Briefing 22: Jamming Attacks Affecting Space Systems and Implications for Global Security

6/11/2024

Executive Summary:

Jamming attacks have quickly become a prevalent threat to space systems, affecting satellite assets directly, as well as users of satellite services. Current and evolving geopolitical conflicts have highlighted the critical importance of GPS services and space-based communication for both national and international security, making them prime targets for disruption. The frequency of jamming attacks has surged from 2023 into 2024, with a significant jump beginning on Christmas Day when aircraft and vessels navigating between Sweden and Poland experienced high levels of interference, causing a loss of radio connectivity.

Interference activities, which include jamming, spoofing, and inadvertent interference are one of the most common styles of non-kinetic attacks affecting space systems today. Space ISAC analysts track much of this terrestrial jamming activity through internationally reported NOTAMs, captured from the Federal Aviation Administration and the International Civil Aviation Organization in addition to the Aviation Safety Reporting System (ASRS) database. These reports indicate a rise in jamming incidents, which are deliberate attempts to deny or degrade services. From 2023 to 2024, the percentage of NOTAMs indicating jamming increased from 21% to 33%, with 48 reported jamming attacks in 2024 alone, representing approximately 4 out of every 10 reported NOTAMs.

At a time of multiple ongoing geopolitical conflicts, the scope and scale of interference attacks have continued to worsen, perpetuated by a multitude of forces intent on degrading military and civilian communications. Recent events have shown that persistent levels of electromagnetic interference (EMI) have caused sustained impacts for a variety of GNSS users, most notably in telecommunications, aviation, maritime.

Analysts track this activity as “downlink jamming”, where satellite users are targeted to deny or disrupt incoming satellite communications. According to Aerospace’s SPARTA framework, GPS receivers are more vulnerable to downlink jamming, due to their wider field of view. These impacts have impacted GNSS services in areas of high geopolitical conflict, including the areas surrounding Russia, Ukraine, and the Middle East. The persistent jamming activities in these highly contested regions have raised the noise floor, complicating satellite communication with downlink terminals. This phenomenon has manifested in an uptick in Position, Navigation, and Timing errors, outages, and additional impacts affecting GNSS users.

In April 2024, GNSS interference affected 23 flight information regions in Finland, Estonia, and Latvia, forcing Finnair to cancel flights to Tartu airport in Estonia. The event caused widespread concern, with Finnair cancelling flights for the rest of May 2024, and Estonia’s foreign minister Margus Tsahkna referencing the activity as a “hybrid attack”, assessing it as a significant threat to the flight security.

From August 2023 to March 2024, over 46,000 flights in the Baltics, Black Sea, and Mediterranean regions were impacted by GPS/GNSS signal disruptions. The Baltic region has experienced persistent interference since 2022, with increased jamming reported since December 2023. Reporting from GPS The large-scale GPS jamming in the area has culminated in a variety of disruptions to sea and airspace. In March 2024, analysts identified a prolonged period of GPS jamming near the Baltic Sea lasting approximately 63 hours and impacting over 1600 aircraft. This event underscores the level of sustained impacts that this region has experienced over the last two years.

Additional impacts have been reported to maritime users, with an estimated 117 vessels experiencing navigation data manipulation via automated identification system (AIS) spoofing in April 2024. Research provided by Lloyd’s List, an open-source intelligence source for maritime data, shows that GPS jamming activities have surged in the Mediterranean and Black Seas, affecting an average of 35 ships daily in March 2024.

Interference activities are also being used to target space systems directly, as widespread outages have been reported affecting Starlink user terminals supporting Ukraine’s military forces. According to Ukraine’s digital minster Mykhailo Fedorov, Russia has developed new techniques to “disrupt the quality of Starlink connections” which have been critical to Ukraine’s war efforts. This activity was observed during Russia’s invasion of Kharkiv, where reports indicate Starlink terminals went offline for an undisclosed amount of time, directly impacting communication channels across the Ukrainian Military. This marks the second major incident in the past two years where satellite terminals have been directly targeted for military purposes, the first being the ViaSat attack in 2022 during the initial invasion.

