Constellations is pleased to welcome Space ISAC as a regular contributor sharing information about real-world cybersecurity and other threats to space systems around the world. Learn more about ISACs including Space ISAC.

Joel Francis
Space ISAC Intelligence Coordinator
Threat Briefing

Helping the space industry stay aware of incidents, threats & vulnerabilities

Briefing 32: Threat Actor Targets Satellite Communications with Novel Polyglot Malware

4/8/2025

Overview:

On 4 March 2025, cybersecurity company Proofpoint disclosed a sophisticated email-based cyber campaign that employed a rare and advanced malware delivery technique known as a “polyglot.” Based on victimology, researchers assessed that the campaign primarily targeted aviation, satellite communications and critical transportation organizations within the United Arab Emirates (UAE). Proofpoint attributed these attacks to a newly identified threat actor tracked as “UNK_CraftyCamel.”

The campaign is characterized by the employment of a sophisticated infection chain that deployed a newly discovered Golang backdoor dubbed Sosano—a malicious implant designed for long-term access and data exfiltration in high-value targets. Analysts note the prevalence of sophisticated phishing lures as an increasingly effective technique used to compromise space companies. This campaign reflects how cyber espionage continues to drive targeted activity against the space sector, with threat actors increasingly exploiting trusted relationships and deploying advanced, evasive malware to achieve strategic objectives.

Campaign Details:

Conducted in late 2024, the campaign leveraged compromised email accounts of INDIC Electronics, an Indian electronics firm reportedly in business contact with the victims. Each phishing message was customized to the recipient and contained a lure document aligned with the target’s business operations—enhancing legitimacy and likelihood of interaction. Analysis of the targeting patterns reveals a clear focus on aviation, satellite communication and regional critical infrastructure in the UAE.

Attack Pattern:

UNK_CraftyCamel actors used these compromised accounts to send spear-phishing emails containing links to spoofed domains that mimicked the business partner’s website. The link redirected users to a compressed ZIP archive containing an LNK file disguised as an XLS and two polyglot PDF files. Polyglots are specialized files that can be interpreted as multiple formats, depending on how they are parsed.

When the LNK file was executed, it launched a built-in Windows utility called mshta.exe, which then executed a script embedded in an HTML Application (HTA). This script ran a malicious file named Hyper-Info.exe, which in turn decoded a seemingly innocuous image file (JPG) encrypted with XOR encryption—a basic but effective technique for obfuscation. The result was the deployment of the Sosano backdoor, which enables remote access and command execution on compromised systems. Analysts also identified embedded XOR keys, suggesting plans for future evolutions or anti-analysis features.
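A defensive check for the polyglot technique described above, as an added example that is not from Proofpoint or the original briefing: it flags a PDF that a ZIP or HTML/HTA parser would also accept. The marker list, function names and sample files are constructed for illustration.

```python
"""Added example: flag PDF files that a second parser would also accept."""
import io
import zipfile

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
HEADER_WINDOW = 1024  # PDF readers commonly accept the header within the first 1 KB
MARKUP_MARKERS = (b"<hta:application", b"<script", b"<html")  # illustrative list


def zip_members(data):
    """Return member names if a ZIP parser accepts the bytes, else None."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):  # ZIP is located from the end of the file
        return None
    try:
        with zipfile.ZipFile(buf) as archive:
            return archive.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable central directory>"]


def inspect_pdf(data):
    """Report what lies outside the PDF body and which other parsers accept it."""
    report = {"is_pdf": False, "other_formats": [], "leading": 0,
              "trailing": 0, "zip_members": []}
    start = data.find(PDF_MAGIC, 0, HEADER_WINDOW)
    if start == -1:
        return report
    report["is_pdf"] = True

    # Use the last %%EOF so PDFs with incremental updates are not flagged.
    # Limitation: a payload that itself ends in %%EOF hides from this split.
    eof = data.rfind(PDF_EOF)
    end = eof + len(PDF_EOF) if eof != -1 else len(data)
    leading = data[:start]
    trailing = data[end:].strip()
    report["leading"], report["trailing"] = len(leading), len(trailing)

    members = zip_members(data)
    if members is not None:
        report["other_formats"].append("zip")
        report["zip_members"] = members

    # Only look for markup outside the PDF body to avoid matching form content.
    outside = (leading + trailing).lower()
    if any(marker in outside for marker in MARKUP_MARKERS):
        report["other_formats"].append("html/hta")
    return report


def is_polyglot(data):
    report = inspect_pdf(data)
    return bool(report["is_pdf"] and report["other_formats"])


def minimal_pdf():
    """Constructed, inert PDF skeleton used only as test input."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def sample_zip():
    """Constructed archive with one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("inner.txt", "constructed sample member")
    return buf.getvalue()


# Constructed samples: one clean PDF and two files with a second format appended.
SAMPLES = {
    "clean.pdf": minimal_pdf(),
    "pdf_plus_zip.pdf": minimal_pdf() + sample_zip(),
    "pdf_plus_hta.pdf": minimal_pdf()
    + b"<html><hta:application id='x'/><script>/* inert */</script></html>",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, is_polyglot(blob), inspect_pdf(blob))
```

A mail or web gateway can apply the same idea by rejecting attachments whose declared type is PDF but which carry non-whitespace bytes outside the PDF body.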

Significance to the Space Sector:

This campaign demonstrates a pressing threat to space-sector organizations: the exploitation of trusted supply chain relationships. In an interconnected business environment, even indirect partners can become unwitting vectors for compromise. Cyber intrusions via compromised third parties, especially those with legitimate communication channels, pose serious detection and containment challenges.

The targeting of aviation and satellite communications strongly suggests an espionage-driven motive, likely aimed at acquiring sensitive operational or strategic intelligence. This aligns with a broader trend in which space-adjacent industries such as aerospace, ground station operations and satellite data services are increasingly viewed as valuable targets by state-linked threat actors.

Furthermore, the technical sophistication of the Sosano delivery chain, particularly the use of polyglot files, underscores a growing adversary capability to evade traditional security tools. Polyglot payloads are rare but effective, designed to confuse file type detection and slip past security filters—making them particularly dangerous in environments that rely heavily on email for document sharing and coordination.

Given that satellite communication supports aviation safety, maritime operations, emergency response and military activities, a successful intrusion could yield intelligence with strategic value—or worse, enable disruption of mission-critical services. As geopolitical competition intensifies, especially in the Middle East, cyber campaigns like this one may become more frequent and more targeted.

Conclusion:

The UNK_CraftyCamel campaign highlights several important trends that impact the space threat environment. First, threat actors are enhancing the sophistication of low-level attacks such as phishing. By exploiting business partners and using obfuscated payloads, this activity demonstrates how email-based threats remain at the forefront of cyber-attacks. Second, the use of polyglot payloads highlights a potential new tactic for espionage-motivated actors. Polyglot files, while seldom seen in the wild, present a powerful tool for malware delivery and detection avoidance, underscoring the need for strong email security.

Lastly, organizations involved in space operations, particularly those with dual roles in aviation or satellite communications, remain attractive targets for cyber espionage. Researchers note the operational overlap between UNK_CraftyCamel and other aligned campaigns that have historically targeted aerospace-aligned organizations. Reported campaigns over the past couple of years highlight this observation, showing that while space may not be subject to the same number of financially motivated attacks, cyber espionage is a legitimate motivating factor impacting the operational security of the sector.

Finally, this campaign reinforces the fact that operational security in the space sector depends not just on your own defenses, but on the cyber hygiene of your partners. The low volume, tailored lures and stealthy payloads point to a deliberate, high-value campaign—one that reflects the increasing professionalization of space-targeted cyber threats.


Briefing 31: Cyber Threats to Operational Technology in Aerospace and Aviation Supply Chains

3/11/2025

Overview:

On 28 February 2025, analysts identified reports that an advanced persistent threat (APT) group tracked as APT41 (aka Winnti) has been conducting a cyber espionage campaign targeting manufacturing companies worldwide. The activity was reported by Check Point researchers, who observed the group exploit a virtual private network (VPN) vulnerability in Check Point security gateways, allowing them to gain initial access to the networks of dozens of operational technology (OT) organizations. The aerospace and aviation supply chains, which are critical to commercial space infrastructure, were among the key targets of this campaign, according to additional reporting from Dark Reading.

Attack Pattern

APT41’s attacks leveraged a Check Point VPN vulnerability to infiltrate OT networks. Once inside, they utilized the Winnti malware, which incorporates a unique rootkit to conceal communications and employs stolen legitimate digital certificates to bypass security measures. APT41’s tactics were consistent with those observed in past campaigns, focusing on small and mid-sized OT organizations that often lack the cybersecurity resources of larger enterprises.

After establishing access, the attackers moved laterally across networks, escalating their privileges to gain access to domain controllers and other critical systems. A key element of their strategy involved deploying the modular ShadowPad backdoor, a well-known tool in Chinese cyber espionage operations. ShadowPad provided persistent remote access, enabling the exfiltration of sensitive aerospace and aviation manufacturing data.

Threats Targeting OT Organizations

On 20 February 2025, researchers at Trend Micro reported on a campaign with similar targets and tools. Researchers noted that ShadowPad was also linked to ransomware deployments in manufacturing and OT environments, with similar targets to those observed by Check Point. Notably, this activity aligns with Check Point’s findings on APT41’s exploitation of VPN vulnerabilities, suggesting a potential convergence between cyber espionage and financially motivated cybercrime. This overlap suggests a strategic pivot among China-sponsored threat clusters, where traditional intelligence-gathering operations are being supplemented by ransomware-based extortion schemes.

While historically, Chinese APT groups have focused on long-term intelligence collection, the introduction of ransomware into their toolkit signifies an evolution in their tactics. ShadowPad, previously used exclusively for espionage, is now being leveraged to deploy the NailaoLocker ransomware, indicating a dual-purpose approach. This method allows attackers to extract sensitive intellectual property while simultaneously disrupting operations through financial extortion, increasing the overall impact on victims.

Significance to the Space Sector:

Operational technology (OT) organizations play a foundational role in the aerospace and aviation supply chains, supporting manufacturing, logistics, and infrastructure operations essential to space systems. Many aerospace companies rely on OT environments to oversee critical manufacturing processes, including the production of satellite components, propulsion systems and avionics. The impact of these attacks on aerospace suppliers demonstrates the growing risk to commercial space operations, as the compromise of these organizations could disrupt supply chains and present a downstream access vector to aerospace organizations.

Conclusion

The cyber campaign led by APT41 underscores the growing intersection of espionage and cybercrime within the OT sector, particularly in industries critical to space exploration and defense. The exploitation of VPN vulnerabilities and deployment of ShadowPad malware reveal a calculated strategy to infiltrate supply chains, steal intellectual property and leverage ransomware for financial gain.

To mitigate these risks, organizations within the aerospace and commercial space industries must prioritize cybersecurity measures, including the timely patching of vulnerabilities, implementing strong access controls and increasing awareness of supply chain risks. As threat actors continue to evolve their tactics, a proactive and coordinated cybersecurity approach will be essential to safeguarding the future of space operations and critical infrastructure.


Briefing 30: Ransomware in the Cloud: Threat Actors Turn to Storage Encryption for Extortion

2/12/2025

Overview:

Threat actors are rapidly adapting to the widespread adoption of cloud services, refining their tactics to exploit cloud-based storage, platforms and infrastructure. Ransomware operators in particular are leveraging the inherent characteristics of cloud ecosystems to enhance their encryption and extortion capabilities. The integration of cloud-native features into attack methodologies has introduced new threat vectors that pose significant challenges to traditional security measures.

In January of this year, reports surfaced of a threat actor tracked as “Codefinger” that introduced a novel method for encrypting data stored in Amazon Web Services (AWS) Simple Storage Service (S3) buckets. The attack leverages server-side encryption with customer-provided keys (SSE-C) to encrypt S3 objects. The threat actor then demands a ransom for the symmetric AES-256 keys required for decryption. Due to the nature of the SSE-C encryption model, recovery of stolen data is made impossible without the attacker-controlled encryption keys.

Attack Pattern:

The incident was first reported by Halcyon on January 13, identifying at least two confirmed victims affected by this attack. The attack sequence begins with the compromise of exposed cloud service API keys, granting initial access to the victim’s account. Once inside, the threat actors leverage valid credentials to access cloud storage, exfiltrate data and subsequently encrypt stored objects using a locally generated AES-256 key. These findings were later corroborated by the AWS Customer Incident Response Team, which reported an increase in unusual encryption activity associated with S3 buckets.

This attack does not exploit vulnerabilities in the cloud provider’s infrastructure but rather abuses legitimate security mechanisms and authorized access. This underscores the increasing risk associated with credential exposure, weak access controls and insufficient monitoring of cloud environments. Notably, cloud credential theft remains a persistent issue, with researchers recently uncovering over 15,000 cloud authentication credentials exposed in publicly accessible Git configuration files, further highlighting the ease with which attackers can obtain access to cloud environments.

These tactics also demonstrate another facet of living-off-the-land techniques, which have become increasingly prevalent in cyber campaigns. By leveraging native security features, threat actors can abuse privacy-oriented features as an effective way to extort victims.

Impact:

Cloud-based storage services have become a prime target for cyber threat groups due to their widespread adoption across critical industries and their role in securing sensitive data. According to CrowdStrike’s 2024 Global Threat Report, cloud intrusions have surged by 75%, highlighting the growing focus of adversaries on cloud environments.

Among these services, object storage solutions play a vital role in sectors such as aerospace, where they are commonly used for satellite imagery processing, sensor data storage, and communication log management. However, the misuse or exploitation of improperly secured cloud data can lead to severe consequences, including intellectual property theft, operational disruptions, and unauthorized data exposure. As adversaries increasingly integrate cloud-based assets into their attack strategies, these risks continue to escalate.

The rise of ransomware in cloud environments illustrates both the evolution of cyber extortion tactics and the growing sophistication of ransomware-as-a-service (RaaS) operations. While traditionally focused on enterprise and on-premises IT infrastructure, ransomware operators are now actively adapting their techniques to exploit cloud-native features. The attack methodology observed in this incident may inspire further adoption among other ransomware groups, broadening the scope of cloud-based extortion schemes.

To mitigate these threats, organizations must implement stringent access controls, continuous monitoring and multi-factor authentication. Additionally, to prevent unauthorized encryption of cloud data, security best practices recommend enforcing short-term credentials, monitoring for anomalous access patterns and restricting the use of certain encryption mechanisms unless explicitly required.
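One way to monitor for the SSE-C abuse described in this briefing, as an added example rather than code from AWS, Halcyon or Space ISAC: it groups S3 write events that carry the SSE-C request header by principal and bucket and raises severity when a long-term access key is in use. It assumes S3 data events are logged to CloudTrail with that header under requestParameters; the event records, ARNs, key IDs, allowlist and threshold are constructed.

```python
"""Added example: surface SSE-C writes in CloudTrail-style S3 data events."""
from collections import defaultdict

# Request header that selects server-side encryption with a customer-provided key.
SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}


def credential_type(access_key_id):
    """AKIA prefixes are long-term IAM user keys, ASIA are temporary STS keys."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def ssec_alerts(events, allowed_principals=frozenset(), threshold=3):
    """Group SSE-C object writes by (principal, bucket) and flag bursts.

    allowed_principals: ARNs of workloads that explicitly require SSE-C.
    threshold: SSE-C write attempts needed before an alert is raised.
    """
    stats = defaultdict(lambda: {"writes": 0, "denied": 0, "keys": set(),
                                 "cred": "unknown"})
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in WRITE_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        if SSEC_HEADER not in params:
            continue
        ident = ev.get("userIdentity") or {}
        arn = ident.get("arn", "unknown")
        if arn in allowed_principals:
            continue
        entry = stats[(arn, params.get("bucketName", "unknown"))]
        entry["cred"] = credential_type(ident.get("accessKeyId", ""))
        if ev.get("errorCode"):
            entry["denied"] += 1  # blocked attempt, e.g. by a bucket policy
        else:
            entry["writes"] += 1
            entry["keys"].add(params.get("key"))

    alerts = []
    for (arn, bucket), e in sorted(stats.items()):
        if e["writes"] + e["denied"] < threshold:
            continue
        alerts.append({
            "principal": arn,
            "bucket": bucket,
            "objects_rewritten": len(e["keys"]),
            "denied": e["denied"],
            "credential": e["cred"],
            "severity": "high" if e["cred"] == "long-term" else "medium",
        })
    return alerts


def make_event(name, arn, key_id, bucket, key, ssec=False, error=None):
    """Build one constructed CloudTrail-style record (assumed field layout)."""
    params = {"bucketName": bucket, "key": key}
    if ssec:
        params[SSEC_HEADER] = "AES256"
    event = {"eventSource": "s3.amazonaws.com", "eventName": name,
             "userIdentity": {"arn": arn, "accessKeyId": key_id},
             "requestParameters": params}
    if error:
        event["errorCode"] = error
    return event


# Constructed principals and events; none of these values come from the briefing.
BACKUP = "arn:aws:sts::111122223333:assumed-role/backup-role/nightly"
CI_USER = "arn:aws:iam::111122223333:user/ci-deploy"
ANALYST = "arn:aws:iam::111122223333:user/analyst"

SAMPLE_EVENTS = (
    [make_event("PutObject", BACKUP, "ASIAEXAMPLEKEY000001", "imagery-archive",
                f"backup/{i}.tif", ssec=True) for i in range(3)]
    + [make_event("GetObject", CI_USER, "AKIAEXAMPLEKEY000002",
                  "imagery-archive", "scene-0.tif")]
    + [make_event("CopyObject", CI_USER, "AKIAEXAMPLEKEY000002", "imagery-archive",
                  f"scene-{i}.tif", ssec=True) for i in range(4)]
    + [make_event("PutObject", CI_USER, "AKIAEXAMPLEKEY000002", "telemetry-logs",
                  "pass-1.log", ssec=True, error="AccessDenied")]
    + [make_event("PutObject", ANALYST, "AKIAEXAMPLEKEY000003",
                  "imagery-archive", "notes.txt")]
)

if __name__ == "__main__":
    for alert in ssec_alerts(SAMPLE_EVENTS, allowed_principals={BACKUP}):
        print(alert)
```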


Briefing 29: Implications of the Ongoing Salt Typhoon Campaign on Telecommunications and Space

1/15/2025

Executive Summary

Over the past three months, U.S. Government officials have escalated warnings about cyberattacks targeting U.S. telecommunications firms and other U.S. critical infrastructure. These concerns are centered around the ongoing activities of Salt Typhoon (also known as Earth Estries), a China-backed advanced persistent threat (APT) group. Salt Typhoon is attributed to what some Congressional members have called the most significant telecommunications hack in U.S. history, affecting major telecom companies and resulting in the theft of sensitive correspondence data, including metadata and call details.

In addition to these breaches, U.S. officials report that Chinese hackers maintain persistent access to telecom systems supporting multiple critical infrastructure sectors. This access underscores the long-term espionage objectives of Chinese nation-state actors, with implications that extend beyond telecommunications to industries like space, defense, and aerospace.

To date, Salt Typhoon has managed to compromise nine major U.S. telecom companies, breaching their systems and exfiltrating vast amounts of sensitive data. Analysts have revealed that the stolen data includes metadata on where, when, and with whom individuals were communicating, offering adversaries a strategic advantage in intelligence gathering. The breaches have prompted urgent warnings from U.S. officials, who assert that nation-state actors have maintained persistent access to telecom systems, enabling continuous surveillance and exploitation.

The pervasive nature of these campaigns stems from the ability of adversaries to exploit technical and operational weaknesses as an entry point into networks. Salt Typhoon actors achieve initial access by exploiting unpatched network devices and use “living-off-the-land” techniques to achieve and sustain long-term access to critical systems. These tactics have become critical components of espionage campaigns targeting critical infrastructure sectors. Salt Typhoon’s operations also leverage sophisticated phishing tactics and social engineering ploys to entice users into providing access credentials to networks and devices. Once inside the target network, Salt Typhoon employs command and scripting interpreters to carry out additional malicious activities. The group extensively utilizes built-in tools commonly available in Windows environments, such as PowerShell and WMIC, to employ stealth, evade detection, and maintain persistent access in a compromised network. Similar campaigns, such as Volt Typhoon (2023), have demonstrated a consistent pattern of stealthy, persistent intrusions aimed at U.S. critical infrastructure, underscoring the growing concern towards long-term campaigns designed for persistent access to victim networks.

The scope of the Salt Typhoon campaign continues to expand, as the list of impacted companies grows to include large communication firms and internet service providers. Despite the focus on telecommunications, the potential for cross-sector impacts remains paramount due to concerns of shared infrastructure and supply chain risks. Findings from a similar campaign reported by Trend Micro show that attacks targeting telecommunications companies exploited cloud servers and databases in addition to vendor networks. Investment in 5G and direct-to-device capabilities strengthens the linkage between telecommunication firms and the commercial space industry. This increasing overlap introduces new potential risks for the space industry by opening the door to additional supply chain vulnerabilities in terrestrial infrastructure as a significant attack vector.

Space firms use routers, network devices, and management platforms like those exploited in the Salt Typhoon attacks. Exploitation of unpatched vulnerabilities in these devices could extend to satellite ground stations, command-and-control systems, and other mission-critical infrastructure. Additionally, the interconnected nature of supply chains between the telecom and space sectors means that compromised vendors in one industry can have cascading effects on the other.

Overall, the Salt Typhoon campaign is a stark reminder of the evolving threat landscape and the need for vigilance across all critical infrastructure sectors. For the space industry, the lessons from telecom breaches are clear: shared vulnerabilities demand shared solutions. Global communications providers should also follow sector-specific guidance, including the visibility and hardening practices for communications infrastructure set out in a joint advisory published by DHS CISA and international partners on December 04, 2024. By adopting proactive security measures and collaborating with industry peers, space firms can strengthen their defenses against sophisticated, state-sponsored cyber adversaries.


Briefing 28: Spear-Phishing Campaign Highlights Growing Concern of Intellectual Property Theft Targeting Space Entities

11/27/2024

Executive Summary

In September, the U.S. Department of Justice indicted a Chinese national on charges of wire fraud and identity theft due to their attempts to fraudulently obtain computer software and source code belonging to NASA, in addition to other research entities and private companies. According to the DOJ statement, the individual utilized aggressive spear-phishing and social engineering tactics to conduct the compromise. The attack involved the use of email accounts that impersonated U.S.-based researchers and engineers to obtain restricted software and proprietary source code. The stolen tools were integral to aerospace engineering and computational fluid dynamics, with applications ranging from civilian research to advanced tactical missile development. The individual’s employer, Aviation Industry Corporation of China, is a state-owned aerospace and defense conglomerate, further underscoring the potential alignment of these activities with state interests.

The incident underscores the continued effectiveness of focused spear-phishing tactics to target even the most high-profile organizations. Even in 2024, spear-phishing remains one of the most effective initial access vectors in cyber campaigns. Its success lies in its targeted and deceptive nature, leveraging social engineering to exploit trust. According to the 2024 Verizon Data Breach Investigations Report, phishing attacks accounted for approximately 25% of breaches, with over 50% of those involving credential theft. Metrics from government sources reinforce this assessment. The FBI’s 2023 Internet Crime Report noted that phishing, including spear-phishing, was the most common attack vector, with nearly 300,000 cases reported resulting in $18 million in reported losses in the U.S. alone. Similarly, CISA highlights phishing in its “Top Routinely Exploited Vulnerabilities” advisory, identifying it as a persistent threat to both public and private sectors.

Spear-phishing tactics are often used alongside social engineering to conduct reconnaissance and espionage operations. Historical data shows that threat actors often target space researchers and organizations for espionage purposes, largely tied to technology exchange and theft of intellectual property. In a report released by the Office of the Director of National Intelligence, officials state that foreign intelligence entities, “see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise.” In the attack against NASA, the targeted software could enhance China’s aerospace and military capabilities, bypassing years of research and development costs. This aligns with broader trends of intellectual property theft driven by government-backed actors, as nation states compete for dominance in space.

This incident is just the latest in a series of cyberattacks targeting NASA and other entities involved in aerospace research and development. Metrics from a 2024 report published by the US Government Accountability Office state that the space agency has experienced over 6,000 attacks in a four-year span. For example, in 2019, NASA revealed a significant breach where attackers compromised Jet Propulsion Laboratory networks through an unauthorized Raspberry Pi device. The breach raised concerns about supply chain vulnerabilities and endpoint security at the agency. Additional insights from the Space ISAC Watch Center have identified numerous claims of targeting NASA infrastructure in 2024 so far. Most of these attacks are aimed at disrupting NASA public resources or exfiltrating files from NASA databases and selling them on popular leak forums, demonstrating that threat actors of all calibers perceive NASA as a valuable target.

The NASA spear-phishing campaign exemplifies the intersection of state-sponsored espionage, cyber vulnerabilities and technological competition. As NASA and other agencies become increasingly reliant on advanced software for mission-critical operations, they must navigate a persistent threat landscape. By analyzing incidents like this and implementing robust countermeasures, the space industry can better protect its intellectual property and maintain technological confidentiality. The continued focus on spear-phishing highlights the need for a proactive, multi-faceted defense strategy that includes technological, educational, and legal measures. Addressing these challenges will require ongoing collaboration between government entities, private industry and international partners.


Briefing 27: Adversaries Develop New Tactics for Breaching Air-Gapped Networks

10/29/2024

Executive Summary:

On October 7, security firm ESET disclosed a cyber campaign targeting air-gapped systems at a European government organization. This campaign, conducted between May 2022 and May 2024, has been attributed to GoldenJackal, an advanced persistent threat (APT) group known for its cyber espionage activity since 2019. GoldenJackal specializes in breaching isolated environments through modular toolsets that use removable media and network-adaptive malware to deliver and execute malicious payloads. The group’s prior breach of a South Asian embassy in 2019 underscores its focus on high-value isolated networks, indicating a sustained interest in circumventing traditional security boundaries.

Analysts assess these findings as a potential warning for critical infrastructure sectors that rely on air-gapped networks for secure operations. GoldenJackal’s activities expose vulnerabilities in non-internet-facing networks, demonstrating how removable drives—a commonly trusted medium for data transfer—can serve as entry points for sophisticated malware. This tactic highlights the evolving risk landscape for air-gapped networks, particularly in critical infrastructure sectors like satellite ground stations, which often rely on such systems to remain insulated from network-borne threats.

Toolset:

GoldenJackal’s toolkit leverages a modular .NET-based framework designed to operate across both internet-connected and isolated environments. Key capabilities include file exfiltration, credential theft and system information gathering. The toolkit adapts based on network connectivity, executing different actions depending on whether an internet connection is detected. For instance, in networked environments, it downloads additional payloads from command and control (C2) servers, which are then transferred to USB drives. When internet access is unavailable, it executes stored malware directly from the drive, allowing propagation within an air-gapped system.

GoldenJackal’s modular design enables it to split tasks across various components focused on collection, processing, distribution and exfiltration, facilitating a stealthy and highly adaptable approach. This adaptability reflects the group’s comprehensive understanding of secure network architectures and underscores their evolution from conventional network-based attacks to a refined approach suitable for penetrating air-gapped networks.

Threat to Critical Infrastructure:

GoldenJackal’s ability to infiltrate air-gapped networks without direct physical access represents a significant advancement in attack methodologies. Traditionally, air-gapped systems are isolated from network-based attacks, with entry points largely limited to authorized removable media. GoldenJackal bypasses this isolation by infecting user-owned drives with malware, allowing it to reach systems previously out of reach for remote actors. This method eliminates the need for physical access or the social engineering tactics typically required to distribute infected media, thus presenting a more scalable threat to isolated networks.

By challenging long-held assumptions about the security of air-gapped networks, GoldenJackal’s tactics underscore the vulnerability of critical infrastructure. Operational environments—such as water and wastewater systems in the U.S.—have previously been targeted using similar tactics to exploit vulnerabilities in programmable logic controllers and industrial control systems. This attack model may readily extend to satellite ground infrastructures, highlighting the broader risks facing critical sectors reliant on isolated systems for data integrity and operational security.

Potential Implications for the Space Sector:

Though there is no direct evidence of GoldenJackal targeting space assets, the group’s approach is highly relevant to the sector. Satellite control and ground infrastructure systems may limit internet connectivity and utilize secure, removable drives to update systems and transfer data in air-gapped environments. These characteristics align closely with GoldenJackal’s toolkit and methods, which could be repurposed to breach similar isolated networks.

In the space domain, ground systems are vital for data transmission and satellite control. The compromise of these systems could disrupt operations, jeopardize data integrity and undermine secure communication. GoldenJackal’s adaptable toolkit and ability to leverage removable media as an attack vector highlight a pressing need for security measures that can anticipate and mitigate such advanced threats. As threat actors continue developing techniques to breach even the most secure network environments, it is imperative for organizations to account for these strategies across both networked and isolated systems.

Conclusion:

GoldenJackal’s campaign exemplifies how APTs are adapting their tactics to breach secure air-gapped networks traditionally viewed as impervious to remote cyber threats. By leveraging removable media as a bridge into isolated networks, GoldenJackal’s methodical approach exploits industry-standard practices for system maintenance and data transfer within air-gapped systems.

This campaign emphasizes the need for updated protocols governing removable media use and continued monitoring of advanced threat tactics targeting critical infrastructure. For sectors like space, which rely heavily on isolated networks, GoldenJackal’s toolkit illustrates the need for proactive defenses and an understanding that APTs are adapting traditional attack techniques to circumvent even the most robust network defenses. Ensuring the security of air-gapped systems remains a crucial objective as threat actors advance their capabilities to reach these highly secure environments.


Learn More About Space ISAC

Are you interested in learning more about threats to space systems? Visit our website at spaceisac.org to learn more about security for space and how to become a member.

What is Space ISAC?

ISACs are a special category of non-profit organizations identified by the U.S. government focused on sharing cybersecurity threat information within critical infrastructure industries. ISACs are sector-specific, member-driven organizations that serve to foster information sharing and collaboration between public and private sectors. There are 26 sector-based ISACs (short for Information Sharing and Analysis Center) in industries such as Financial Services and Information Technology.

Space ISAC was conceived by the Science and Technology Partnership Forum in response to increased reports of gaps in information sharing within the cybersecurity and space communities. Officially launched in 2019, Space ISAC’s mission is to enhance the space community’s ability to prepare for and respond to vulnerabilities, incidents, and threats; disseminate timely information, and serve as the primary communications channel for the commercial space sector.

Space ISAC is in the process of standing up its Watch Center to monitor incidents, threats, and vulnerabilities of specific interest to space organizations. In the meantime, Space ISAC is tracking and reporting a variety of cybersecurity events and emerging threats that impact its members. Every two weeks, we will provide a briefing on a specific threat that will be of interest to the broader space community beyond our membership. Our thanks to Constellations for providing this channel for information sharing and communication.

To learn more about Space ISAC, its work and about becoming a member, visit spaceisac.org.
