Constellations is pleased to welcome Space ISAC as a regular contributor sharing information about real-world cybersecurity and other threats to space systems around the world. Learn more about ISACs including Space ISAC.

Space ISAC logo Space ISAC logo
Joel Francis
Joel Francis
Space ISAC Intelligence Coordinator
Space ISAC logo
Joel Francis
Joel Francis
Space ISAC Intelligence Coordinator
Threat Briefing

Helping the space industry stay aware of
incidents, threats & vulnerabilities

Helping the space industry stay aware of incidents, threats & vulnerabilities

Briefing 28: Spear-Phishing Campaign Highlights Growing Concern of Intellectual Property Theft Targeting Space Entities

11/27/2024 Link icon

A smartphone displaying the NASA logo with a blurred larger version of the logo in the background.

Executive Summary

In September, the U.S. Department of Justice indicted a Chinese national on charges of wire fraud and identity theft due to their attempts to fraudulently obtain computer software and source code belonging to NASA, in addition to other research entities and private companies. According to the DOJ statement, the individual utilized aggressive spear-phishing and social engineering tactics to conduct the compromise. The attack involved the use of email accounts that impersonated U.S.-based researchers and engineers to obtain restricted software and proprietary source code. The stolen tools were integral to aerospace engineering and computational fluid dynamics, with applications ranging from civilian research to advanced tactical missile development. The individual’s employer, Aviation Industry Corporation of China, is a state-owned aerospace and defense conglomerate, further underscoring the potential alignment of these activities with state interests.

The incident underscores the continued effectiveness of focused spear-phishing tactics to target even the most high-profile organizations. Even in 2024, spear-phishing remains one of the most effective initial access vectors in cyber campaigns. Its success lies in its targeted and deceptive nature, leveraging social engineering to exploit trust. According to the 2024 Verizon Data Breach Investigations Report, phishing attacks accounted for approximately 25% of breaches, with over 50% of those involving credential theft. Metrics from government sources reinforce this assessment. The FBI’s 2023 Internet Crime Report noted that phishing, including spear-phishing, was the most common attack vector, with nearly 300,000 cases reported resulting in $18 million in reported losses in the U.S. alone. Similarly, CISA highlights phishing in its “Top Routinely Exploited Vulnerabilities” advisory, identifying it as a persistent threat to both public and private sectors.

Spear-phishing tactics are often used alongside social engineering to conduct reconnaissance and espionage operations. Historical data shows that threat actors often target space researchers and organizations for espionage purposes, largely tied to technology exchange and theft of intellectual property. In a report released by the Office of the Director of National Intelligence, officials state that foreign intelligence entities, “see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise.” In the attack against NASA, the targeted software could enhance China’s aerospace and military capabilities, bypassing years of research and development costs. This aligns with broader trends of intellectual property theft driven by government-backed actors, as nation states compete for dominance in space.

This incident is just the latest in a series of cyberattacks targeting NASA, and other entities involved in aerospace research and development. Metrics from a 2024 report published by the US Government Accountability Office state that the space agency has experienced over 6,000 attacks in a four-year span. For example, in 2019, NASA revealed a significant breach where attackers compromised Jet Propulsion Laboratory networks through an unauthorized Raspberry Pi device. The breach raised concerns about supply chain vulnerabilities and endpoint security at the agency. Additional insights from the Space ISAC Watch Center have identified numerous claims of targeting NASA infrastructure in 2024 so far. Most of these attacks are aimed at disrupting NASA public resources or exfiltrating files from NASA databases and selling them on popular leak forums, demonstrating that threat actors of all calibers perceive NASA as a valuable target.

The NASA spear-phishing campaign exemplifies the intersection of state-sponsored espionage, cyber vulnerabilities and technological competition. As NASA and other agencies become increasingly reliant on advanced software for mission-critical operations, they must navigate a persistent threat landscape. By analyzing incidents like this and implementing robust countermeasures, the space industry can better protect its intellectual property and maintain technological confidentiality. The continued focus on spear-phishing highlights the need for a proactive, multi-faceted defense strategy that includes technological, educational, and legal measures. Addressing these challenges will require ongoing collaboration between government entities, private industry and international partners.


Briefing 27: Adversaries Develop new Tactics for Breaching Air-Gapped Networks

10/29/2024 Link icon

Abstract glowing USB key with an image of Earth inside, set against a dark, textured background.