The threat landscape for jamming attacks is continually evolving. As noted in several Space ISAC alerts in early 2024, downlink GPS signal jamming and interference have steadily increased, especially in areas of active geopolitical conflict. This activity underscores the need for robust backup systems and heightened awareness for GNSS users. As geopolitical tensions persist, the sophistication and frequency of these attacks are likely to increase. Continuous investment in research, technology, and international collaboration is necessary to stay ahead of these threats and ensure the security of space systems.

---

Briefing 21: Attacks on Edge Devices Surge; Multiple Critical Vulnerabilities Identified

5/13/2024

Executive Summary

Throughout Q4 2023 and continuing into Q2 2024, threat actors have continued their aggressive exploitation of zero-day vulnerabilities, leveraging them in initial access campaigns targeting edge network devices. These campaigns are assessed as a means of circumventing a target network’s intrusion detection systems, enabling lateral movement, malware deployment, and maintaining undetected persistent access for additional follow-on actions.

An edge device is any piece of hardware that controls data flow at the boundary between two networks. As such, attackers have modified their strategy of leveraging zero-day vulnerabilities to target edge network devices for Layer 2 attacks. Edge devices fulfill a variety of roles, depending on what type of device they are, and ultimately serve as network endpoints. Used by enterprises, service providers and government or military organizations, examples of edge devices include VPN appliances, routers, and firewalls. Due to the advantages of cloud computing and the Internet of Things (IoT), edge devices have been deployed in increasing quantities, and simultaneously have become a valuable target in cyberattacks.

The prevalence of vulnerabilities in edge devices provides multiple pathways for threat actors to pivot between networks and serves as a potential attack vector for operational environments. This is especially relevant to ground station architecture, where edge devices are a critical component in satellite command and control, as well as Ground Station as a Service (GSaaS) offerings that leverage edge cloud services for customer data. Additionally, edge computing allows industrial control systems (ICS) to handle more data while maintaining performance and security. Given the advantages of IoT, critical infrastructure across all sectors depends on ICS for safe and efficient operation. However, these systems can grant attackers the ability to avert security compliance via remote network access.

Notable Exploits

Ivanti: On 10 January 2024, researchers uncovered an exploit targeting two vulnerabilities in Ivanti Connect Secure solutions, believed to be active since December 2023. Since the identification of the initial exploits, Ivanti has disclosed several additional vulnerabilities in the platform, of which many have been targeted in the wild. Additional research identified five threat groups that have developed techniques for post-exploitation of Ivanti vulnerabilities. In total, research revealed eight distinct clusters of activity involved in the exploitation of Critical Vulnerabilities and Exposures (CVEs) found in Ivanti products. Recently, sophisticated threat actors infiltrated a space-related research and development network by leveraging multiple vulnerabilities on an external-facing Ivanti appliance. The vulnerability allowed the alleged nation-state hackers to conduct reconnaissance activity, bypass multifactor authentication and pivot throughout the network infrastructure.

Palo Alto Networks: On 10 April 2024, researchers at the security firm Volexity identified a vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS, which was exploited since early March 2024, in a threat cluster tracked as UTA0218. The CVE has a CVSS score of 10.0 and enables remote code execution. Since the initial exploit surfaced, Palo Alto Networks has released a series of hotfixes and mitigations for the flaw; however current reporting indicates that exploitation attempts are still being observed. According to ICS reporting from CISA, attackers have targeted versions of Siemens RUGGEDCOM APE1808 devices that are configured with Palo Alto Next Gen Firewall (NGFW) products.

Cisco: On 24 April 2024, Cisco Talos identified exploitation of two vulnerabilities in Cisco Adaptive Security Appliances. Reporting indicates that nation-state actors exploited these vulnerabilities to conduct espionage activities on government entities in a campaign tracked as "ArcaneDoor." Researchers noted the trend of attacks targeting edge network devices over the last two years, underscoring the impact that these exploits can have on companies.

