Space Sector Threats

The year 2023 has been marked by significant cyber turbulence in the space sector. The aftermath of the 2023 KA-SAT attack has fundamentally altered the world’s collective perception of cyber risk and its implications for space. In addition, 2023 brought a surge in the scope and scale of cyber targeting, a range of emerging trends and new threat actors operating within the space industry. Without question, the frequency of cyber campaigns targeting the space industry escalated from 2022 to 2023.

Adversaries View Commercial Space as a Target - Adversary nations have expressed their intent to target commercial space systems whose mission classes fall under Earth observation, communication, and intelligence, surveillance and reconnaissance (ISR). This is largely due to the exponential increase in LEO satellites and their presumed military applications. Since late 2022, U.S. adversaries have made provocative statements regarding the “legitimate targeting” of satellites for wartime operations. As the space domain expands to cislunar space and beyond, international competition and the pursuit of space superiority continue to drive the development of counterspace capabilities. U.S. intelligence agencies released multiple advisories in 2023 detailing the increasing number of cyberattacks targeting U.S.-based space companies and espionage threats perpetrated by Foreign Intelligence Entities (FIEs).[1]

Space Sector Targeting - Multiple sophisticated campaigns targeting the space sector through a variety of attack vectors were observed in 2023. Peach Sandstorm, a sophisticated threat actor, was identified targeting several satellite companies through orchestrated password attacks tracked as early as February 2023. These attacks were designed to compromise and exploit legitimate accounts as part of a broader espionage campaign. In August, researchers at Recorded Future uncovered another campaign targeting space organizations, in which a threat actor tracked as RedHotel targeted organizations in 17 countries, spanning multiple sectors. Advanced persistent threat (APT) groups such as these are known to use custom-built malware toolsets to infiltrate organizations, maintain persistence and move laterally through network environments. PowerDrop, a malicious PowerShell script, is just one of several malware strains used against the U.S. aerospace industry and Department of Defense sectors. In addition to IT-based attacks, threat actors attempted to exploit satellite networks by targeting GNSS receivers, satellite terminals and other ground-based devices related to satellite communication.
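The password attacks against legitimate accounts described above are, in a defender's logs, a pattern rather than a single event: one source trying a few guesses against many accounts (password spraying, the usual form of such campaigns) looks very different from one account being hammered. The following is an added example, not code from the article or from Space ISAC, that detects that pattern over a small set of constructed authentication log lines; the log format (`timestamp user source_ip result`), the sample addresses and the thresholds are assumptions for the example.

```python
"""Password-spray detection over authentication events (added example).

The log lines, field layout and thresholds below are constructed for
illustration and are not from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source_ip result".
# 203.0.113.7 fails against five different accounts in eight seconds and
# then succeeds against a sixth; 198.51.100.4 is a single user mistyping.
SAMPLE_LOG = """\
2023-02-01T08:00:01 alice 203.0.113.7 FAIL
2023-02-01T08:00:03 bob 203.0.113.7 FAIL
2023-02-01T08:00:05 carol 203.0.113.7 FAIL
2023-02-01T08:00:07 dave 203.0.113.7 FAIL
2023-02-01T08:00:09 erin 203.0.113.7 FAIL
2023-02-01T08:00:11 frank 203.0.113.7 SUCCESS
2023-02-01T08:01:00 alice 198.51.100.4 FAIL
2023-02-01T08:01:05 alice 198.51.100.4 FAIL
2023-02-01T08:01:10 alice 198.51.100.4 SUCCESS
"""


def parse_events(text):
    """Parse the constructed log into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source whose
    failures touched at least `min_accounts` distinct accounts inside any
    sliding time window of length `window`."""
    by_src = defaultdict(list)
    for ts, user, src, result in sorted(events):
        if result == "FAIL":
            by_src[src].append((ts, user))

    alerts = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the window fits.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[src] = sorted(users)
                break
    return alerts


def successes_after_spray(events, alerts):
    """Accounts that authenticated successfully from a spraying source:
    the first candidates for credential reset and session review."""
    return [(user, src) for _, user, src, result in events
            if src in alerts and result == "SUCCESS"]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    found = detect_spray(ev)
    print("spraying sources:", found)
    print("successes from those sources:", successes_after_spray(ev, found))
```

The key design choice is to group failures by source and count distinct accounts per window, rather than counting failures per account: the per-account count stays under any lockout threshold by design, which is exactly what makes spraying effective against lockout-only defenses.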

Supply Chain Compromises - Many of the successful attacks on space systems are considered supply chain attacks, meaning that threat actors gain entry through subsidiaries, third-party vendors, downstream suppliers and software supply chains. While they are not new by any means, the frequency and scope of supply chain attacks have increased significantly, primarily because of the abundance of vulnerabilities in software and external, internet-facing services that cyber threat actors can readily exploit. MOVEit, ManageEngine, PaperCut, GoAnywhere and 3CX are all examples of widely used software products that were exploited in malicious cyber campaigns in 2023. Observed cyber activity has also extended to virtualized and edge environments, as was the case with campaigns targeting VMware ESXi servers, Sophos firewalls and FortiOS VPNs. As manufacturers, suppliers and software continue to be targeted, the supply chain remains a critical risk factor for every entity involved in the space development life cycle.

Nation-States, Ransomware Gangs and Hacktivists - Nation-state actors have adopted “living off the land” techniques, which rely on the extensive use of network administration tools, such as PowerShell and Windows Management Instrumentation (WMI), that are already present within victim networks. This technique improves threat actors' ability to lurk in networks and maintain an undetected presence for extended periods. This type of activity was seen most notably from a group tracked as Volt Typhoon, which used living-off-the-land tactics to target U.S. critical infrastructure, and most recently from the state-sponsored actor tracked as BlackTech, which compromised firmware in networking equipment. Nation-state actors are among the most dangerous and persistent threats to the space sector.
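Because living-off-the-land activity uses tools that are legitimately present on every host, it cannot be detected by blocking a binary; detection has to look at how PowerShell, WMI and similar tools are invoked (encoded commands, hidden windows, remote process creation, unusual parent processes). The following is an added example, not code from the article or from any of the vendors it cites, that scores constructed process-creation events against a few such heuristics and decodes a PowerShell `-EncodedCommand` payload for the analyst. The record fields (`host`, `parent`, `image`, `cmdline`), the sample events and the rule weights are assumptions for this example; the encoded string is a constructed UTF-16LE base64 sample, which is the encoding PowerShell actually uses for that switch.

```python
"""Living-off-the-land triage over process-creation events (added example).

Events are constructed records in the shape of a flattened Windows 4688 /
Sysmon process-creation entry; field names and weights are assumptions.
"""
import base64
import re

LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "cmd.exe",
           "certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "POWERPNT.EXE"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")

# Constructed sample events; the encoded blob decodes to "IEX (New-Object".
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem C:\\Users"},
    {"host": "ws02", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "srv01", "parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami /all"},
    {"host": "ws03", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic /node:srv02 process call create "powershell -w hidden"'},
    {"host": "ws04", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def is_ps(e):
    return e["image"].lower() in {"powershell.exe", "pwsh.exe"}


# (rule name, weight, predicate). Weights are this example's own tuning.
RULES = [
    ("encoded_powershell", 3,
     lambda e: is_ps(e) and ENC_RE.search(e["cmdline"]) is not None),
    ("hidden_window", 1,
     lambda e: re.search(r"(?i)-w(?:indowstyle)?\s+hidden", e["cmdline"]) is not None),
    ("office_spawns_lolbin", 3,
     lambda e: e["parent"].upper() in OFFICE_PARENTS and e["image"].lower() in LOLBINS),
    ("wmic_remote_process_create", 3,
     lambda e: e["image"].lower() == "wmic.exe"
     and re.search(r"(?i)/node:\S+.*process\s+call\s+create", e["cmdline"]) is not None),
    ("wmi_provider_spawns_shell", 3,
     lambda e: e["parent"].lower() == "wmiprvse.exe" and e["image"].lower() in LOLBINS),
]


def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text).
    Returns None when no well-formed encoded argument is present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(e):
    """Return (total weight, names of rules that fired) for one event."""
    fired = [name for name, _, pred in RULES if pred(e)]
    score = sum(w for name, w, _ in RULES if name in fired)
    return score, fired


def triage(events, threshold=3):
    """Events scoring at or above threshold, with the decoded payload attached
    so an analyst sees what the PowerShell invocation actually runs."""
    out = []
    for e in events:
        score, fired = score_event(e)
        if score >= threshold:
            out.append({"host": e["host"], "score": score, "rules": fired,
                        "decoded": decode_encoded_command(e["cmdline"]) if is_ps(e) else None})
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Two of the sample hosts illustrate why parent-child context matters more than the binary itself: `cmd.exe` launched from `explorer.exe` is routine, while `cmd.exe` launched by the WMI provider host (`wmiprvse.exe`) is the signature of remote WMI execution, and an Office application spawning PowerShell is almost never legitimate. Weighted rules let a single strong indicator alert on its own while weak ones (a hidden window) only add context.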

Ransomware groups have evolved to be more pervasive and disruptive to organizations, prioritizing extortion methodologies over encryption-based tactics.  This shift has led to an increase in “double extortion” attacks, where threat actors threaten to leak sensitive information while also holding data hostage via encryption methods.  Ransomware gangs continue to employ as-a-service offerings and affiliate programs to bolster the use of malware toolkits, offer up access to compromised accounts and sell credential dumps.  This activity has resulted in a sharp uptick in posts mentioning space sector organizations on ransomware leak sites.

Hacktivist organizations have become more collaborative in their goals to disrupt the operations of commercial space companies. Groups like Killnet, alongside other pro-Russian hacker groups such as Anonymous Russia, Anonymous Sudan, SiegedSec, UserSec and Killmilk, have all targeted space systems and organizations through distributed denial-of-service (DDoS) attacks, website defacements and leaks of sensitive information. These efforts have had a deleterious impact on victims, whose sensitive and proprietary data have often been made available on leak sites, on forums and messaging platforms such as Telegram, and on dark web marketplaces. Killnet initially surfaced in 2022, claiming attacks on Starlink and various U.S. government websites. Throughout 2023, these collectives have collaborated to target the commercial space industry and have curated strong followings on forums throughout the cyber underground.

Satellite Hacking - Two notable capture-the-flag (CTF) competitions this year featured the use of satellite technology, helping to enumerate what may be on the horizon in terms of cyberattacks on on-orbit assets. During the CYSAT conference in Paris, researchers from ESA set up a test bed to offer participants a chance to hack into a nanosatellite. A team from Thales successfully hacked into the simulated satellite network, taking advantage of onboard vulnerabilities and connections within the satellite bus. Among many valuable insights, this exercise demonstrated the importance of onboard intrusion detection capabilities and bus/network segmentation.

During the Hack-A-Sat 4 competition, participating teams were tasked with hacking an on-orbit satellite, the first time an active space asset was featured in the annual contest. The Moonlighter 3U cubesat was the featured target, deployed in low Earth orbit and outfitted with multiple radios to send telemetry and receive commands. Hack-A-Sat 4 was a huge step towards evaluating the risk to on-orbit assets and was an evolution from past virtual environments and ground-based test beds. The results from satellite hacking competitions bolster the collective understanding of how on-orbit assets can be hacked and how these risks can be addressed to prevent future attacks.

Resources for Better Defense - The Space ISAC Watch Center was built to keep abreast of increasing threat activity to space systems, and to monitor, analyze and report threat information to the commercial space industry.  Our analysts provide regular updates to Space ISAC membership and coordinate with government partners to ascertain a comprehensive picture of the space attack surface.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com.

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/

Website: https://www.redskyalliance.com/

LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

[1] https://www.kratosdefense.com/constellations/articles/space-isac-year-in-review-top-threats-to-the-space-sector
