Constellations is pleased to welcome Space ISAC as a regular contributor sharing information about real-world cybersecurity and other threats to space systems around the world. Learn more about ISACs including Space ISAC.

Joel Francis
Space ISAC Intelligence Coordinator
Threat Briefing

Helping the space industry stay aware of incidents, threats & vulnerabilities

Briefing 35: Assessing How the Israel-Iran Conflict Impacts the Space Threat Landscape

7/1/2025

Overview:

Amid the ongoing Israel-Iran conflict, cyberspace has emerged as an increasingly active front, with notable spillover into critical infrastructure sectors. In the days following the initial escalation, both private-sector and government reporting confirmed a sharp increase in cyber activity—ranging from opportunistic hacktivist campaigns to more disruptive operations. The Information Technology-ISAC and the Food and Agriculture ISAC issued a joint alert warning of elevated cyber threats, underscoring the cross-sector impact of operations linked to the conflict.

Following a U.S. military strike on Iranian nuclear facilities, the Department of Homeland Security issued additional guidance, noting a rise in low-level cyber incidents attributed to pro-Iranian groups and warning that state-sponsored actors may exploit poorly secured network technologies to target U.S. infrastructure.

As in previous regional conflicts, space-related organizations, particularly those with ties to government and defense, have become key targets, absorbing both direct and indirect impacts from broader cyber and electronic warfare activity. This pattern mirrors past incidents, such as the aftermath of the October 7, 2023 attacks against Israel, when pro-Palestinian hacktivists targeted a variety of space infrastructure, from web servers to GNSS receivers.

On June 12, 2025, Israel launched a preemptive strike on Iranian military and nuclear sites, triggering a rapid escalation in hostilities. The following day, Iran retaliated with a wave of missile and drone attacks targeting Israeli military and intelligence infrastructure. As the kinetic conflict unfolded, a parallel front emerged in cyberspace—manifesting in increased cyberattacks and widespread GNSS interference affecting both regional and global operations.

Hacktivism and High-Noise Attacks:

Between June 12 and June 15, Radware reported a 700% surge in cyberattacks targeting Israeli infrastructure. These attacks included destructive operations, disinformation campaigns, distributed denial-of-service (DDoS) activity, and web defacements—many of which were low in sophistication but high in volume, consistent with common hacktivist tactics. Notably, analysis of these incidents reveals a recurring focus on the intersection of space and defense, with satellite operators, defense contractors, and national space agencies among the frequently named targets.

Between June 12 and June 26, at least 41 cyberattacks were claimed by various threat groups, reportedly affecting 36 space or space-adjacent organizations. While most of these targets were Israeli, several incidents extended to U.S. and U.K.-based companies and government agencies. Most of the claimed activity involved DDoS attacks, tactics that do not directly threaten space system functionality but do offer insight into the ideological motivations and target selection of pro-Iranian actors. There have been some indicators of potential escalation, such as unverified claims by the hacktivist group GhostSec, which alleged it had compromised 10 Israeli VSAT terminals. Despite the low confidence in these claims, they reflect how disruptive techniques may carry over to operationally relevant targets.

The volume and variety of hacktivist engagements also highlight a long-standing trend: politically motivated cyber actors often outlast the kinetic phases of conflict, continuing operations driven by ideology, affiliation, or retaliation. This is where a significant portion of the risk emerges: current cyber activity may serve as early-stage reconnaissance or testing, laying the groundwork for more impactful operations over time. As of June 22, CyberKnow reports 120 active hacktivist groups. Additional reporting indicates that cybercriminal groups and nation-state threats are also active.

GNSS Interference

One of the most persistent and concerning developments in the wake of the June strikes has been the notable increase in GNSS interference across the Middle East. Multiple indicators—ranging from Notices to Airmen (NOTAMs) and Conflict Zone Information Bulletins (CZIBs) to commercial GNSS monitoring platforms—confirm a highly degraded signal environment since June 12.

These disruptions, though often short-lived (30 seconds to five minutes), have had tangible impacts on air and maritime navigation. Iranian Flight Information Regions (FIRs) have seen cessation of overflight traffic and remain high risk as the conflict continues. Maritime operations in the Strait of Hormuz, the Persian Gulf, the Arabian Sea, and the Red Sea report growing concerns over navigational reliability.

Historically, the region encompassing Israel, Iran, Iraq, and Lebanon has been a contested GNSS environment due to ongoing conflict and electronic warfare experimentation. But current levels of disruption reflect an unprecedented intensity—likely influenced by active jamming, spoofing, and broader electronic warfare activity aligned with military objectives.

For the space sector, this presents growing concern. Not only do satellite signals enable navigation, but the operational integrity of space systems—from launch telemetry to earth observation—relies on uninterrupted, precise GNSS functionality. Disruption at this scale and frequency adds volatility to an already complex threat landscape.

Conclusion:

As the Israel-Iran conflict evolves, space-sector stakeholders should prepare for sustained disruption—both in cyberspace and across the electromagnetic spectrum. Historical patterns suggest that politically driven hacktivist operations will persist beyond any temporary ceasefire or de-escalation. State-sponsored campaigns may adapt their tactics to circumvent increasing defenses or target international partners seen as aligned with either side.

GNSS interference, often underreported or normalized in high-tension areas, is likely to continue at elevated levels—posing persistent risks to aerospace operations, satellite communications, and precision-guided systems.

While it is difficult to predict the trajectory of the broader conflict, one trend is clear: the space sector is an established target for geopolitically motivated threat actors. These developments underscore how the space sector continues to absorb spillover from geopolitical tensions as a function of its strategic proximity and symbolic value. Recent assessments from U.S. cybersecurity agencies reaffirm this trend, noting that “Iranian-affiliated cyber actors may target U.S. devices and networks for near-term cyber operations.” The advisory highlights the Defense Industrial Base (DIB) as a sector of elevated risk, with particular emphasis on edge devices and operational technology (OT) systems, both of which play critical roles in the development and operation of space infrastructure.


Briefing 34: Beyond the Breach: Assessing Downstream Risk from Interlock Ransomware

6/3/2025

Overview:

On May 13, 2025, the Interlock ransomware group made headlines with its latest target, National Defense Corporation (NDC) and its subsidiary, AMTEC. Interlock is a relatively new ransomware outfit, first appearing in September 2024 and garnering attention for its targeting of high-profile entities, which researchers refer to as “big-game hunting.” This recent attack demonstrates an evolution in scope for the group, and corroborating analysis from security firm Resecurity helps break down the far-reaching impacts incidents of this nature may have on the Defense Industrial Base (DIB) and broader stakeholders.

According to the group’s own claims on their leak site, Interlock exfiltrated a staggering 4.2 terabytes of data from NDC systems. This trove reportedly contains nearly 3 million files across 450,000 folders, including 1.6 GB housed in a folder labeled Customer Files. Among the exposed documents are references to top-tier defense contractors and space stakeholders—though the full scope and authenticity of the data remain under review.

The incident was initially disclosed by DataBreaches.net on March 31, 2025, and later confirmed in a regulatory filing by NDC’s parent company, National Presto Industries.

About Interlock Ransomware:

The Interlock group first emerged in September 2024 and quickly developed a reputation for targeting high-value sectors. Although it had not previously shown interest in space-related organizations, its targeting of NDC and AMTEC may signal a shift. Resecurity analysts believe this was a deliberate and targeted operation, potentially with nation-state backing—though conclusive attribution remains unconfirmed.

Interlock’s tradecraft, as detailed in an April 2025 Cisco Talos report, includes the use of remote access tools, commodity malware, and custom scripts to gain and maintain access. Notably, the group employs:

  • PowerShell downloaders and batch scripts for staging and payload execution
  • Legitimate IT tools such as AnyDesk and Remote Utilities for stealthy lateral movement
  • AES-encrypted containers to conceal exfiltrated data
  • Anti-analysis techniques that check for sandboxes or virtualized environments

These tactics align with MITRE ATT&CK techniques such as T1078 (Valid Accounts), T1059.001 (PowerShell), and T1497 (Virtualization/Sandbox Evasion), underscoring the sophistication of the group’s operations.

While many elements of Interlock’s behavior point to financially motivated cybercrime, its choice of target and the strategic value of the exfiltrated data suggest broader implications.

Significance to Space:

While ransomware attacks frequently target smaller organizations, breaches like the one involving NDC demonstrate how cybercriminal groups increasingly view the DIB as a lucrative and strategic target. Attacks on Original Equipment Manufacturers (OEMs), suppliers, and subcontractors not only disrupt operations but also expose sensitive data about customers, contracts, and interdependencies—data that could be weaponized in future cyber campaigns.

The cascading effects of such incidents can be severe: supply chain partners are put at risk, military program timelines can be disrupted, and sensitive business relationships are impacted. Even when classified data is not directly compromised, the exposure of contract documents, procurement records, and other non-public information offers adversaries a roadmap of the defense ecosystem. The exfiltrated data published by Interlock, and analyzed by Resecurity, contains data belonging to several key stakeholders in the global space industry.

Conclusion:

This incident underscores how ransomware attacks on suppliers, OEMs and distributors can cause cascading operational and reputational impacts to defense contractors and other customers within commercial and military space. Ransomware groups engaging in double extortion operations often view DIB entities as valuable, high-profile targets due to the potential for enumerating their network of suppliers for future attacks. Government and military-related datasets are often touted on dark web marketplaces as valuable resources for other hacking groups and cybercriminals.

Space ISAC continues to monitor developments and encourages all stakeholders to evaluate their exposure to third-party risk, adopt a zero-trust architecture, and share intelligence proactively. As ransomware operations like Interlock increasingly target manufacturers and affiliated entities, it's critical to recognize that even indirect compromises can expose sensitive, non-public information—potentially enabling threat actors to expand their scope, escalate extortion efforts, and conduct intelligence gathering against space and defense organizations that may have previously been beyond their immediate reach.


Briefing 33: Phishing Campaign Targets Defense and Aerospace Firms Linked to Ukraine Conflict

5/6/2025

Overview:

On 25 March 2025, DomainTools Investigations (DTI) uncovered a large-scale phishing campaign targeting defense and aerospace organizations tied to the ongoing Russia-Ukraine conflict. The campaign employed a dynamic phishing infrastructure comprising a small number of mail servers and spoofed domains crafted to mimic well-known defense contractors and government entities. The phishing infrastructure was used to host fraudulent webmail login pages designed to harvest employee credentials, likely as part of a broader cyber espionage effort.

While no specific threat actor has yet been publicly attributed to this activity, the tactics, techniques and procedures (TTPs) observed—including targeted spear-phishing, spoofed domains and webmail credential harvesting—align closely with the hallmarks of state-sponsored cyber espionage. In this case, geopolitical motivations related to the Russia-Ukraine war strongly suggest alignment with pro-Russian interests, either from Russian intelligence services or affiliated advanced persistent threat (APT) groups.

Infrastructure Details:

The phishing campaign was first detected through the spoofed domain kroboronprom[.]com, which impersonated Ukroboronprom, Ukraine’s largest state-owned defense conglomerate. As a cornerstone of Ukraine’s defense sector, Ukroboronprom represents a highly attractive target for intelligence collection. The attackers leveraged the domain to deploy a fake webmail login page—built using Mailu—to trick employees into entering their corporate credentials.

Subsequent investigation using DomainTools Iris revealed a broader infrastructure that included multiple spoofed domains registered via Spaceship and hosted through GHOSTnet VPS, a provider previously observed in cybercrime infrastructure. These domains were connected through a small set of mail servers that appeared purpose-built to support high-volume phishing operations. Notably, the infrastructure included domains like cryptshare.rheinemetall[.]com, masquerading as a secure file-sharing platform likely used to distribute malware or capture sensitive files under the guise of legitimate business processes.

In total, researchers linked 923 spoofed domains to the campaign, targeting at least 13 organizations across the defense, aerospace and IT sectors. Many of these entities are considered defense primes or critical suppliers within NATO countries, particularly the United Kingdom and broader European Union.
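The two spoofed names quoted above show the pattern this campaign relied on: one drops a letter from the brand (kroboronprom for Ukroboronprom), the other adds a letter and places a trusted product name in the subdomain (cryptshare.rheinemetall). As an added example, not DomainTools' tooling or anything from the report, here is a small Python check that scores newly observed domains against a vendor watchlist on exactly those signals: edit distance of the second-level label against each watched brand, and a watched brand appearing as a label to the left of the registrable domain. The watchlist and the candidate domains other than the two quoted spoofs are constructed for the demonstration, and the registrable-domain split is a deliberately crude last-two-labels rule; a production version should use the Public Suffix List and feed candidates from passive DNS or certificate-transparency logs.

```python
"""Lookalike-domain check against a vendor watchlist.

Added example, not DomainTools' code. WATCHLIST and CANDIDATES are constructed;
only kroboronprom.com and cryptshare.rheinemetall.com are taken from the briefing.
"""

WATCHLIST = ["ukroboronprom.com", "rheinmetall.com", "cryptshare.com"]  # constructed


def registrable(domain: str) -> str:
    """Crude eTLD+1 (last two labels). Use the Public Suffix List in production."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, watchlist=WATCHLIST, max_distance: int = 2):
    """Return (verdict, matched_brand) for one candidate domain.

    verdict: "exact" (registrable domain is on the watchlist),
             "lookalike" (second-level label within max_distance edits of a brand),
             "brand-in-subdomain" (a watched brand used as a label left of the
             registrable domain, e.g. cryptshare.<attacker-domain>), or "clean".
    """
    d = domain.lower().rstrip(".")
    reg = registrable(d)
    if reg in watchlist:
        return "exact", reg
    # Compare second-level labels only, so a TLD swap does not mask a typo.
    sld = reg.split(".")[0]
    best = None
    for brand in watchlist:
        dist = edit_distance(sld, brand.split(".")[0])
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, brand)
    if best:
        return "lookalike", best[1]
    left_labels = d.split(".")[:-2]
    for brand in watchlist:
        if brand.split(".")[0] in left_labels:
            return "brand-in-subdomain", brand
    return "clean", None


def scan(candidates, watchlist=WATCHLIST) -> list:
    """Every candidate that is not clean, as (domain, verdict, brand)."""
    out = []
    for dom in candidates:
        verdict, brand = classify(dom, watchlist)
        if verdict != "clean":
            out.append((dom, verdict, brand))
    return out


CANDIDATES = [  # constructed feed; the first two are the spoofs quoted in the briefing
    "kroboronprom.com",
    "cryptshare.rheinemetall.com",
    "mail.rheinmetall.com",
    "cryptshare.example.org",
    "example.org",
]

if __name__ == "__main__":
    for dom, verdict, brand in scan(CANDIDATES):
        print(f"{dom:32} {verdict:20} {brand}")
```

"exact" hits will include your own and your partners' real hosts, so in practice those go on an allow list and only the "lookalike" and "brand-in-subdomain" verdicts are routed to a domain-takedown or mail-filter workflow.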

Significance to the Space Sector:

This campaign provides a clear illustration of the evolving cyber threat landscape facing satellite communications companies and broader space sector stakeholders. As modern warfare becomes increasingly reliant on space-based assets for communications, navigation, intelligence, surveillance and reconnaissance (ISR), these entities have become priority targets for both direct attacks and supply chain infiltration.

While the campaign’s focus appears to be on defense and aerospace firms supporting Ukraine’s war effort, many of the spoofed domains and targeted entities are deeply embedded in the global space sector. Satellite operators, ground segment providers and defense contractors often share overlapping infrastructure and partnerships, creating opportunities for lateral movement once initial access is gained. Phishing remains a primary vector for achieving this initial compromise, as attackers exploit trust in established communications channels—often by impersonating familiar vendors, partners or even internal contacts.

The use of dynamic, modular phishing infrastructure, as seen in this campaign, allows threat actors to pivot quickly between targets, register new domains rapidly and continuously refresh their tactics to evade detection. This agility poses unique challenges for satellite operators, which must secure a diverse and globally distributed network of suppliers, contractors and partners.

Threat Actor Tradecraft: Masquerading as Trusted Vendors:

A notable feature of this campaign—and a broader trend in modern cyber operations—is the use of impersonation tactics to breach supply chains. By spoofing domains of trusted vendors, secure file-sharing platforms and internal mail systems, attackers aim to bypass initial defenses and leverage the trust built between organizations and their suppliers.

The space sector is home to a wide array of international collaborators and subcontractors, many of which make up the supply chain and underscore the risk of vendor impersonation. A compromised vendor can serve as a foothold to escalate privileges, move laterally within larger networks and access sensitive satellite control systems, intellectual property or even mission-critical data.

Conclusion:

The phishing campaign uncovered by DomainTools is a significant example of how geopolitical tensions drive sophisticated cyber threat activity against high-value targets. As the space and satellite communications sectors continue to expand their critical role in defense and national security, they must anticipate and defend against increasingly targeted and adaptive threats. Strengthening defenses across both technical and human layers, maintaining vigilance over supply chain security and actively contributing to collective defense through intelligence sharing are essential steps in mitigating the risk of compromise and ensuring mission continuity.


Briefing 32: Threat Actor Targets Satellite Communications with Novel Polyglot Malware

4/8/2025

Overview:

On 4 March 2025, cybersecurity company Proofpoint disclosed a sophisticated email-based cyber campaign that employed a rare and advanced malware delivery technique known as a “polyglot.” Based on victimology, researchers assessed that the campaign primarily targeted aviation, satellite communications and critical transportation organizations within the United Arab Emirates (UAE). Proofpoint attributed these attacks to a newly identified threat actor tracked as “UNK_CraftyCamel.”

The campaign is characterized by the employment of a sophisticated infection chain that deployed a newly discovered Golang backdoor dubbed Sosano—a malicious implant designed for long-term access and data exfiltration in high-value targets. Analysts note the prevalence of sophisticated phishing lures as an increasingly effective technique used to compromise space companies. This campaign reflects how cyber espionage continues to drive targeted activity against the space sector, with threat actors increasingly exploiting trusted relationships and deploying advanced, evasive malware to achieve strategic objectives.

Campaign Details:

Conducted in late 2024, the campaign leveraged compromised email accounts of INDIC Electronics, an Indian electronics firm reportedly in business contact with the victims. Each phishing message was customized to the recipient and contained a lure document aligned with the target’s business operations—enhancing legitimacy and likelihood of interaction. Analysis of the targeting patterns reveals a clear focus on aviation, satellite communication and regional critical infrastructure in the UAE.

Attack Pattern:

UNK_CraftyCamel actors used these compromised accounts to send spear phishing emails containing links to spoofed domains that mimicked the business partner’s website. The link redirected users to a compressed ZIP archive containing an LNK file disguised as an XLS and two polyglot PDF files. Polyglots are specialized files that can be interpreted as multiple formats, depending on how they are parsed.

When the LNK file was executed, it launched a built-in Windows utility called mshta.exe, which then executed a script embedded in an HTML Application (HTA). This script ran a malicious file named Hyper-Info.exe, which in turn decoded a payload hidden in a seemingly innocuous JPG image using XOR, a basic but effective obfuscation technique. The result was the deployment of the Sosano backdoor, which enables remote access and command execution on compromised systems. Analysts also identified additional embedded XOR keys, suggesting plans for future evolutions or anti-analysis features.
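Three of the tricks in that chain can be caught at triage time without executing anything: a shortcut wearing a document extension, a file that carries more than one format's markers, and a payload XORed behind an image. The Python below, an added example that is not Proofpoint's code and uses constructed byte strings rather than UNK_CraftyCamel artefacts, shows each check and also shows why the image step works: the signature scan sees only a JPEG until the trailing bytes are un-XORed. It assumes a single-byte XOR key, which is enough for the demonstration; a real loader may use a longer key, and the same known-header search extends to that with a larger key space.

```python
"""Triage checks for a disguised LNK, a polyglot document and an XOR-wrapped payload.

Added example, not Proofpoint's code. All samples are constructed, benign stand-ins.
Assumption: the hidden payload was XORed with a single-byte key.
"""

# Format markers searched anywhere in the file, because a polyglot's second
# format usually starts after the first one's header.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"<script": "html/hta",
    b"\xff\xd8\xff": "jpeg",
}
PE_MAGIC = b"MZ"                                  # two bytes: only meaningful at offset 0
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"      # Shell Link header size + start of its CLSID
JPEG_EOI = b"\xff\xd9"                             # JPEG end-of-image marker


def formats_present(data: bytes) -> list:
    """Names of every format whose marker appears in the file."""
    found = ["pe"] if data.startswith(PE_MAGIC) else []
    for magic, name in SIGNATURES.items():
        if magic in data and name not in found:
            found.append(name)
    return found


def is_polyglot(data: bytes) -> bool:
    """More than one format marker in one file is the polyglot signal."""
    return len(formats_present(data)) > 1


def looks_like_disguised_lnk(filename: str, data: bytes) -> bool:
    """A Shell Link whose name carries a document extension before .lnk
    (Explorer hides .lnk, so 'Q3-forecast.xls.lnk' displays as 'Q3-forecast.xls')."""
    parts = filename.lower().rsplit(".", 2)
    return data.startswith(LNK_MAGIC) and len(parts) == 3 and parts[-1] == "lnk"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def payload_after_image(data: bytes) -> bytes:
    """Bytes after the JPEG end-of-image marker: a viewer ignores them, a loader reads them."""
    idx = data.find(JPEG_EOI)
    return b"" if idx < 0 else data[idx + len(JPEG_EOI):]


def recover_single_byte_key(blob: bytes, expected_prefix: bytes = PE_MAGIC):
    """Try all 256 single-byte keys; return the one that yields the expected header, else None."""
    for k in range(256):
        if xor_bytes(blob[: len(expected_prefix)], bytes([k])) == expected_prefix:
            return k
    return None


def build_samples():
    """Constructed stand-ins: PDF/HTA polyglot, JPEG carrying a XORed 'executable', bare LNK."""
    pdf_hta = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
               b"<html><script language=\"VBScript\">' benign placeholder\n</script></html>")
    fake_pe = PE_MAGIC + b"\x90" * 30 + b"This program cannot be run in DOS mode."
    key = 0x5A
    jpeg_carrier = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI
                    + xor_bytes(fake_pe, bytes([key])))
    lnk = LNK_MAGIC + b"\x00" * 8
    return pdf_hta, jpeg_carrier, fake_pe, key, lnk


if __name__ == "__main__":
    pdf_hta, jpeg_carrier, fake_pe, key, lnk = build_samples()
    print("polyglot markers:", formats_present(pdf_hta))
    print("carrier looks like:", formats_present(jpeg_carrier))   # XOR hides the PE from signatures
    tail = payload_after_image(jpeg_carrier)
    k = recover_single_byte_key(tail)
    print("recovered key:", hex(k), "payload intact:", xor_bytes(tail, bytes([k])) == fake_pe)
    print("disguised shortcut:", looks_like_disguised_lnk("Q3-forecast.xls.lnk", lnk))
```

The order of the checks matters for a mail gateway: the LNK and polyglot checks are cheap and run on every attachment, while the XOR recovery is a sandbox or analyst step, because a legitimate JPEG can also carry trailing bytes (EXIF thumbnails, appended metadata) that decode to nothing.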

Significance to the Space Sector:

This campaign demonstrates a pressing threat to space-sector organizations: the exploitation of trusted supply chain relationships. In an interconnected business environment, even indirect partners can become unwitting vectors for compromise. Cyber intrusions via compromised third parties, especially those with legitimate communication channels, pose serious detection and containment challenges.

The targeting of aviation and satellite communications strongly suggests an espionage-driven motive, likely aimed at acquiring sensitive operational or strategic intelligence. This aligns with a broader trend in which space-adjacent industries such as aerospace, ground station operations and satellite data services are increasingly viewed as valuable targets by state-linked threat actors.

Furthermore, the technical sophistication of the Sosano delivery chain, particularly the use of polyglot files, underscores a growing adversary capability to evade traditional security tools. Polyglot payloads are rare but effective, designed to confuse file type detection and slip past security filters—making them particularly dangerous in environments that rely heavily on email for document sharing and coordination.

Given that satellite communication supports aviation safety, maritime operations, emergency response and military activities, a successful intrusion could yield intelligence with strategic value—or worse, enable disruption of mission-critical services. As geopolitical competition intensifies, especially in the Middle East, cyber campaigns like this one may become more frequent and more targeted.

Conclusion:

The UNK_CraftyCamel campaign highlights several important trends that impact the space threat environment. First, threat actors are enhancing the sophistication of low-level attacks such as phishing. By exploiting business partners and using obfuscated payloads, this activity demonstrates how email-based threats remain at the forefront of cyberattacks. Second, the use of polyglot payloads highlights a potential new tactic for espionage-motivated actors. Polyglot files, while seldom seen in the wild, present a powerful tool for malware delivery and detection avoidance, underscoring the need for strong email security.

Third, organizations involved in space operations, particularly those with dual roles in aviation or satellite communications, remain attractive targets for cyber espionage. Researchers note the operational overlap between UNK_CraftyCamel and other aligned campaigns that have historically targeted aerospace-aligned organizations. Reported campaigns over the past couple of years bear this out, showing that while space may not be subject to the same number of financially motivated attacks, cyber espionage is a persistent motivating factor affecting the operational security of the sector.

Finally, this campaign reinforces the fact that operational security in the space sector depends not just on your own defenses, but on the cyber hygiene of your partners. The low volume, tailored lures and stealthy payloads point to a deliberate, high-value campaign—one that reflects the increasing professionalization of space-targeted cyber threats.


Briefing 31: Cyber Threats to Operational Technology in Aerospace and Aviation Supply Chains

3/11/2025

Overview:

On 28 February 2025, analysts identified reports that an advanced persistent threat (APT) group tracked as APT41 (aka Winnti) has been conducting a cyber espionage campaign targeting manufacturing companies worldwide. The activity was reported by Check Point researchers who observed the group exploit a virtual private network (VPN) vulnerability in Check Point security gateways, allowing them to gain initial access to the networks of dozens of operational technology (OT) organizations. The aerospace and aviation supply chains, which are critical to commercial space infrastructure, were among the key targets of this campaign, according to additional reporting from Dark Reading.

Attack Pattern

APT41’s attacks leveraged a Check Point VPN vulnerability to infiltrate OT networks. Once inside, they utilized the Winnti malware, which incorporates a unique rootkit to conceal communications and employs stolen legitimate digital certificates to bypass security measures. APT41’s tactics were consistent with those observed in past campaigns, focusing on small and mid-sized OT organizations that often lack the cybersecurity resources of larger enterprises.

After establishing access, the attackers moved laterally across networks, escalating their privileges to gain access to domain controllers and other critical systems. A key element of their strategy involved deploying the modular ShadowPad backdoor, a well-known tool in Chinese cyber espionage operations. ShadowPad provided persistent remote access, enabling the exfiltration of sensitive aerospace and aviation manufacturing data.

Threats Targeting OT Organizations

On 20 February 2025, researchers at Trend Micro reported on a campaign with similar targets and tooling. They noted that ShadowPad was also linked to ransomware deployments in manufacturing and OT environments, against victims resembling those observed by Check Point. This activity aligns with Check Point’s findings on APT41’s exploitation of VPN vulnerabilities, suggesting a potential convergence between cyber espionage and financially motivated cybercrime. The overlap points to a strategic pivot among China-sponsored threat clusters, where traditional intelligence-gathering operations are being supplemented by ransomware-based extortion schemes.

While historically, Chinese APT groups have focused on long-term intelligence collection, the introduction of ransomware into their toolkit signifies an evolution in their tactics. ShadowPad, previously used exclusively for espionage, is now being leveraged to deploy the NailaoLocker ransomware, indicating a dual-purpose approach. This method allows attackers to extract sensitive intellectual property while simultaneously disrupting operations through financial extortion, increasing the overall impact on victims.

Significance to the Space Sector:

Operational technology (OT) organizations play a foundational role in the aerospace and aviation supply chains, supporting manufacturing, logistics, and infrastructure operations essential to space systems. Many aerospace companies rely on OT environments to oversee critical manufacturing processes, including the production of satellite components, propulsion systems and avionics. The impact of these attacks on aerospace suppliers demonstrates the growing risk to commercial space operations, as the compromise of these organizations could disrupt supply chains and present a downstream access vector into aerospace organizations.

Conclusion

The cyber campaign led by APT41 underscores the growing intersection of espionage and cybercrime within the OT sector, particularly in industries critical to space exploration and defense. The exploitation of VPN vulnerabilities and deployment of ShadowPad malware reveal a calculated strategy to infiltrate supply chains, steal intellectual property and leverage ransomware for financial gain.

To mitigate these risks, organizations within the aerospace and commercial space industries must prioritize cybersecurity measures, including the timely patching of vulnerabilities, implementing strong access controls and increasing awareness of supply chain risks. As threat actors continue to evolve their tactics, a proactive and coordinated cybersecurity approach will be essential to safeguarding the future of space operations and critical infrastructure.


Briefing 30: Ransomware in the Cloud: Threat Actors Turn to Storage Encryption for Extortion

2/12/2025

Overview:

Threat actors are rapidly adapting to the widespread adoption of cloud services, refining their tactics to exploit cloud-based storage, platforms and infrastructure. Ransomware operators in particular are leveraging the inherent characteristics of cloud ecosystems to enhance their encryption and extortion capabilities. The integration of cloud-native features into attack methodologies has introduced new threat vectors that pose significant challenges to traditional security measures.

In January of this year, reports surfaced of a threat actor tracked as “Codefinger” that introduced a novel method for encrypting data stored in Amazon Web Services (AWS) Simple Storage Service (S3) buckets. The attack leverages server-side encryption with customer-provided keys (SSE-C) to encrypt S3 objects. The threat actor then demands a ransom for the symmetric AES-256 keys required for decryption. Because S3 does not retain a customer-provided key under SSE-C (it stores only a salted HMAC of the key to validate later requests), the re-encrypted objects cannot be recovered without the attacker-controlled keys.

Attack Pattern:

The incident was first reported by Halcyon on January 13, identifying at least two confirmed victims affected by this attack. The attack sequence begins with the compromise of exposed cloud service API keys, granting initial access to the victim’s account. Once inside, the threat actors leverage valid credentials to access cloud storage, exfiltrate data and subsequently encrypt stored objects using a locally generated AES-256 key. These findings were later corroborated by the AWS Customer Incident Response Team, which reported an increase in unusual encryption activity associated with S3 buckets.

This attack does not exploit vulnerabilities in the cloud provider’s infrastructure but rather abuses legitimate security mechanisms and authorized access. This underscores the increasing risk associated with credential exposure, weak access controls and insufficient monitoring of cloud environments. Notably, cloud credential theft remains a persistent issue, with researchers recently uncovering over 15,000 cloud authentication credentials exposed in publicly accessible Git configuration files, further highlighting the ease with which attackers can obtain access to cloud environments.

These tactics also demonstrate another facet of living-off-the-land techniques, which have become increasingly prevalent in cyber campaigns. By leveraging native security features, threat actors can turn a confidentiality control into an effective means of extorting victims.

Impact:

Cloud-based storage services have become a prime target for cyber threat groups due to their widespread adoption across critical industries and their role in securing sensitive data. According to CrowdStrike’s 2024 Global Threat Report, cloud intrusions have surged by 75%, highlighting the growing focus of adversaries on cloud environments.

Among these services, object storage solutions play a vital role in sectors such as aerospace, where they are commonly used for satellite imagery processing, sensor data storage, and communication log management. However, the misuse or exploitation of improperly secured cloud data can lead to severe consequences, including intellectual property theft, operational disruptions, and unauthorized data exposure. As adversaries increasingly integrate cloud-based assets into their attack strategies, these risks continue to escalate.

The rise of ransomware in cloud environments illustrates both the evolution of cyber extortion tactics and the growing sophistication of ransomware-as-a-service (RaaS) operations. While traditionally focused on enterprise and on-premises IT infrastructure, ransomware operators are now actively adapting their techniques to exploit cloud-native features. The attack methodology observed in this incident may inspire further adoption among other ransomware groups, broadening the scope of cloud-based extortion schemes.

To mitigate these threats, organizations must implement stringent access controls, continuous monitoring and multi-factor authentication. Additionally, to prevent unauthorized encryption of cloud data, security best practices recommend enforcing short-term credentials in place of long-lived access keys, alerting on anomalous access patterns such as bulk object rewrites by a single principal, and denying encryption modes the workload does not use (SSE-C above all) at the bucket or organization policy level unless explicitly required. Because recovery without the key is impossible, backups held outside the affected account remain the last line of defense.
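The attack pattern and the mitigations above translate directly into two controls: a detection over CloudTrail S3 data events for writes that supplied a customer key, and a bucket policy that refuses such writes. The Python below, an added example that is neither AWS's nor Halcyon's code, implements both over a constructed batch of events. Two assumptions must be checked against your own account before relying on it: that object-write data events record the encryption mode in additionalEventData.SSEApplied with SSE-C appearing as "SSE_C", and that the s3:x-amz-server-side-encryption-customer-algorithm condition key is present exactly on requests that supply a customer key, so a Null=false condition denies those and nothing else. The event set goes slightly beyond the incident as described by also covering CopyObject and multipart uploads, since those can re-write an object under SSE-C as well.

```python
"""SSE-C write detection over CloudTrail S3 data events, plus the deny policy.

Added example, not AWS's or Halcyon's code. Assumptions (verify in your account):
additionalEventData.SSEApplied == "SSE_C" marks an SSE-C write, and the
s3:x-amz-server-side-encryption-customer-algorithm condition key is set only on
requests carrying a customer key. SAMPLE_EVENTS are constructed, not real logs.
"""
import json
from collections import Counter

# S3 calls that can write an object under a caller-supplied key.
SSEC_WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}


def is_ssec_write(event: dict) -> bool:
    """True for an S3 data event that wrote an object with SSE-C."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") not in SSEC_WRITE_EVENTS:
        return False
    extra = event.get("additionalEventData") or {}
    return extra.get("SSEApplied") == "SSE_C"


def flag_ssec_writes(events) -> list:
    """(principal ARN, source IP, bucket, key) for every SSE-C write in the batch."""
    hits = []
    for ev in events:
        if is_ssec_write(ev):
            params = ev.get("requestParameters") or {}
            hits.append((ev["userIdentity"]["arn"], ev.get("sourceIPAddress"),
                         params.get("bucketName"), params.get("key")))
    return hits


def principals_over_threshold(events, threshold: int = 3) -> dict:
    """Principals with at least `threshold` SSE-C writes. One identity re-writing
    many existing objects under its own key is the extortion pattern; legitimate
    SSE-C users are rare and known in advance, so set the threshold accordingly."""
    counts = Counter(hit[0] for hit in flag_ssec_writes(events))
    return {arn: n for arn, n in counts.items() if n >= threshold}


def deny_ssec_policy(bucket: str) -> dict:
    """Bucket policy denying any object write that supplies a customer key.
    Preventive only: it must be in place before the rewrite, it undoes nothing."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Null == "false": the request DID carry the SSE-C algorithm header.
            "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }


def deny_ssec_policy_json(bucket: str) -> str:
    """The same policy as a JSON document ready for put-bucket-policy."""
    return json.dumps(deny_ssec_policy(bucket), indent=2)


def _event(name, arn, bucket, key, sse, ip):
    """Constructed CloudTrail-shaped record with only the fields the checks read."""
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "requestParameters": {"bucketName": bucket, "key": key},
            "additionalEventData": {"SSEApplied": sse}}


APP_ROLE = "arn:aws:sts::123456789012:assumed-role/imagery-pipeline/i-0abc123"  # constructed
LEAKED_USER = "arn:aws:iam::123456789012:user/ci-deploy"  # constructed: long-lived key pushed to a repo

SAMPLE_EVENTS = [  # constructed: normal pipeline write, then a foreign IP re-writing objects under its key
    _event("PutObject", APP_ROLE, "telemetry-archive", "pass/2025-01-13/frame-001.tif", "SSE_S3", "10.0.4.21"),
    _event("GetObject", LEAKED_USER, "telemetry-archive", "pass/2025-01-12/frame-099.tif", "SSE_S3", "203.0.113.9"),
    _event("PutObject", LEAKED_USER, "telemetry-archive", "pass/2025-01-12/frame-099.tif", "SSE_C", "203.0.113.9"),
    _event("PutObject", LEAKED_USER, "telemetry-archive", "pass/2025-01-12/frame-100.tif", "SSE_C", "203.0.113.9"),
    _event("CopyObject", LEAKED_USER, "telemetry-archive", "pass/2025-01-12/frame-101.tif", "SSE_C", "203.0.113.9"),
    _event("PutObject", LEAKED_USER, "telemetry-archive", "HOW-TO-RECOVER.txt", "SSE_S3", "203.0.113.9"),
]

if __name__ == "__main__":
    for hit in flag_ssec_writes(SAMPLE_EVENTS):
        print("SSE-C write:", hit)
    print("over threshold:", principals_over_threshold(SAMPLE_EVENTS))
    print(deny_ssec_policy_json("telemetry-archive"))
```

The detection only works if S3 data events are actually being logged for the bucket, which is off by default and billed separately; the GetObject before the first SSE-C write is the exfiltration step the briefing describes, so the same batch is worth scanning for reads by a principal that then starts rewriting.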


Learn More About Space ISAC

Are you interested in learning more about threats to space systems? Visit our website at spaceisac.org to learn more about security for space and how to become a member.

What is Space ISAC?

ISACs are a special category of non-profit organizations identified by the U.S. government focused on sharing cybersecurity threat information within critical infrastructure industries. ISACs are sector-specific, member-driven organizations that serve to foster information sharing and collaboration between public and private sectors. There are 26 sector-based ISACs (short for Information Sharing and Analysis Center) in industries such as Financial Services and Information Technology.

Space ISAC was conceived by the Science and Technology Partnership Forum in response to increased reports of gaps in information sharing within the cybersecurity and space communities. Officially launched in 2019, Space ISAC’s mission is to enhance the space community’s ability to prepare for and respond to vulnerabilities, incidents, and threats; disseminate timely information, and serve as the primary communications channel for the commercial space sector.

Space ISAC is in the process of standing up its Watch Center to monitor incidents, threats, and vulnerabilities of specific interest to space organizations. In the meantime, Space ISAC is tracking and reporting a variety of cybersecurity events and emerging threats that impact its members. Every two weeks, we will provide a briefing on a specific threat that will be of interest to the broader space community beyond our membership. Our thanks to Constellations for providing this channel for information sharing and communication.

To learn more about Space ISAC, its work and about becoming a member, visit spaceisac.org.