Impact of Edge Device Vulnerabilities

In conclusion, the increasing trend of cyber campaigns exploiting zero-day vulnerabilities in edge devices underscores the critical need for enhanced security measures at the network edge. These vulnerabilities, often targeted for their potential to evade detection and enable persistent access, pose significant risks to critical infrastructure and operational technology across various sectors. As highlighted by recent exploits targeting prominent vendors and products, including Ivanti, Palo Alto Networks and Cisco, threat actors continue to evolve their tactics to target widely deployed edge network technology. These tactics are especially relevant to ground stations, which further underscores the urgency of addressing these risks in the space sector. As defenders continue to navigate this challenge, staying up to date with patches and security advisories are crucial for mitigating these risks.

---

Briefing 20: Aerospace Industry Targeted by Multiple Cyber Espionage Campaigns

4/17/2024

On 21 March 2024, researchers from Palo Alto Networks Threat Intelligence Team released a report on a campaign targeting job applicants in the aerospace and defense sectors. The campaign is attributed to Curious Serpens, a threat group that has been active since 2013. This specific campaign targets aerospace and energy sector entities in the United States, Middle East and Europe from 2022 – 2023.

While this campaign may seem like an isolated example, Curious Serpens’ actions underscore an emerging trend in the cyber threat landscape for space. These campaigns demonstrate the increased scope of state-backed threat groups that engage in intelligence collection, information stealing and commercial espionage. Through an analysis of this campaign, correlated with similar activity, we can gain insight into the evolving tactics and motivations of threat actors in the space sector, highlighting the need for enhanced cybersecurity measures to protect critical resources and sensitive information.

The most recent Curious Serpens campaign focused on the deployment of a custom backdoor called “FalseFont.” According to the report, Curious Serpens actors have conducted a series of job recruitment scams, luring victims to a fake job portal to trick users into entering valid credentials and then installing the backdoor. FalseFont is a sophisticated strain of malware that is used as a remote access and data exfiltration tool by connecting to the attacker’s command/control (C2) server to receive and execute commands, download/upload files, query file system information and harvest credentials. Additional analysis from Nextron Systems assesses that threat actors are likely using this tool to extract U.S. defense or intelligence-related documents, based on how the malware impersonates legitimate job application software.

The FalseFont campaign underscores both the sophistication of espionage-focused threat groups and the prevalence of job recruiting scams to collect information. This threat actor has previously targeted space industry organizations under the alias Peach Sandstorm via a widespread password spraying campaign observed from February to September 2023. The campaign targeted various organizations in the satellite, defense and pharmaceutical sectors on a global scale. Reporting from Microsoft Security threat intelligence assessed the activity as an initial access campaign, with the goal of “intelligence collection in support of Iranian state interests.”

Analysts note the similarities between the FalseFont campaign and previously observed espionage activity targeting space and related sectors. Over the last year, there have been several espionage-focused campaigns targeting space industry organizations. While the full impact of this threat activity is not fully known, we can assess with moderate confidence that these campaigns were successful in compromising these organizations, due to intrusion detections and data provided, such as malware hashes and indicators of compromise. Specific examples of this activity include a threat actor tracked as AeroBlade, who targeted an aerospace organization in a multi-phased espionage operation from September 2022 – July 2023, RedHotel, who targeted the aerospace industry at a global scale between 2021 and 2023, and UNC1549, a campaign that leveraged fake job websites to deploy custom backdoors targeting aerospace and defense entities.

Each of these campaigns shares commonalities in both motive and execution, with the goal of exfiltrating sensitive information. Additional correlations can be drawn from the tactics, techniques and procedures of these threat groupings focused on gaining initial access through spear phishing, deploying custom malware and backdoors and exfiltrating data over C2 channels. Through this analysis, it is evident that the targeting of space industry organizations has intensified over the past year, with threat actors employing sophisticated tactics to infiltrate and compromise their targets. This trend highlights the evolving nature of cyber threats in the space sector and underscores the need for proactive security measures to mitigate the risk of espionage and data breaches.

