Helping the space industry stay aware of
incidents, threats & vulnerabilities

Briefing 31: Cyber Threats to Operational Technology in Aerospace and Aviation Supply Chains

3/11/2025

Overview:

On 28 February 2025, analysts identified reports that an advanced persistent threat (APT) group tracked as APT41 (aka Winnti) has been conducting a cyber espionage campaign targeting manufacturing companies worldwide. The activity was reported by CheckPoint researchers who observed the group exploit a virtual private network (VPN) vulnerability in Check Point security gateways, allowing them to gain initial access to the networks of dozens of operational technology (OT) organizations. The aerospace and aviation supply chains, which are critical to commercial space infrastructure, were among the key targets of this campaign, according to additional reporting from Dark Reading.

Attack Pattern

APT41’s attacks leveraged a Check Point VPN vulnerability to infiltrate OT networks. Once inside, they utilized the Winnti malware, which incorporates a unique rootkit to conceal communications and employs stolen legitimate digital certificates to bypass security measures. APT41’s tactics were consistent with those observed in past campaigns, focusing on small and mid-sized OT organizations that often lack the cybersecurity resources of larger enterprises.

After establishing access, the attackers moved laterally across networks, escalating their privileges to gain access to domain controllers and other critical systems. A key element of their strategy involved deploying the modular ShadowPad backdoor, a well-known tool in Chinese cyber espionage operations. ShadowPad provided persistent remote access, enabling the exfiltration of sensitive aerospace and aviation manufacturing data.

Threats Targeting OT Organizations

On 20 February 2025, researchers at Trend Micro reported on a campaign that had similar targets and tools used. Researchers noted that ShadowPad was also linked to ransomware deployments in manufacturing and OT environments, with similar targets to those observed by Check Point. Notably, this activity aligns with Check Point’s findings on APT41’s exploitation of VPN vulnerabilities, suggesting a potential convergence between cyber espionage and financially motivated cybercrime. This overlap suggests a strategic pivot among China-sponsored threat clusters, where traditional intelligence-gathering operations are being supplemented by ransomware-based extortion schemes.

While historically, Chinese APT groups have focused on long-term intelligence collection, the introduction of ransomware into their toolkit signifies an evolution in their tactics. ShadowPad, previously used exclusively for espionage, is now being leveraged to deploy the NailaoLocker ransomware, indicating a dual-purpose approach. This method allows attackers to extract sensitive intellectual property while simultaneously disrupting operations through financial extortion, increasing the overall impact on victims.

Significance to the Space Sector:

Operational technology (OT) organizations play a foundational role in the aerospace and aviation supply chains, supporting manufacturing, logistics, and infrastructure operations essential to space systems. Many aerospace companies rely on OT environments to oversee critical manufacturing processes, including the production of satellite components, propulsion systems and avionics. The impact of these attacks to aerospace suppliers demonstrates the growing risk to commercial space operations, as the compromise of these organizations could disrupt supply chains and present a downstream access vector to aerospace organizations.

Conclusion

The cyber campaign led by APT41 underscores the growing intersection of espionage and cybercrime within the OT sector, particularly in industries critical to space exploration and defense. The exploitation of VPN vulnerabilities and deployment of ShadowPad malware reveal a calculated strategy to infiltrate supply chains, steal intellectual property and leverage ransomware for financial gain.

To mitigate these risks, organizations within the aerospace and commercial space industries must prioritize cybersecurity measures, including the timely patching of vulnerabilities, implementing strong access controls and increasing awareness of supply chain risks. As threat actors continue to evolve their tactics, a proactive and coordinated cybersecurity approach will be essential to safeguarding the future of space operations and critical infrastructure.

---

Briefing 30: Ransomware in the Cloud: Threat Actors Turn to Storage Encryption for Extortion

2/12/2025

Overview:

Threat actors are rapidly adapting to the widespread adoption of cloud services, refining their tactics to exploit cloud-based storage, platforms and infrastructure. Ransomware operators in particular are leveraging the inherent characteristics of cloud ecosystems to enhance their encryption and extortion capabilities. The integration of cloud-native features into attack methodologies has introduced new threat vectors that pose significant challenges to traditional security measures.