Executive Summary:

On October 7, security firm ESET disclosed a cyber campaign targeting air-gapped systems at a European government organization. This campaign, conducted between May 2022 and May 2024, has been attributed to GoldenJackal, an advanced persistent threat (APT) group known for its cyber espionage activity since 2019. GoldenJackal specializes in breaching isolated environments through modular toolsets that use removable media and network-adaptive malware to deliver and execute malicious payloads. The group’s prior breach of a South Asian embassy in 2019 underscores its focus on high-value isolated networks, indicating a sustained interest in circumventing traditional security boundaries.

Analysts assess these findings as a potential warning for critical infrastructure sectors that rely on air-gapped networks for secure operations. GoldenJackal’s activities expose vulnerabilities in non-internet-facing networks, demonstrating how removable drives—a commonly trusted medium for data transfer—can serve as entry points for sophisticated malware. This tactic highlights the evolving risk landscape for air-gapped networks, particularly in critical infrastructure sectors like satellite ground stations, which often rely on such systems to remain insulated from network-borne threats.

Toolset:

GoldenJackal’s toolkit leverages a modular .NET-based framework designed to operate across both internet-connected and isolated environments. Key capabilities include file exfiltration, credential theft and system information gathering. The toolkit adapts based on network connectivity, executing different actions depending on whether an internet connection is detected. For instance, in networked environments, it downloads additional payloads from command and control (C2) servers, which are then transferred to USB drives. When internet access is unavailable, it executes stored malware directly from the drive, allowing propagation within an air-gapped system.

GoldenJackal’s modular design enables it to split tasks across various components focused on collection, processing, distribution and exfiltration, facilitating a stealthy and highly adaptable approach. This adaptability reflects the group’s comprehensive understanding of secure network architectures and underscores their evolution from conventional network-based attacks to a refined approach suitable for penetrating air-gapped networks.

Threat to Critical Infrastructure:

GoldenJackal’s ability to infiltrate air-gapped networks without direct physical access represents a significant advancement in attack methodologies. Traditionally, air-gapped systems are isolated from network-based attacks, with entry points largely limited to authorized removable media. GoldenJackal bypasses this isolation by infecting user-owned drives with malware, allowing it to reach systems previously out of reach for remote actors. This method eliminates the need for physical access or the social engineering tactics typically required to distribute infected media, thus presenting a more scalable threat to isolated networks.

By challenging long-held assumptions about the security of air-gapped networks, GoldenJackal’s tactics underscore the vulnerability of critical infrastructure. Operational environments—such as water and wastewater systems in the U.S.—have previously been targeted using similar tactics to exploit vulnerabilities in programmable logic controllers and industrial control systems. This attack model may readily extend to satellite ground infrastructures, highlighting the broader risks facing critical sectors reliant on isolated systems for data integrity and operational security.

Potential Implications for the Space Sector:

Though there is no direct evidence of GoldenJackal targeting space assets, the group’s approach is highly relevant to the sector. Satellite control and ground infrastructure systems may limit internet connectivity and utilize secure, removable drives to update systems and transfer data in air gapped environments. These characteristics align closely with GoldenJackal’s toolkit and methods, which could be repurposed to breach similar isolated networks.

In the space domain, ground systems are vital for data transmission and satellite control. The compromise of these systems could disrupt operations, jeopardize data integrity and undermine secure communication. GoldenJackal’s adaptable toolkit and ability to leverage removable media as an attack vector highlight a pressing need for security measures that can anticipate and mitigate such advanced threats. As threat actors continue developing techniques to breach even the most secure network environments, it is imperative for organizations to account for these strategies across both networked and isolated systems.

Conclusion:

GoldenJackal’s campaign exemplifies how APTs are adapting their tactics to breach secure air-gapped networks traditionally viewed as impervious to remote cyber threats. By leveraging removable media as a bridge into isolated networks, GoldenJackal’s methodical approach exploits industry-standard practices for system maintenance and data transfer within air-gapped systems.

This campaign emphasizes the need for updated protocols governing removable media use and continued monitoring of advanced threat tactics targeting critical infrastructure. For sectors like space, which rely heavily on isolated networks, GoldenJackal’s toolkit illustrates the need for proactive defenses and an understanding that APTs are adapting traditional attack techniques to circumvent even the most robust network defenses. Ensuring the security of air-gapped systems remains a crucial objective as threat actors advance their capabilities to reach these highly secure environments.


