On March 30, the Space ISAC announced the opening of its Watch Center, with the mission of monitoring for threats to ground and space, creating a comprehensive view of the space attack surface.

Analysts in the Watch Center will monitor for threats, track adversary activity, correlate anomalies and produce reports for the space industry, from cyber threats to IT and OT networks to intentional interference and on-orbit activities.

The official launch of the Watch Center represents a monumental milestone and increase in capabilities for the Space ISAC. Initial Operating Capability will bring forth new tools, data sets and visualizations to inform analysts of radio frequency electromagnetic interference (RF EMI), anomalous satellite maneuvers, nation state actors and cyber threat intelligence.

Ransomware attacks have plagued every major sector and represent the largest trend in cybercrime over the last five years. Among the myriad of ransomware gangs, LockBit is one of the most active, contributing to a 45% increase in reported ransomware attacks from January to February of 2023, according to researchers at the NCC Group.

In March 2023, analysts identified multiple aerospace companies that appeared on the LockBit 3.0 leak site, featuring manufacturers and distributors in the space supply chain. The ransomware group targeted Maximum Industries, a manufacturer that specializes in waterjet and laser cutting for the aerospace industry. LockBit claimed to have breached their systems and stolen “about 3,000 drawings certified by SpaceX engineers.” This recent threat demonstrates an intent to target supply chains at large corporations, supporting data from 2022 that estimated LockBit malware was used in 33% of ransomware attacks on industrial organizations.

The LockBit group first emerged at the end of 2019, initially calling itself the “ABCD ransomware.” In just over three years, it has evolved into the most active and menacing ransomware threat group in the world. LockBit ransomware has been implicated in more cyberattacks this year than any other ransomware, making it the most widely used malware in the wild. LockBit 3.0, also known as “LockBit Black,” is the most recent version of this malware and is intentionally modular and evasive.

A contributing factor to LockBit’s success as a ransomware organization is their business model, implementing Ransomware-as-a-Service (RaaS) offerings as collaborative opportunities for other adversaries looking to gain access to specific industries. RaaS is a business model that relies on both ransomware operators and affiliates to launch attacks developed by operators as is most akin to Software-as-a-Service (SaaS).

LockBit seeks initial access to target networks primarily through purchased access, unpatched vulnerabilities, affiliate-led development efforts and zero-day exploits. “Second-stage” LockBit establishes control of a victim's system, collects network information and achieves primary goals, such as stealing and encrypting data. When used as a Ransomware-as-a-Service, an initial access broker (IAB) deploys first-stage malware or otherwise gains access within a target organization’s infrastructure. The IAB then sells that access to the primary LockBit operator for second-stage exploitation.

Due to sophisticated efforts supporting malware development and resource collection, LockBit can use various infection techniques and maintain persistent access to the victim’s systems. Once the victim’s data is encrypted, file extensions are altered to a custom extension and the victim is greeted by an altered user desktop, as well as a .txt file containing a ransom note.

LockBit has typically focused attacks on government entities and enterprises in a variety of sectors, such as healthcare, financial services, and industrial goods and services. The ransomware has been observed targeting countries globally, including the U.S., China, India, Indonesia, Ukraine, France, the UK and Germany.

Overall, the LockBit ransomware group is a formidable and sophisticated cybercrime organization that poses a significant threat to organizations around the world and has shown a recent pattern of targeting aerospace companies, both directly and indirectly through supply chain exploitation.

Read more from Space ISAC.