienced over the last two years.

Additional impacts have been reported to maritime users, with an estimated 117 vessels experiencing navigation data manipulation via automated identification system (AIS) spoofing in April 2024. Research provided by Lloyd’s List, an open-source intelligence source for maritime data, shows that GPS jamming activities have surged in the Mediterranean and Black Seas, affecting an average of 35 ships daily in March 2024.

Interference activities are also being used to target space systems directly, as widespread outages have been reported affecting Starlink user terminals supporting Ukraine’s military forces. According to Ukraine’s digital minster Mykhailo Fedorov, Russia has developed new techniques to “disrupt the quality of Starlink connections” which have been critical to Ukraine’s war efforts. This activity was observed during Russia’s invasion of Kharkiv, where reports indicate Starlink terminals went offline for an undisclosed amount of time, directly impacting communication channels across the Ukrainian Military. This marks the second major incident in the past two years where satellite terminals have been directly targeted for military purposes, the first being the ViaSat attack in 2022 during the initial invasion.

The threat landscape for jamming attacks is continually evolving. As noted in several Space ISAC alerts in early 2024, downlink GPS signal jamming and interference have steadily increased, especially in areas of active geopolitical conflict. This activity underscores the need for robust backup systems and heightened awareness for GNSS users. As geopolitical tensions persist, the sophistication and frequency of these attacks are likely to increase. Continuous investment in research, technology, and international collaboration is necessary to stay ahead of these threats and ensure the security of space systems.

---

Learn More About Space ISAC

Are you interested in learning more about threats to space systems? Visit our website at spaceisac.org to learn more about security for space and how to become a member.