Briefing 26: Active Cyber Threats to the Space Supply Chain: Analysis of the TIDRONE Campaign

10/2/2024 Link icon

A worker in a high-visibility jacket and hard hat sits at a desk in front of a computer, leaning forward with their head in their hands, suggesting stress or fatigue.

Executive Summary:

In September 2024, security firm Trend Micro published a report identifying a threat group named “TIDRONE”, which had conducted a cyber espionage campaign targeting entities in Taiwan’s military and satellite industries. Initial findings from the report revealed that TIDRONE actors are actively targeting both satellite industries and drone manufacturers, suggesting a coordinated effort to infiltrate high-value targets tied to aerospace and defense. Further analysis provided by security firm Acronis, which tracked the campaign under the alias "Operation WordDrone," adds key details regarding the exploitation of Taiwanese enterprise resource planning (ERP) software, indicating the campaign may be associated with a supply chain attack.

These activities are assessed as part of a wider trend of cyber espionage aimed at stealing sensitive information within the global military technology sector, including satellite and drone technology. Notably, several elements within this campaign highlight the escalating threat environment for the space industry, particularly the surge in drone production, its considerable overlap with space technology, and the significance of Taiwan as a hub for aerospace and military production.

Attack Pattern:

TIDRONE actors utilized enterprise resource planning (ERP) and remote desktop tools to deploy sophisticated malware toolsets identified as CXCLNT and CLNTEND.

These sophisticated malware families are specifically used to exploit system vulnerabilities and steal sensitive data. The CXCLNT strain is deployed for a range of purposes, most notably the uploading and downloading of files, and the collection of victim information, such as file listings and computer names. The CLNTEND malware is a remote access tool (RAT) that was first identified in attacks conducted in April 2024, and this RAT supports a wide range of network communication protocols.

This versatility allows attackers to adapt to different environments and ensures continuous data exfiltration, even in highly secured networks. Both malware variants play a pivotal role in stealing sensitive data, including intellectual property, and enable extensive system exploitation through lateral movement across compromised networks.

The group’s attack pattern involved a technique known as DLL side-loading, in which attackers manipulate the loading of dynamic link libraries (DLL) by hijacking a program’s library calls. In this instance, TIDRONE actors exploited an outdated version of Microsoft Word to load and execute malicious files. The attackers used a modified version of a legitimate DLL to act as a loader, which ran shellcode to decrypt and execute the CXCLNT and CLNTEND payloads. Researchers noted that the loader included additional features for persistence and defense evasion. Additional reporting shows that attackers used a tool called “EDRSIlencer” to avoid endpoint detection and firewall protections.

Supply Chain Attack:

Reports suggest this campaign may have been a supply chain attack, as it involved repeated targeting of the same ERP systems and remote access tools across multiple victim environments. Specifically, the attackers leveraged Virtual Network Computing (VNC) technology, particularly UltraVNC—a program that allows remote control of servers and clients—to launch malicious executables using side-loading techniques. Additional reporting from Acronis revealed that Taiwanese ERP software Digiwin was deployed in victim environments during the Operation WordDrone campaign. Researchers indicate that this platform may have been exploited as an initial access vector, due to vulnerabilities known to exist in the software’s components.

Significance to Space:

The space industry shares critical technological parallels with other sectors targeted by TIDRONE, particularly drone manufacturing. The use of remote access tools like UltraVNC in both industries is a notable overlap. As space companies often rely on remote systems to manage satellite ground stations and sensitive communication networks, the same techniques used to exploit these tools in other industries could be leveraged against space operations.

In the context of supply chain risks, the close relationship between space and drone manufacturers, particularly in regions like Taiwan, creates additional vulnerabilities. Taiwan’s role as a U.S. ally and a leader in technological innovation makes it a focal point for espionage campaigns, and any compromise in drone manufacturing could cascade into the space industry. Given the high value of intellectual property and operational data in space systems, successful infiltration by actors like TIDRONE could lead to far-reaching consequences for national security and commercial space operations alike.