In January of this year, reports surfaced of a threat actor tracked as “Codefinger” that introduced a novel method for encrypting data stored in Amazon Web Services (AWS) Simple Storage Service (S3) buckets. The attack leverages server-side encryption with customer-provided keys (SSE-C) to encrypt S3 objects. The threat actor then demands a ransom for the symmetric AES-256 keys required for decryption. Due to the nature of the SSE-C encryption model, recovery of stolen data is made impossible without the attacker-controlled encryption keys.

Attack Pattern:

The incident was first reported by Halcyon on January 13, identifying at least two confirmed victims affected by this attack. The attack sequence begins with the compromise of exposed cloud service API keys, granting initial access to the victim’s account. Once inside, the threat actors leverage valid credentials to access cloud storage, exfiltrate data and subsequently encrypt stored objects using a locally generated AES-256 key. These findings were later corroborated by the AWS Customer Incident Response Team, which reported an increase in unusual encryption activity associated with S3 buckets.

This attack does not exploit vulnerabilities in the cloud provider’s infrastructure but rather abuses legitimate security mechanisms and authorized access. This underscores the increasing risk associated with credential exposure, weak access controls and insufficient monitoring of cloud environments. Notably, cloud credential theft remains a persistent issue, with researchers recently uncovering over 15,000 cloud authentication credentials exposed in publicly accessible Git configuration files, further highlighting the ease with which attackers can obtain access to cloud environments.

These tactics also demonstrate another facet of living-off-the-land techniques, which have become increasingly prevalent in cyber campaigns. By leveraging native security features, threat actors can abuse privacy-oriented features as an effective way to extort victims.

Impact:

Cloud-based storage services have become a prime target for cyber threat groups due to their widespread adoption across critical industries and their role in securing sensitive data. According to CrowdStrike’s 2024 Global Threat Report, cloud intrusions have surged by 75%, highlighting the growing focus of adversaries on cloud environments.

Among these services, object storage solutions play a vital role in sectors such as aerospace, where they are commonly used for satellite imagery processing, sensor data storage, and communication log management. However, the misuse or exploitation of improperly secured cloud data can lead to severe consequences, including intellectual property theft, operational disruptions, and unauthorized data exposure. As adversaries increasingly integrate cloud-based assets into their attack strategies, these risks continue to escalate.

The rise of ransomware in cloud environments illustrates both the evolution of cyber extortion tactics and the growing sophistication of ransomware-as-a-service (RaaS) operations. While traditionally focused on enterprise and on-premises IT infrastructure, ransomware operators are now actively adapting their techniques to exploit cloud-native features. The attack methodology observed in this incident may inspire further adoption among other ransomware groups, broadening the scope of cloud-based extortion schemes.

To mitigate these threats, organizations must implement stringent access controls, continuous monitoring and multi-factor authentication. Additionally, to prevent unauthorized encryption of cloud data, security best practices recommend enforcing short-term credentials, monitoring for anomalous access patterns and restricting the use of certain encryption mechanisms unless explicitly required.

---

Briefing 29: Implications of the Ongoing Salt Typhoon Campaign on Telecommunications and Space

1/15/2025

Executive Summary

Over the past three months, U.S. Government officials have escalated warnings about cyberattacks targeting U.S. telecommunications firms and other U.S. critical infrastructure. These concerns are centered around the ongoing activities of Salt Typhoon (also known as Earth Estries), a China-backed advanced persistent threat (APT) group. Salt Typhoon is attributed to what some Congressional members have called the most significant telecommunications hack in U.S. history, affecting major telecom companies and resulting in the theft of sensitive correspondence data, including metadata and call details.