This type of activity has become increasingly prevalent in the space threat landscape and remains a top priority for U.S. intelligence agencies. In a report published in 2023 by the National Counterintelligence and Security Center (NCSC), officials warned that foreign intelligence entities (FIEs) recognize the value of commercial space brings to the U.S. economy and national security, and threat actors may target space organizations to acquire “vital technologies and expertise.” The identified impacts are underscored by recently observed espionage activity and enumerate one of the more common ways that space organizations may be targeted. Additional findings reveal that many of these campaigns target employees of these organizations, as seen in the UNC1549 and Curious Serpens campaigns. This type of corporate espionage activity often is intended to facilitate IP theft or technology exchange, where threat actors take advantage of job-seeking individuals and seemingly legitimate corporate technology to exfiltrate sensitive data.

The targeting of job applicants and the use of fake job portals underscore the evolving tactics of these threat actors, posing a significant challenge to the cybersecurity of space organizations. These findings emphasize the urgent need for enhanced security measures and collaboration among industry stakeholders and intelligence agencies to protect critical infrastructure and sensitive information in the space sector.

---

Briefing 19: Implications for the Space Industry As Cyber Threat Actors Transition to Cloud Infrastructure Attacks

3/19/2024

Executive Summary

As organizations continue to migrate services to cloud-based solutions, trend analysis shows that cyber threat actors are making corresponding adjustments to this transition. According to officials from the Cybersecurity and Infrastructure Security Agency (CISA), advanced persistent threat (APT) actors are adapting their tactics, techniques and procedures (TTPs) to focus on initial access and disruption of cloud services. The advisory denotes observations from APT29 (aka Midnight Blizzard), which is assessed as a prominent threat actor within the cyber threat ecosystem and is primarily known for its broad scope of cyber espionage activity. According to a CISA assessment, APT29 is actively modernizing systems as government and commercial entities migrate resources to the cloud.

The findings from this report underscore a broader trend and one that has particular significance to the commercial space sector. Threat actors are shifting their targeting schemas from on-premise solutions to cloud services. This Threat Briefing is intended to assess the shift by threat actors to infiltrate cloud services and the correlation to the continued digitization of space ground architectures.

The Shift to Cloud Targeting

Analysis of past attack patterns shows that cyber threat actors such as APT29 have targeted on-premise, physical network environments in multiple cyber campaigns. Recent reporting reveals, however, that threat actors are increasingly targeting a wide range of cloud services for initial access and malware distribution. According to CISA and international partners, much of this shift is attributed to the continued modernization of industry. This transition to cloud-based infrastructure significantly alters the attack surface by requiring authentication to the cloud provider, subsequently driving changes in threat actor TTPs.

Some of the evolving tactics involve using brute force attacks and password spraying to gain access to service accounts, utilization of cloud-based token authentication and enrollment of new devices to gain unauthorized access. This observed activity underscores the increased use of valid accounts for initial access in threat actor campaigns. According to IBM X-Force’s Threat Intelligence Index, valid account compromises accounted for nearly one-third of cyberattacks in 2023. Additionally, the report states that 90% of the cloud assets made available for sale on the dark web were valid account credentials. These trends coincide with an increased number of intrusions on cloud environments, which was up 75% in 2023, according to CrowdStrike’s 2024 Global Threat Report. Officials warn that this continued trend warrants an adjusted approach to cybersecurity, with a significant focus on defending and mitigating threats in cloud environments.

Implications for the Commercial Space Industry

The push for cloud-based infrastructure is increasingly relevant for the commercial space industry, particularly as it pertains to ground-based assets and the ground station-as-a-service (GSaaS) model. While adapting to hybrid solutions for ground station architecture is a logical and beneficial evolution for the industry, it is important to identify the inherent risks that come with it so that proactive defense measures can be implemented.