Sector Targeting:

The TIDRONE campaign’s focus on ERP and remote access technologies aligns with similar methodologies seen in attacks on the space sector. Both sectors utilize these systems to maintain operational continuity, and their exploitation could disrupt essential services or enable widespread data theft. By targeting interconnected sectors like drone and aerospace manufacturing, TIDRONE actors seek to exploit supply chain weaknesses, increasing the potential for lateral movement into critical space infrastructures. The trend toward using VNC technologies across industries underscores the need for heightened cybersecurity awareness in the space industry.


Briefing 25: Peach Sandstorm Group Targets Space Sector in New Espionage Campaign

9/4/2024 Link icon

The image shows a person holding a smartphone displaying a message labeled with a large red stamp that says 'SCAM!'

Executive Summary:

Throughout 2024, there have been multiple sophisticated cyber campaigns targeting space organizations and related technologies. These attacks are often driven by the desire of nation states to gain a competitive advantage through access to sensitive information and technology exchange. One of the most prominent threat groups involved in these activities is Peach Sandstorm, an Iranian-sponsored actor known for its sophisticated cyber espionage operations. Peach Sandstorm has made significant strides in its operational capabilities, particularly in targeting the aerospace sector, deploying customized malware, and utilizing advanced social engineering tactics.

On 28 August 2024, Microsoft Defender Threat Intelligence released a detailed report on Peach Sandstorm’s latest campaign. This operation saw the deployment of a new multi-stage backdoor malware dubbed “Tickler”, used to target entities in multiple sectors, including satellite and communications. This latest campaign marks the third instance of space-targeting by this group between September 2023 and August 2024 and underscores the continued development of unique backdoors by Peach Sandstorm and other threat groups.

Attack Pattern:

Historically, Peach Sandstorm has employed password spraying in combination with social engineering tactics, often leveraging professional networking platforms like LinkedIn to trick individuals into revealing login credentials. For instance, in March 2024, researchers observed Peach Sandstorm (tracked under the alias Curious Serpens) using phishing lures aimed at job seekers in the aerospace and defense sectors. These lures were part of a broader strategy that ultimately led to the deployment of backdoor malware known as “FalseFont”. Peach Sandstorm’s prolonged activity has led the group to be classified as an advanced persistent threat (APT 33) by Mandiant.

In its most recent campaign, Peach Sandstorm has refined its tactics, techniques, and procedures (TTPs), incorporating the use of Microsoft Azure infrastructure for command and control (C2) services. This shift underscores the growing trend among sophisticated threat actors to exploit cloud services for malicious activities. This adaptation demonstrates Peach Sandstorm’s ability to evolve its approach in response to emerging technologies and defenses.

Overall, Peach Sandstorm’s recent operations have primarily focused on organizations operating in the aviation and satellite sectors, both in military and commercial contexts. Their choice of high-value targets suggests the group’s operations are designed to facilitate intelligence collection in support of state interests.

Tickler Malware:

The Tickler malware, central to Peach Sandstorm’s latest campaign, is a customized, multi-stage backdoor designed to download additional malware onto compromised systems. The payloads deployed by Tickler are capable of performing various malicious activities, including collecting system information, executing commands, deleting files, and facilitating data exfiltration to a C2 server. This malware represents a significant advancement in Peach Sandstorm’s capabilities, demonstrating the group’s continued focus on developing sophisticated tools for espionage purposes.

Microsoft’s report also highlights Peach Sandstorm’s increased reliance on LinkedIn for intelligence gathering and social engineering attacks. These techniques, combined with password spraying and other TTPs, have become hallmarks of Peach Sandstorm’s operations, allowing the group to successfully infiltrate and compromise high-value targets.

History of Space Sector Targeting:

Peach Sandstorm’s interest in the aerospace sector is not new. Beginning in 2016 and continuing into 2017, the group, known at the time as APT33, expanded its targeting to include aerospace and aviation-related organizations. During this period, they also targeted the petrochemical sector, using spear phishing emails designed to lure recipients with job vacancy announcements. These emails contained malicious attachments that, when opened, initiated a sequence of infections. In 2023, Microsoft observed password spray attacks targeting thousands of organizations that were directly attributable to Peach Sandstorm.

Between April and July 2024, Peach Sandstorm conducted the aforementioned cyber espionage campaign that leveraged Microsoft’s Azure infrastructure for C2 purposes. During this period, the group also conducted password spray attacks targeting the educational sector for infrastructure procurement, while focusing on the satellite, government, and defense sectors for intelligence gathering. The group also relied on social engineering efforts in attacks against organizations in the higher education, satellite, and defense sectors, targeting victims via the LinkedIn professional networking platform.