In addition to these breaches, U.S. officials report that Chinese hackers maintain persistent access to telecom systems supporting multiple critical infrastructure sectors. This access underscores the long-term espionage objectives of Chinese nation-state actors, with implications that extend beyond telecommunications to industries like space, defense, and aerospace.

To date, Salt Typhoon has managed to compromise nine major U.S. telecom companies, breaching their systems and exfiltrating vast amounts of sensitive data. Analysts have revealed that the stolen data includes metadata on where, when, and with whom individuals were communicating, offering adversaries a strategic advantage in intelligence gathering. The breaches have prompted urgent warnings from U.S. officials, who assert that nation state actors have maintained persistent access to telecom systems, enabling continuous surveillance and exploitation.

The pervasive nature of these campaigns stems from the ability of adversaries to exploit technical and operational weaknesses as an entry point into networks. Salt Typhoon actors achieve initial access by exploiting unpatched network devices and through “living-off-the-land” techniques to achieve and sustain long term access to critical systems. These tactics have become critical components of espionage campaigns targeting critical infrastructure sectors. Salt Typhoon’s operations also leverage sophisticated phishing tactics and social engineering ploys to entice users into providing access credentials to networks and devices. Once inside the target network, Salt Typhoon employs command and scripting interpreters to carry out additional malicious activities. The group extensively utilizes built-in tools commonly available in Windows environments, such as PowerShell and WMIC, to employ stealth, evade detection, and maintain persistent access in a compromised network. Similar campaigns, such as Volt Typhoon (2023), have demonstrated a consistent pattern of stealthy, persistent intrusions aimed at U.S. critical infrastructure, underscoring the growing concern towards long-term campaigns designed for persistent access to victim networks.

The scope of the Salt Typhoon campaign continues to expand, as the list of impacted companies grows to include large communication firms and internet service providers. Despite the focus on telecommunications, the potential for cross-sector impacts remains paramount due to concerns of shared infrastructure and supply chain risks. Findings from a similar campaign reported by Trend Micro show that attacks targeting telecommunications companies exploited cloud servers and databases in addition to vendor networks. Investment in 5G and direct-to-device capabilities strengthens the linkage between telecommunication firms and the commercial space industry. This increasing overlap introduces new potential risks for the space industry by opening the door to additional supply chain vulnerabilities in terrestrial infrastructure as a significant attack vector.

Space firms use routers, network devices, and management platforms like those exploited in the Salt Typhoon attacks. Exploitation of unpatched vulnerabilities in these devices could extend to satellite ground stations, command-and-control systems, and other mission-critical infrastructure. Additionally, the interconnected nature of supply chains between the telecom and space sectors means that compromised vendors in one industry can have cascading effects on the other.

Overall, the Salt Typhoon campaign is a stark reminder of the evolving threat landscape and the need for vigilance across all critical infrastructure sectors. For the space industry, the lessons from telecom breaches are clear: Shared vulnerabilities demand shared solutions. Global communications providers should also follow sector-specific guidance, including visibility and hardening practices for communications infrastructure, a joint advisory published by DHS CISA and international partners on December 04, 2024. By adopting proactive security measures and collaborating with industry peers, space firms can strengthen their defenses against sophisticated, state-sponsored cyber adversaries.

---

Briefing 28: Spear-Phishing Campaign Highlights Growing Concern of Intellectual Property Theft Targeting Space Entities

11/27/2024

Executive Summary

In September, the U.S. Department of Justice indicted a Chinese national on charges of wire fraud and identity theft due to their attempts to fraudulently obtain computer software and source code belonging to NASA, in addition to other research entities and private companies. According to the DOJ statement, the individual utilized aggressive spear-phishing and social engineering tactics to conduct the compromise. The attack involved the use of email accounts that impersonated U.S.-based researchers and engineers to obtain restricted software and proprietary source code. The stolen tools were integral to aerospace engineering and computational fluid dynamics, with applications ranging from civilian research to advanced tactical missile development. The individual’s employer, Aviation Industry Corporation of China, is a state-owned aerospace and defense conglomerate, further underscoring the potential alignment of these activities with state interests.

