Executive Summary

As organizations continue to migrate services to cloud-based solutions, trend analysis shows that cyber threat actors are making corresponding adjustments to this transition. According to officials from the Cybersecurity and Infrastructure Security Agency (CISA), advanced persistent threat (APT) actors are adapting their tactics, techniques and procedures (TTPs) to focus on initial access and disruption of cloud services. The advisory denotes observations from APT29 (aka Midnight Blizzard), which is assessed as a prominent threat actor within the cyber threat ecosystem and is primarily known for its broad scope of cyber espionage activity. According to a CISA assessment, APT29 is actively modernizing systems as government and commercial entities migrate resources to the cloud.

The findings from this report underscore a broader trend, one that has particular significance for the commercial space sector. Threat actors are shifting their targeting from on-premises solutions to cloud services. This Threat Briefing is intended to assess the shift by threat actors toward infiltrating cloud services and its correlation with the continued digitization of space ground architectures.

The Shift to Cloud Targeting

Analysis of past attack patterns shows that cyber threat actors such as APT29 have targeted on-premises, physical network environments in multiple cyber campaigns. Recent reporting reveals, however, that threat actors are increasingly targeting a wide range of cloud services for initial access and malware distribution. According to CISA and international partners, much of this shift is attributed to the continued modernization of industry. This transition to cloud-based infrastructure significantly alters the attack surface by requiring authentication to the cloud provider, which in turn drives changes in threat actor TTPs.

Some of the evolving tactics involve brute force attacks and password spraying to gain access to service accounts, use of cloud-based authentication tokens, and enrollment of new devices to gain unauthorized access. This observed activity underscores the increased use of valid accounts for initial access in threat actor campaigns. According to IBM X-Force’s Threat Intelligence Index, valid account compromises accounted for nearly one-third of cyberattacks in 2023. Additionally, the report states that 90% of the cloud assets made available for sale on the dark web were valid account credentials. These trends coincide with an increased number of intrusions on cloud environments, which was up 75% in 2023, according to CrowdStrike’s 2024 Global Threat Report. Officials warn that this continued trend warrants an adjusted approach to cybersecurity, with a significant focus on defending against and mitigating threats in cloud environments.

Implications for the Commercial Space Industry

The push for cloud-based infrastructure is increasingly relevant for the commercial space industry, particularly as it pertains to ground-based assets and the ground station-as-a-service (GSaaS) model. While adapting to hybrid solutions for ground station architecture is a logical and beneficial evolution for the industry, it is important to identify the inherent risks that come with it so that proactive defense measures can be implemented.

First, introducing internet-facing systems to ground architecture broadens the cyberattack surface significantly, opening a host of new endpoints and making it difficult to air-gap systems. As stated in the conference paper titled Ground Station as a Service: A Space Cybersecurity Analysis, “By introducing a familiar corporate IT environment by interfacing cloud services with ground stations, GSaaS increases the susceptibility of the ground station to techniques, tactics and procedures that organized crime groups are already highly proficient in.”

Second, the increased accessibility to GSaaS offerings via services like Azure Orbital and AWS Ground Station allows for reconnaissance activities from potentially malicious actors via increased visibility. “With access to cloud environments being affordable for small organizations and individuals, their inclusion in GSaaS equips even unsophisticated threat actors with the option of buying access to a ground station themselves and probing for vulnerabilities from the inside,” the paper states. These risks are furthered by the increased targeting of cloud-related assets by threat actors in recent years.

In general, transitioning components of the space architecture to cloud-based services introduces the risks of internet-facing IT environments, which inevitably exposes GSaaS providers to a host of threats that may not be factored into an air-gapped physical architecture. This observation is underscored by the increasing adoption of direct-to-device services, which allow users to interact with satellites from mobile platforms and represent a significant increase in attack surface. As the satellite services market becomes more competitive and accessible, it is important to consider the myriad cyber threats, particularly those targeting cloud services. The growing digitization of space architectures creates a corresponding range of vulnerabilities to many of the most commonly observed TTPs, including the use of valid accounts, brute force techniques and internet-facing applications and services.

Defense and Mitigation

To address these vulnerabilities, the National Security Agency (NSA) released a list of ten cloud mitigation strategies, providing organizations a guide to harden security in cloud environments. The best practices include using secure cloud identity and access management, implementing network segmentation and encryption in cloud environments and managing cloud logs for effective threat hunting. NSA officials reiterate that while the cloud can enhance IT efficiency and security, the aggregation of critical data also renders cloud services an appealing target for adversaries. This sentiment is especially germane to the commercial space industry. As more service providers transition to the cloud, it underscores the need for proactive and innovative approaches to defense in securing cloud environments.
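Managing cloud sign-in logs for threat hunting, as the NSA guidance above recommends, can be made concrete with a detector for the password-spraying pattern described earlier (one source, many accounts, few attempts each, followed by a success). This is an added example, not code from the briefing or from any cited agency or report; the sign-in records are constructed, and the field layout, window and threshold are assumptions to be tuned to the identity provider's actual log schema.

```python
"""Password-spray hunting over cloud sign-in logs (added example, not from the briefing)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data). Assumed layout: ISO timestamp,
# account, source IP, result. Real identity-provider logs carry more fields.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:01Z", "alice@example.org", "203.0.113.7", "failure"),
    ("2024-03-01T08:00:04Z", "bob@example.org", "203.0.113.7", "failure"),
    ("2024-03-01T08:00:07Z", "carol@example.org", "203.0.113.7", "failure"),
    ("2024-03-01T08:00:10Z", "dave@example.org", "203.0.113.7", "failure"),
    ("2024-03-01T08:00:13Z", "erin@example.org", "203.0.113.7", "failure"),
    ("2024-03-01T08:00:20Z", "erin@example.org", "203.0.113.7", "success"),
    # One user failing repeatedly from one source is a brute-force signal,
    # not a spray; this detector deliberately leaves it alone.
    ("2024-03-01T08:05:00Z", "alice@example.org", "198.51.100.9", "failure"),
    ("2024-03-01T08:05:30Z", "alice@example.org", "198.51.100.9", "success"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag each source IP that fails against >= min_accounts distinct
    accounts inside one sliding window; list sprayed accounts that later
    succeeded from the same source (the highest-priority follow-up)."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(events, key=lambda e: e[0]):
        by_ip[ip].append((parse_ts(ts), user, result))
    alerts = []
    for ip, recs in by_ip.items():
        failures = [(t, u) for t, u, r in recs if r == "failure"]
        for i, (t0, _) in enumerate(failures):
            users = {u for t, u in failures[i:] if t - t0 <= window}
            if len(users) < min_accounts:
                continue
            hits = sorted({u for t, u, r in recs
                           if r == "success" and u in users and t >= t0})
            alerts.append({"source_ip": ip, "distinct_accounts": len(users),
                           "window_start": t0.isoformat(), "compromised": hits})
            break  # one alert per source; the SOC pivots from here
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

Accounts listed under "compromised" are candidates for immediate token revocation and a review of newly enrolled devices, which is the follow-on activity the advisory describes.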