Table 1: Peach Sandstorm Targeting History

Time Period Campaign Details
Apr – Jul 2024 Peach Sandstorm deployed “Tickler” backdoor in attacks against satellite, communications equipment, oil and gas, and government sectors in the United States and United Arab Emirates.
Dec 2023 – Mar 2024 *Curious Serpens threat actors deployed “FalseFont” backdoor by mimicking legitimate HR software and impersonating an aerospace organization.
Feb – Sep 2023 Peach Sandstorm targeted global satellite, defense, and pharmaceutical sectors in a series of password spraying attacks.
Mar 2023 Peach Sandstorm conducted a Golden SAML (security assertion markup language) attack to bypass authentication and access a target’s cloud resources.
2018 – 2019 *HOLMIUM conducted a series of cloud-based attacks against multiple organizations through password spray activities, exploitation of CVE-2017-11774, and the abuse of Microsoft Exchange services.
2016 – 2017 *APT33 targeted aerospace and energy sectors headquartered in the United States, Saudi Arabia and South Korea via destructive malware.
* Indicates alias of Peach Sandstorm threat group

Conclusion:

Peach Sandstorm’s continued targeting of the aerospace sector underscores the persistent and evolving nature of Iranian cyber espionage operations. The group’s ability to adapt its tactics, such as the use of cloud infrastructure for C2 operations and the deployment of customized malware like Tickler, highlights the growing sophistication of state-sponsored threat actors. Organizations looking to stay vigilant of these threats can review best practices for protecting against password spray attacks, as well as indicators of compromise (IOCs) associated with the Tickler Backdoor via Microsoft’s recent publication.


Briefing 24: Andariel Emerges as a Persistent Cyber Threat to Aerospace and Defense Entities

8/7/2024 Link icon

Engineers at an aerospace agency monitors satellite design and orbital trajectory data on computer screens in a high-tech lab.

Executive Summary

In recent years, the global space sector has become an increasingly attractive target for nation-state actors seeking to gain strategic advantages. These actors often engage in cyber espionage to steal sensitive information and intellectual property, aiming to either disrupt space sector entities or enhance their own national space programs. Over the last year, several notable cyber espionage campaigns have specifically targeted space entities. Among these, recent reports have highlighted the activities of Andariel, a North Korean-linked hacking group, that has launched a global campaign against defense, aerospace, nuclear, and engineering organizations across the United States, Japan, South Korea, and India. This campaign is a stark reminder of the prevalence of state-sponsored cyber threats and their ongoing efforts to infiltrate space-related industries for espionage and intelligence collection.

Attack Pattern

Known for its sophisticated tactics and strategic objectives, Andariel has recently expanded its operations to include ransomware attacks against healthcare providers, energy companies, and financial institutions worldwide. Recognized for its formidable capabilities, Mandiant has since classified Andariel as an advanced persistent threat (APT45), emphasizing its sophistication and pervasiveness.

Andariel's operational history indicates a consistent focus on military and governmental personnel, aiming to gain access to sensitive information such as contracts, design drawings, bills of materials, and other critical engineering documents. Recent reports also indicate that Andariel has intensified its efforts to infiltrate aerospace entities, seeking to extract valuable intellectual property and technological insights that could enhance its state's defense and nuclear programs. According to assessments from federal agencies, this intelligence is leveraged to support North Korea's military and nuclear ambitions.

Andariel's attack methodology reflects a sophisticated understanding of modern cyber vulnerabilities. The group prioritizes the exploitation of web servers, often targeting known vulnerabilities in widely used applications. Notably, the group has capitalized on the infamous Log4j vulnerability, an Apache-based flaw that has been exploited globally since 2021. Andariel's proficiency in weaponizing vulnerabilities is evident in its array of exploits that target applications and devices commonly used in a variety of industries. Many of the targeted platforms have specific applications to space technology, from message brokers like Apache ActiveMQ, which can be used to handle communications between satellite networks, as well as devices that provide edge security and load balancing like Citrix Netscaler. The exploitation of these systems has been a key component of Andariel's initial access campaigns over the past two years, highlighting the group's technical prowess and adaptability.