The incident underscores the continued effectiveness of focused spear-phishing tactics to target even the most high-profile organizations. Even in 2024, spear-phishing remains one of the most effective initial access vectors in cyber campaigns. Its success lies in its targeted and deceptive nature, leveraging social engineering to exploit trust. According to the 2024 Verizon Data Breach Investigations Report, phishing attacks accounted for approximately 25% of breaches, with over 50% of those involving credential theft. Metrics from government sources reinforce this assessment. The FBI’s 2023 Internet Crime Report noted that phishing, including spear-phishing, was the most common attack vector, with nearly 300,000 cases reported resulting in $18 million in reported losses in the U.S. alone. Similarly, CISA highlights phishing in its “Top Routinely Exploited Vulnerabilities” advisory, identifying it as a persistent threat to both public and private sectors.

Spear-phishing tactics are often used alongside social engineering to conduct reconnaissance and espionage operations. Historical data shows that threat actors often target space researchers and organizations for espionage purposes, largely tied to technology exchange and theft of intellectual property. In a report released by the Office of the Director of National Intelligence, officials state that foreign intelligence entities, “see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise.” In the attack against NASA, the targeted software could enhance China’s aerospace and military capabilities, bypassing years of research and development costs. This aligns with broader trends of intellectual property theft driven by government-backed actors, as nation states compete for dominance in space.

This incident is just the latest in a series of cyberattacks targeting NASA, and other entities involved in aerospace research and development. Metrics from a 2024 report published by the US Government Accountability Office state that the space agency has experienced over 6,000 attacks in a four-year span. For example, in 2019, NASA revealed a significant breach where attackers compromised Jet Propulsion Laboratory networks through an unauthorized Raspberry Pi device. The breach raised concerns about supply chain vulnerabilities and endpoint security at the agency. Additional insights from the Space ISAC Watch Center have identified numerous claims of targeting NASA infrastructure in 2024 so far. Most of these attacks are aimed at disrupting NASA public resources or exfiltrating files from NASA databases and selling them on popular leak forums, demonstrating that threat actors of all calibers perceive NASA as a valuable target.

The NASA spear-phishing campaign exemplifies the intersection of state-sponsored espionage, cyber vulnerabilities and technological competition. As NASA and other agencies become increasingly reliant on advanced software for mission-critical operations, they must navigate a persistent threat landscape. By analyzing incidents like this and implementing robust countermeasures, the space industry can better protect its intellectual property and maintain technological confidentiality. The continued focus on spear-phishing highlights the need for a proactive, multi-faceted defense strategy that includes technological, educational, and legal measures. Addressing these challenges will require ongoing collaboration between government entities, private industry and international partners.

---

Briefing 27: Adversaries Develop new Tactics for Breaching Air-Gapped Networks

10/29/2024

Executive Summary:

On October 7, security firm ESET disclosed a cyber campaign targeting air-gapped systems at a European government organization. This campaign, conducted between May 2022 and May 2024, has been attributed to GoldenJackal, an advanced persistent threat (APT) group known for its cyber espionage activity since 2019. GoldenJackal specializes in breaching isolated environments through modular toolsets that use removable media and network-adaptive malware to deliver and execute malicious payloads. The group’s prior breach of a South Asian embassy in 2019 underscores its focus on high-value isolated networks, indicating a sustained interest in circumventing traditional security boundaries.

Analysts assess these findings as a potential warning for critical infrastructure sectors that rely on air-gapped networks for secure operations. GoldenJackal’s activities expose vulnerabilities in non-internet-facing networks, demonstrating how removable drives—a commonly trusted medium for data transfer—can serve as entry points for sophisticated malware. This tactic highlights the evolving risk landscape for air-gapped networks, particularly in critical infrastructure sectors like satellite ground stations, which often rely on such systems to remain insulated from network-borne threats.