First, introducing internet-facing systems to ground architecture broadens the cyberattack surface significantly, opening a host of new endpoints and making it difficult to air-gap systems. As stated in the conference paper titled Ground Station as a Service: A Space Cybersecurity Analysis, “By introducing a familiar corporate IT environment by interfacing cloud services with ground stations, GSaaS increases the susceptibility of the ground station to techniques, tactics and procedures that organized crime groups are already highly proficient in.”

Second, the increased accessibility to GSaaS offerings via services like Azure Orbital and AWS Ground Station allows for reconnaissance activities from potentially malicious actors via increased visibility. “With access to cloud environments being affordable for small organizations and individuals, their inclusion in GSaaS equips even unsophisticated threat actors with the option of buying access to a ground station themselves and probing for vulnerabilities from the inside,” the paper states. These risks are furthered by the increased targeting of cloud-related assets by threat actors in recent years.

In general, transitioning components of the space architecture to cloud-based services introduces the risks of internet-facing IT environments, which inevitably exposes GSaaS providers to a host of threats that may not be factored into air-gapped physical architecture. This observation is underscored by the increasing adaptation of direct-to-device services, allowing users to interact with satellites from mobile platforms and representing a significant increase in attack surface. As the satellite services market becomes more competitive and accessible, it is important to consider the myriad of cyber threats, particularly those that are targeting cloud services. The growing digitization of space architectures creates a corresponding range of vulnerabilities to many of the most commonly observed TTPs, including the use of valid accounts, brute force techniques and internet-facing applications and services.

Defense and Mitigation

To address these vulnerabilities, the National Security Agency (NSA) released a list of ten cloud mitigation strategies, providing organizations a guide to harden security in cloud environments. The best practices include using secure cloud identity and access management, implementing network segmentation and encryption in cloud environments and managing cloud logs for effective threat hunting. NSA officials reiterate that while the cloud can enhance IT efficiency and security, the aggregation of critical data also renders cloud services an appealing target for adversaries. This sentiment is especially germane to the commercial space industry. As more service providers transition to the cloud, it underscores the need for proactive and innovative approaches to defense in securing cloud environments.

---

Briefing 18: Living off the Land Techniques Pose a Persistent Cyber Threat to Space, Critical Infrastructure

2/20/2024

On 7 February 2024, several international government agencies released an advisory detailing how state-sponsored actors are achieving persistent access to U.S. critical infrastructure. Their findings correlate observed behavior from several sophisticated hacking entities over the last two years, highlighting the prevalence of Living off the Land (LOTL) techniques as both a favored initial access vector and a challenge for network defenders. Network-based attacks of this nature are particularly alarming for the space industry due to its complex network topology and ongoing digitization of ground stations, supported by the widespread adoption of the ground station-as-a-service (GSaaS) framework.

The adoption of LOTL techniques has gained traction in recent years, underscored by its use in several high-profile campaigns conducted since 2021. In many instances, threat groups are employing these tactics to gain persistent access to IT networks for disruptive cyberattacks against critical infrastructure, as stated by officials at the Cybersecurity and Infrastructure Security Agency (CISA). These recent developments follow observed activity from a slew of sophisticated cyber threat actors who have found success through the exploitation of small office/home office (SOHO) routers and other edge network devices. Notable examples include campaigns by BlackTech, BianLian and Volt Typhoon threat actors.

BlackTech is categorized as a cyber espionage group and has been active since 2012, most recently involved in a campaign targeting Cisco network equipment in U.S. and Japanese organizations. This activity, detailed in Threat Briefing 14, demonstrates how threat actors have used LOTL techniques to modify router firmware images and leverage domain-trust relationships for persistent access.

BianLian, a ransomware as a service (RaaS) developer and provider, focuses on extortion-based attacks targeting U.S. critical infrastructure sectors. With a name that translates loosely to “the art of changing faces,” BianLian is an adaptive threat group that has used LOTL tactics for reconnaissance and lateral movement to infiltrate network environments in the U.S.