Beyond exploiting technical vulnerabilities, Andariel employs a variety of social engineering techniques to infiltrate target networks. Phishing remains a central tactic, with the group distributing malicious attachments and .zip files to unsuspecting victims. These phishing campaigns are meticulously crafted to deceive users into executing malware, thereby granting Andariel access to sensitive systems and information.

Space Sector Targeting

Recent intelligence reports indicate that Andariel has shifted its focus towards the aerospace sector, engaging in cyber espionage campaigns designed to exfiltrate intellectual property related to satellite technology and communications. This strategic pivot aligns with North Korea's broader objectives to advance its technological capabilities and bolster its defense and nuclear programs.

Federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), have documented Andariel's targeted attacks on aerospace entities, revealing the group's interest in satellite, satellite communications, and nano-satellite technology. In a recent advisory published by Microsoft Threat Intelligence on 25 July 2024, it was reported that Andariel, tracked under the alias "Onyx Sleet," deployed a Sliver implant—an open-source command-and-control (C2) framework—across multiple operators. This campaign, active from October 2023 to June 2024, successfully compromised several aerospace and defense sector entities, highlighting the group's capability to execute long-term, coordinated attacks on critical infrastructure.

A table titled 'Andariel Cyber Espionage Victimology' lists various industries (Defense, Aerospace, Nuclear, Engineering) and the specific types of information targeted within each industry.
Table 1: Andariel Cyber Espionage Victimology

Ransomware Operations

Andariel's activities are not limited to espionage. The group has been actively involved in ransomware attacks, particularly targeting the U.S. healthcare sector. This approach is consistent with North Korean state-sponsored groups' broader strategy of using ransomware to circumvent U.S. sanctions and fund more advanced cybercriminal operations. By deploying ransomware payloads, Andariel effectively blurs the line between espionage and cybercrime, utilizing financial extortion as a means to support its strategic objectives. These ransomware operations serve dual purposes: generating revenue and creating a smokescreen for more covert espionage activities.

Conclusion

Andariel's recent campaigns against aerospace entities represent a significant escalation in its cyber operations, underscoring the evolving threat to commercial space. The group's ability to exploit technical vulnerabilities, coupled with its strategic focus on extracting sensitive information, reinforces the importance of robust cybersecurity measures and international cooperation to mitigate these types of sophisticated threats. Andariel’s activities are not isolated incidents but part of a broader pattern of state-sponsored campaigns aiming to extract valuable information and technology from space sector entities. As space continues to emerge as a crucial frontier for national security and economic growth, understanding and countering these cyber threats is imperative for maintaining global stability and protecting the integrity of space operations.


Briefing 23: Space Sector at Risk as Ransomware Groups and Nation State Actors Collaborate

7/10/2024 Link icon

A person wearing a hoodie is sitting in front of multiple computer screens displaying code and data in a dimly lit room.

Executive Summary:

Ransomware attacks have evolved from mere financial nuisances to critical threats that affect every major industry sector. With the rise of ransomware threats, the cyber threat landscape has become especially obscured with a host of new ransomware groups, affiliates, and state sponsored actors. In an environment where attribution is king, the constant rebranding and resurfacing of ransomware groups has made attribution of these threats difficult. Research from Sentinel Labs suggests that this complex attribution environment may be intentional, as ransomware is being used in coordination with state-sponsored espionage activities. By encrypting and holding data hostage, ransomware provides a perfect cover for illicit data exfiltration and intelligence-gathering activities, effectively obfuscating state-sponsored espionage under the guise of a typical cybercriminal operation.

Increasingly, ransomware groups appear to align their targeting with the geopolitical interests of nation-states. Pro-Russian ransomware groups have escalated their attacks on NATO entities, reflecting Russia's strategic goals and political tensions with the West. Similarly, Iranian threat actors have intensified their cyber assaults on Israeli and U.S. organizations, leveraging ransomware to further national objectives amid ongoing regional conflicts. These alignments suggest a deeper collaboration between criminal entities and state actors, where shared infrastructure and toolsets further enumerate the complexities of the cyber threat landscape for space.

Researchers at Sentinel Labs have released findings from two clusters of threat activity between 2021 and 2023. The majority of observed activity involved ransomware and exploitation techniques; however, reporting associates these actions with state-sponsored group ChamelGang. Researchers further suggest that the ransomware payloads in these campaigns were used as a tactic for obfuscation, specifically to cause misattribution of their actions as financially motivated, which could create plausible deniability for claims of espionage.