Toolset:

GoldenJackal’s toolkit leverages a modular .NET-based framework designed to operate across both internet-connected and isolated environments. Key capabilities include file exfiltration, credential theft and system information gathering. The toolkit adapts based on network connectivity, executing different actions depending on whether an internet connection is detected. For instance, in networked environments, it downloads additional payloads from command and control (C2) servers, which are then transferred to USB drives. When internet access is unavailable, it executes stored malware directly from the drive, allowing propagation within an air-gapped system.

GoldenJackal’s modular design enables it to split tasks across various components focused on collection, processing, distribution and exfiltration, facilitating a stealthy and highly adaptable approach. This adaptability reflects the group’s comprehensive understanding of secure network architectures and underscores their evolution from conventional network-based attacks to a refined approach suitable for penetrating air-gapped networks.

Threat to Critical Infrastructure:

GoldenJackal’s ability to infiltrate air-gapped networks without direct physical access represents a significant advancement in attack methodologies. Traditionally, air-gapped systems are isolated from network-based attacks, with entry points largely limited to authorized removable media. GoldenJackal bypasses this isolation by infecting user-owned drives with malware, allowing it to reach systems previously out of reach for remote actors. This method eliminates the need for physical access or the social engineering tactics typically required to distribute infected media, thus presenting a more scalable threat to isolated networks.

By challenging long-held assumptions about the security of air-gapped networks, GoldenJackal’s tactics underscore the vulnerability of critical infrastructure. Operational environments—such as water and wastewater systems in the U.S.—have previously been targeted using similar tactics to exploit vulnerabilities in programmable logic controllers and industrial control systems. This attack model may readily extend to satellite ground infrastructures, highlighting the broader risks facing critical sectors reliant on isolated systems for data integrity and operational security.

Potential Implications for the Space Sector:

Though there is no direct evidence of GoldenJackal targeting space assets, the group’s approach is highly relevant to the sector. Satellite control and ground infrastructure systems may limit internet connectivity and utilize secure, removable drives to update systems and transfer data in air gapped environments. These characteristics align closely with GoldenJackal’s toolkit and methods, which could be repurposed to breach similar isolated networks.

In the space domain, ground systems are vital for data transmission and satellite control. The compromise of these systems could disrupt operations, jeopardize data integrity and undermine secure communication. GoldenJackal’s adaptable toolkit and ability to leverage removable media as an attack vector highlight a pressing need for security measures that can anticipate and mitigate such advanced threats. As threat actors continue developing techniques to breach even the most secure network environments, it is imperative for organizations to account for these strategies across both networked and isolated systems.

Conclusion:

GoldenJackal’s campaign exemplifies how APTs are adapting their tactics to breach secure air-gapped networks traditionally viewed as impervious to remote cyber threats. By leveraging removable media as a bridge into isolated networks, GoldenJackal’s methodical approach exploits industry-standard practices for system maintenance and data transfer within air-gapped systems.

This campaign emphasizes the need for updated protocols governing removable media use and continued monitoring of advanced threat tactics targeting critical infrastructure. For sectors like space, which rely heavily on isolated networks, GoldenJackal’s toolkit illustrates the need for proactive defenses and an understanding that APTs are adapting traditional attack techniques to circumvent even the most robust network defenses. Ensuring the security of air-gapped systems remains a crucial objective as threat actors advance their capabilities to reach these highly secure environments.

---

Briefing 26: Active Cyber Threats to the Space Supply Chain: Analysis of the TIDRONE Campaign

10/2/2024

Executive Summary:

In September 2024, security firm Trend Micro published a report identifying a threat group named “TIDRONE”, which had conducted a cyber espionage campaign targeting entities in Taiwan’s military and satellite industries. Initial findings from the report revealed that TIDRONE actors are actively targeting both satellite industries and drone manufacturers, suggesting a coordinated effort to infiltrate high-value targets tied to aerospace and defense. Further analysis provided by security firm Acronis, which tracked the campaign under the alias "Operation WordDrone," adds key details regarding the exploitation of Taiwanese enterprise resource planning (ERP) software, indicating the campaign may be associated with a supply chain attack.