Volt Typhoon is categorized as an advanced persistent threat (APT), has been active since 2021 and is a leader in the application of LOTL techniques. According to a Microsoft Threat Intelligence advisory in March 2023, Volt Typhoon has targeted critical infrastructure entities in Guam and the U.S., relying heavily on exploitation of local and network infrastructure, as well as living off the land binaries (LOLBins). To maintain persistence, the group leverages compromised SOHO network devices to obfuscate traffic and avoid detection.

The recent Joint Cybersecurity Advisory provides new insights into these group’s behavior, indicating that “Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations.” Officials assert that the purpose of these campaigns is to pre-position access on IT networks to enable lateral movement into operational environments, posing concerns to both manufacturing and supply chains for critical industries including space. Estimates claim that threat actors have used this approach to maintain persistence for over five years without significant detection.

The increasing use of Living off the Land techniques by cyber threat actors, as highlighted in the recent government advisory, presents a significant challenge for organizations, especially those in critical sectors like space. The correlation between the advisory’s findings and the observed behavior of sophisticated threat groups over the past year underscores the urgency for improved cybersecurity measures.

The cases of BlackTech, BianLian and Volt Typhoon demonstrate the diverse ways threat actors are leveraging LOTL techniques for malicious purposes, from cyber espionage to ransomware attacks. These groups’ ability to exploit network vulnerabilities and maintain persistence through compromised devices poses a serious threat to national security and the economy. As LOTL techniques continue to evolve, it is essential for organizations to remain vigilant and proactive in their cybersecurity efforts to protect against these sophisticated cyber threats.

---

Briefing 17: Surge in Telecommunications Cyberattacks Pose Implications for the Global Space Industry

1/23/2024

In December 2023, one of the largest telecommunication firms in Ukraine was taken offline by a cyberattack, leaving millions of Ukrainian citizens without mobile phone or internet service for an extended duration. This attack marked a significant turning point in the cyber warfare of the Russian-Ukraine war and highlights a growing trend of cyber threat actors going after high-profile targets in the telecommunications sector. Since the Kyivstar attack in late 2023, there have been multiple cyberattacks targeting international telecommunications organizations contributing to this growing trend.

Examples of this activity include the Spanish telecommunications firm Orange, that was targeted by an info stealing malware, a cyberattack on the Malaysian telco Celcom, where the threat actor claimed to be selling the company’s source code, and most recently, a UAE-based satellite services provider, who allegedly has been the target of the notorious Anonymous Sudan hacking group. These recent attacks on telecommunications companies have had a range of effects, from minor financial impacts to significant outages or theft of proprietary information.

Regardless of the attack type or threat group responsible, it appears that many cybercriminals are finding value in compromising the broader communications sector. This could be due to the general impact on civilian and military operations, as reliable communication networks are a critical component of national security. This trend serves to only expand the threat landscape for the commercial space sector, as firms and users alike will shift to become more reliant on space to maintain or supplement communications, as is the case with Ukraine’s continued use of Starlink services. This expansion of reliance on satellites represents an increase in attack surface and may even position satellite services in the crosshairs of nation-states whose goal is to disrupt communications and other critical functions.

Another important correlation to consider is the role of space-based assets in supporting telecommunications infrastructure. Satellites play a crucial role in extending the reach of terrestrial telecommunications networks, especially in remote or underserved areas. However, this reliance on satellite-based communications also introduces new vulnerabilities that cyber threat actors may exploit. As the demand for satellite-based services continues to grow, ensuring the security and resilience of these systems against cyber threats becomes paramount for both the telecommunications and space industries.

Furthermore, the commercial space domain is increasingly reliant on interconnected networks and data systems for various operations, including satellite launches, space exploration missions and satellite-based services. These networks are susceptible to cyberattacks that can compromise sensitive data, disrupt operations or even sabotage space missions. The growing trend of cyberattacks on telecommunications firms underscores the need for robust cybersecurity measures across the entire space ecosystem.

---

Learn More About Space ISAC

Are you interested in learning more about threats to space systems? Visit our website at spaceisac.org to learn more about security for space and how to become a member.