This technique has been observed multiple times in recent years by other advanced persistent threats (APTs). In 2021, researchers attributed an extended campaign to a threat grouping tacked as BRONZE STARLIGHT, which involved the use of several ransomware strains that were deployed to victim networks following the initial compromise. In 2022, the Sandworm APT group deployed ransomware alongside destructive wiper malware samples, demonstrating the use of tools commonly used by cyber criminals alongside state-sponsored activity. During that same timeframe, wiper malware samples were also deployed against satellite networks in Ukraine, causing outages in the region. Lastly, in 2022, researchers investigated a campaign, initially attributed to the BianLian ransomware group, that was revealed to be an intelligence gathering operation by the state-sponsored Lazarus group.

These are just a few examples of the use of ransomware tactics, techniques and procedures (TTPs) as cover for more sophisticated campaigns focused on espionage and data destruction. More recent examples of this potential alignment include an APT dubbed UNC1549 that has conducted cyber espionage activity targeting aerospace and defense sector organizations in the middle east over the last year. Concurrently, reporting shows a significant increase in ransomware attacks in the Middle East and Africa region, showing a 68% rise in victims over a similar period.

As the international space race intensifies, the incentives for cyber criminals to target space companies with disruptive cyber-attacks, including ransomware, have grown significantly. The space sector's strategic importance, coupled with its increasing reliance on digital infrastructure, also makes it an attractive target for nation-states seeking to disrupt critical services, gather intelligence, or sabotage rival space programs. New findings in the use of ransomware TTPs in these campaigns bring new significance to ransomware activity, as ransomware attacks could be indicative of a more serious threat.

Throughout 2024, Space ISAC has identified approximately 25 space-related organizations that were targeted by ransomware attacks, along with five separate espionage campaigns aimed at global aerospace and space sectors. This data is derived from Space ISAC’s Open-Source Cyber Analysis Report (OSCAR) and analysts emphasize that this figure may be conservative, as many ransomware attacks go unreported. This figure has continued to rise in recent years, perpetuated in some cases by geopolitical conflicts and an overall increased interest in the space sector as a target for opportunistic and strategic threat actors alike.

The growing use of ransomware and its potential alignment with espionage activity underscores the importance of reporting and understanding ransomware attacks of all kinds. Through detailed tracking and analysis of these incidents, the commercial space community can gain deeper insights into the methods and motivations behind these threats, ultimately improving defensive strategies and resilience against future attacks.


Learn More About Space ISAC

Are you interested in learning more about threats to space systems? Visit our website at spaceisac.org to learn more about security for space and how to become a member.

What is Space ISAC?

Space ISAC logoISACs are a special category of non-profit organizations identified by the U.S. government focused on sharing cybersecurity threat information within critical infrastructure industries. ISACs are sector-specific, member-driven organizations that serve to foster information sharing and collaboration between public and private sectors. There are 26 sector-based ISACs (short for Information Sharing and Analysis Center) in industries such as Financial Services and Information Technology.

Space ISAC was conceived by the Science and Technology Partnership Forum in response to increased reports of gaps in information sharing within the cybersecurity and space communities. Officially launched in 2019, Space ISAC’s mission is to enhance the space community’s ability to prepare for and respond to vulnerabilities, incidents, and threats; disseminate timely information, and serve as the primary communications channel for the commercial space sector.

Space ISAC is in the process of standing up its Watch Center to monitor incidents, threats, and vulnerabilities of specific interest to space organizations. In the meantime, Space ISAC is tracking and reporting a variety of cybersecurity events and emerging threats that impact its members. Every two weeks, we will provide a briefing on a specific threat that will be of interest to the broader space community beyond our membership. Our thanks to Constellations for providing this channel for information sharing and communication.

To learn more about Space ISAC, its work and about becoming a member, visit spaceisac.org.

Subscribe to Email

Sign-up to receive email alerts when new webinars, podcasts and articles are available.

Subscribe to the Podcast

Stay up to date with the latest episodes delivered straight to your device!

Listen on Apple Podcasts Listen on Spotify Listen on Audible Subscribe to Podcast RSS

Podcast use is subject to Kratos Terms.