
Overview:

While the dialogue on security for the space sector often centers on sophisticated and destructive attacks, recent campaigns highlight a different but equally dangerous vector: the deliberate targeting of IT services and personnel through social engineering. This shift exploits the reality that many critical systems and identities depend on trusted IT help desks, external service providers and the global talent pipeline that supports development and operations.

Two ongoing campaigns illustrate how threat actors capitalize on this vector. The first is Scattered Spider, a financially motivated group that compromises organizations by impersonating employees and manipulating help desk processes. The second is the set of North Korean IT worker schemes, where actors linked to the Democratic People’s Republic of Korea infiltrate the global IT workforce by posing as legitimate remote developers while simultaneously deploying backdoors through the software supply chain.

Although neither campaign shows a deliberate, strategic focus on the space sector, both reveal techniques highly relevant to space organizations because of their heavy dependence on third-party IT services and highly specialized external talent.

Significance to the Space Sector:

Space companies increasingly rely on federated networks of contractors, managed security service providers (MSSPs) and cloud-based identity platforms such as single sign-on (SSO) and virtual desktop infrastructure (VDI). The technical complexity of these environments often outpaces security controls, while operational demands encourage flexibility and speed in hiring and onboarding specialized talent. This combination creates fertile ground for attackers who can bypass hardened perimeters simply by convincing someone in IT to grant access, or by being welcomed into the workforce itself.

The consequences of compromise can cascade quickly: Credentials reset by a manipulated help desk could enable lateral movement into ground control or mission planning systems. Similarly, a compromised developer could introduce malicious code into software supporting satellite command and control or data processing. In the space sector, where even small disruptions can have strategic and commercial impact, these threats demand serious attention.

North Korean IT Worker Threats:

North Korean IT worker campaigns remain active and have recently expanded in scope and scale, as documented by Google’s Threat Intelligence Group and recent IC3 advisories. These actors actively impersonate recruiters, engage in fake technical interviews and convince software developers to install test packages or clone repositories containing malware like BeaverTail and InvisibleFerret. Cisco Talos has recently documented a Python variant of GolangGhost RAT, showing the actors’ continued technical evolution.

In parallel, North Korean IT workers embed themselves as remote contractors within Western companies by submitting forged credentials and stolen identities. Once hired, they can access proprietary source code, deployment systems and internal chat tools, creating opportunities for direct financial gain and potential supply chain attacks. While these campaigns primarily aim to generate hard currency and support weapons development, they create pathways for broader espionage.

For space companies that depend on globally sourced software developers and contractors, these tactics are particularly concerning. Even without a declared strategic focus on space, the methods and objectives align closely with vulnerabilities present in complex space-sector IT ecosystems. These tactics were replicated in the “Dream Job” campaign that targeted the aerospace industry in November 2024.

Scattered Spider:

Scattered Spider, also tracked as Octo Tempest, demonstrates a different but equally effective approach to targeting IT services. The group actively collects employee data from leaks and open sources, then contacts help desks to impersonate legitimate staff and request password resets or multifactor authentication (MFA) resets. Using accurate personal information, they bypass security checks and gain access to cloud identity platforms like Microsoft Entra ID and SSO portals.

Once inside, they deploy ransomware such as ALPHV (BlackCat) and DragonForce, and sometimes use legitimate IT tools to deepen their foothold. Recent reporting shows that these operations are ongoing, and in July 2025, the group extended its targeting to aviation and transportation, including a high-profile attack on Qantas impacting roughly six million customers.

Originally, Scattered Spider targeted customer relationship management providers and IT service firms supporting business operations. Over time, the group has broadened its reach to retail, hospitality, financial services and manufacturing. Though the group has not demonstrated a strategic focus on space, its pivot toward aviation and history of compromising IT providers underscore the possibility that high-profile space organizations relying on outsourced IT could be future targets.
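The help desk reset pattern described in this section can be monitored by correlating resets with the sign-ins that follow them. The sketch below is an added example, not taken from the reporting cited here; the event fields (`ts`, `user`, `action`, `actor`, `device`, `ip`) are a constructed schema rather than the log format of any identity platform, and the sample events are invented.

```python
from datetime import datetime, timedelta

RESET_ACTIONS = {"password_reset", "mfa_reset"}

def flag_post_reset_signins(events, window=timedelta(hours=24)):
    """Return sign-ins from a device never seen for that user that occur
    within `window` after a help-desk-initiated password or MFA reset."""
    known = {}       # user -> device ids already observed for that user
    last_reset = {}  # user -> (time, help desk agent, action)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        # Self-service resets (actor == user) are not help desk resets.
        if ev["action"] in RESET_ACTIONS and ev.get("actor") != user:
            last_reset[user] = (ev["ts"], ev["actor"], ev["action"])
        elif ev["action"] == "sign_in":
            seen = known.setdefault(user, set())
            reset = last_reset.get(user)
            if reset and ev["device"] not in seen and ev["ts"] - reset[0] <= window:
                delay = int((ev["ts"] - reset[0]).total_seconds() // 60)
                findings.append({"user": user, "device": ev["device"],
                                 "ip": ev["ip"], "reset_by": reset[1],
                                 "reset_action": reset[2],
                                 "minutes_after_reset": delay})
            else:
                # A flagged device is not learned as known while the window is open.
                seen.add(ev["device"])
    return findings

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample events (documentation IP ranges, invented names).
SAMPLE_EVENTS = [
    {"ts": _t("2025-07-01T08:00:00"), "user": "alice", "action": "sign_in",
     "device": "LAPTOP-A1", "ip": "198.51.100.10"},
    {"ts": _t("2025-07-02T14:05:00"), "user": "alice", "action": "mfa_reset",
     "actor": "helpdesk-7"},
    {"ts": _t("2025-07-02T14:17:00"), "user": "alice", "action": "sign_in",
     "device": "UNKNOWN-9F", "ip": "203.0.113.44"},
    {"ts": _t("2025-07-03T09:00:00"), "user": "bob", "action": "sign_in",
     "device": "LAPTOP-B2", "ip": "198.51.100.11"},
    {"ts": _t("2025-07-03T09:30:00"), "user": "bob", "action": "password_reset",
     "actor": "helpdesk-3"},
    {"ts": _t("2025-07-03T09:40:00"), "user": "bob", "action": "sign_in",
     "device": "LAPTOP-B2", "ip": "198.51.100.11"},
]

if __name__ == "__main__":
    for finding in flag_post_reset_signins(SAMPLE_EVENTS):
        print(finding)
```

A finding is a prompt to call the employee back on a number already on file, not proof of compromise; legitimate device replacements produce the same pattern.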

The Convergence of Social Engineering and IT Targeting:

These campaigns converge on a single insight: By focusing on IT services and workforce pipelines, attackers can bypass even the most advanced technical defenses. Whether through direct impersonation of help desks or infiltration of the developer workforce, both approaches exploit organizational dependencies on trusted IT personnel and external partners.

For space organizations, the implications are clear. The combination of outsourced IT services, complex supply chains and reliance on highly specialized talent creates multiple opportunities for adversaries. Even when actors do not prioritize space as a strategic target, the shared infrastructure and service providers that connect industries mean that space organizations remain exposed.

Recent reports from leading security firms and government agencies confirm that these campaigns remain active and evolving. As space organizations modernize operations and deepen reliance on external IT and cloud services, defending against social engineering requires more than technical solutions. Strengthening verification processes at help desks, tightening contractor onboarding, monitoring for suspicious software dependencies and reinforcing employee awareness are all critical measures.