These activities are assessed as part of a wider trend of cyber espionage aimed at stealing sensitive information within the global military technology sector, including satellite and drone technology. Notably, several elements within this campaign highlight the escalating threat environment for the space industry, particularly the surge in drone production, its considerable overlap with space technology, and the significance of Taiwan as a hub for aerospace and military production.

Attack Pattern:

TIDRONE actors utilized enterprise resource planning (ERP) and remote desktop tools to deploy sophisticated malware toolsets identified as CXCLNT and CLNTEND.

These sophisticated malware families are specifically used to exploit system vulnerabilities and steal sensitive data. The CXCLNT strain is deployed for a range of purposes, most notably the uploading and downloading of files, and the collection of victim information, such as file listings and computer names. The CLNTEND malware is a remote access tool (RAT) that was first identified in attacks conducted in April 2024, and this RAT supports a wide range of network communication protocols.

This versatility allows attackers to adapt to different environments and ensures continuous data exfiltration, even in highly secured networks. Both malware variants play a pivotal role in stealing sensitive data, including intellectual property, and enable extensive system exploitation through lateral movement across compromised networks.

The group’s attack pattern involved a technique known as DLL side-loading, in which attackers manipulate the loading of dynamic link libraries (DLL) by hijacking a program’s library calls. In this instance, TIDRONE actors exploited an outdated version of Microsoft Word to load and execute malicious files. The attackers used a modified version of a legitimate DLL to act as a loader, which ran shellcode to decrypt and execute the CXCLNT and CLNTEND payloads. Researchers noted that the loader included additional features for persistence and defense evasion. Additional reporting shows that attackers used a tool called “EDRSIlencer” to avoid endpoint detection and firewall protections.

Supply Chain Attack:

Reports suggest this campaign may have been a supply chain attack, as it involved repeated targeting of the same ERP systems and remote access tools across multiple victim environments. Specifically, the attackers leveraged Virtual Network Computing (VNC) technology, particularly UltraVNC—a program that allows remote control of servers and clients—to launch malicious executables using side-loading techniques. Additional reporting from Acronis revealed that Taiwanese ERP software Digiwin was deployed in victim environments during the Operation WordDrone campaign. Researchers indicate that this platform may have been exploited as an initial access vector, due to vulnerabilities known to exist in the software’s components.

Significance to Space:

The space industry shares critical technological parallels with other sectors targeted by TIDRONE, particularly drone manufacturing. The use of remote access tools like UltraVNC in both industries is a notable overlap. As space companies often rely on remote systems to manage satellite ground stations and sensitive communication networks, the same techniques used to exploit these tools in other industries could be leveraged against space operations.

In the context of supply chain risks, the close relationship between space and drone manufacturers, particularly in regions like Taiwan, creates additional vulnerabilities. Taiwan’s role as a U.S. ally and a leader in technological innovation makes it a focal point for espionage campaigns, and any compromise in drone manufacturing could cascade into the space industry. Given the high value of intellectual property and operational data in space systems, successful infiltration by actors like TIDRONE could lead to far-reaching consequences for national security and commercial space operations alike.

Sector Targeting:

The TIDRONE campaign’s focus on ERP and remote access technologies aligns with similar methodologies seen in attacks on the space sector. Both sectors utilize these systems to maintain operational continuity, and their exploitation could disrupt essential services or enable widespread data theft. By targeting interconnected sectors like drone and aerospace manufacturing, TIDRONE actors seek to exploit supply chain weaknesses, increasing the potential for lateral movement into critical space infrastructures. The trend toward using VNC technologies across industries underscores the need for heightened cybersecurity awareness in the space industry.

---

Learn More About Space ISAC

Are you interested in learning more about threats to space systems? Visit our website at spaceisac.org to learn more about security for space and how to become a member.