Briefing 20: Aerospace Industry Targeted by Multiple Cyber Espionage Campaigns

4/17/2024

On 21 March 2024, researchers from Palo Alto Networks Threat Intelligence Team released a report on a campaign targeting job applicants in the aerospace and defense sectors. The campaign is attributed to Curious Serpens, a threat group that has been active since 2013. This specific campaign targets aerospace and energy sector entities in the United States, Middle East and Europe from 2022 – 2023.

While this campaign may seem like an isolated example, Curious Serpens’ actions underscore an emerging trend in the cyber threat landscape for space. These campaigns demonstrate the increased scope of state-backed threat groups that engage in intelligence collection, information stealing and commercial espionage. Through an analysis of this campaign, correlated with similar activity, we can gain insight into the evolving tactics and motivations of threat actors in the space sector, highlighting the need for enhanced cybersecurity measures to protect critical resources and sensitive information.

The most recent Curious Serpens campaign focused on the deployment of a custom backdoor called “FalseFont.” According to the report, Curious Serpens actors have conducted a series of job recruitment scams, luring victims to a fake job portal to trick users into entering valid credentials and then installing the backdoor. FalseFont is a sophisticated strain of malware that is used as a remote access and data exfiltration tool by connecting to the attacker’s command/control (C2) server to receive and execute commands, download/upload files, query file system information and harvest credentials. Additional analysis from Nextron Systems assesses that threat actors are likely using this tool to extract U.S. defense or intelligence-related documents, based on how the malware impersonates legitimate job application software.

The FalseFont campaign underscores both the sophistication of espionage-focused threat groups and the prevalence of job recruiting scams to collect information. This threat actor has previously targeted space industry organizations under the alias Peach Sandstorm via a widespread password spraying campaign observed from February to September 2023. The campaign targeted various organizations in the satellite, defense and pharmaceutical sectors on a global scale. Reporting from Microsoft Security threat intelligence assessed the activity as an initial access campaign, with the goal of “intelligence collection in support of Iranian state interests.”

Analysts note the similarities between the FalseFont campaign and previously observed espionage activity targeting space and related sectors. Over the last year, there have been several espionage-focused campaigns targeting space industry organizations. While the full impact of this threat activity is not fully known, we can assess with moderate confidence that these campaigns were successful in compromising these organizations, due to intrusion detections and data provided, such as malware hashes and indicators of compromise. Specific examples of this activity include a threat actor tracked as AeroBlade, who targeted an aerospace organization in a multi-phased espionage operation from September 2022 – July 2023, RedHotel, who targeted the aerospace industry at a global scale between 2021 and 2023, and UNC1549, a campaign that leveraged fake job websites to deploy custom backdoors targeting aerospace and defense entities.

Each of these campaigns shares commonalities in both motive and execution, with the goal of exfiltrating sensitive information. Additional correlations can be drawn from the tactics, techniques and procedures of these threat groupings focused on gaining initial access through spear phishing, deploying custom malware and backdoors and exfiltrating data over C2 channels. Through this analysis, it is evident that the targeting of space industry organizations has intensified over the past year, with threat actors employing sophisticated tactics to infiltrate and compromise their targets. This trend highlights the evolving nature of cyber threats in the space sector and underscores the need for proactive security measures to mitigate the risk of espionage and data breaches.

This type of activity has become increasingly prevalent in the space threat landscape and remains a top priority for U.S. intelligence agencies. In a report published in 2023 by the National Counterintelligence and Security Center (NCSC), officials warned that foreign intelligence entities (FIEs) recognize the value of commercial space brings to the U.S. economy and national security, and threat actors may target space organizations to acquire “vital technologies and expertise.” The identified impacts are underscored by recently observed espionage activity and enumerate one of the more common ways that space organizations may be targeted. Additional findings reveal that many of these campaigns target employees of these organizations, as seen in the UNC1549 and Curious Serpens campaigns. This type of corporate espionage activity often is intended to facilitate IP theft or technology exchange, where threat actors take advantage of job-seeking individuals and seemingly legitimate corporate technology to exfiltrate sensitive data.

The targeting of job applicants and the use of fake job portals underscore the evolving tactics of these threat actors, posing a significant challenge to the cybersecurity of space organizations. These findings emphasize the urgent need for enhanced security measures and collaboration among industry stakeholders and intelligence agencies to protect critical infrastructure and sensitive information in the space sector.

---

Briefing 19: Implications for the Space Industry As Cyber Threat Actors Transition to Cloud Infrastructure Attacks

3/19/2024

Executive Summary

As organizations continue to migrate services to cloud-based solutions, trend analysis shows that cyber threat actors are making corresponding adjustments to this transition. According to officials from the Cybersecurity and Infrastructure Security Agency (CISA), advanced persistent threat (APT) actors are adapting their tactics, techniques and procedures (TTPs) to focus on initial access and disruption of cloud services. The advisory denotes observations from APT29 (aka Midnight Blizzard), which is assessed as a prominent threat actor within the cyber threat ecosystem and is primarily known for its broad scope of cyber espionage activity. According to a CISA assessment, APT29 is actively modernizing systems as government and commercial entities migrate resources to the cloud.

The findings from this report underscore a broader trend and one that has particular significance to the commercial space sector. Threat actors are shifting their targeting schemas from on-premise solutions to cloud services. This Threat Briefing is intended to assess the shift by threat actors to infiltrate cloud services and the correlation to the continued digitization of space ground architectures.

The Shift to Cloud Targeting

Analysis of past attack patterns shows that cyber threat actors such as APT29 have targeted on-premise, physical network environments in multiple cyber campaigns. Recent reporting reveals, however, that threat actors are increasingly targeting a wide range of cloud services for initial access and malware distribution. According to CISA and international partners, much of this shift is attributed to the continued modernization of industry. This transition to cloud-based infrastructure significantly alters the attack surface by requiring authentication to the cloud provider, subsequently driving changes in threat actor TTPs.

Some of the evolving tactics involve using brute force attacks and password spraying to gain access to service accounts, utilization of cloud-based token authentication and enrollment of new devices to gain unauthorized access. This observed activity underscores the increased use of valid accounts for initial access in threat actor campaigns. According to IBM X-Force’s Threat Intelligence Index, valid account compromises accounted for nearly one-third of cyberattacks in 2023. Additionally, the report states that 90% of the cloud assets made available for sale on the dark web were valid account credentials. These trends coincide with an increased number of intrusions on cloud environments, which was up 75% in 2023, according to CrowdStrike’s 2024 Global Threat Report. Officials warn that this continued trend warrants an adjusted approach to cybersecurity, with a significant focus on defending and mitigating threats in cloud environments.

Implications for the Commercial Space Industry

The push for cloud-based infrastructure is increasingly relevant for the commercial space industry, particularly as it pertains to ground-based assets and the ground station-as-a-service (GSaaS) model. While adapting to hybrid solutions for ground station architecture is a logical and beneficial evolution for the industry, it is important to identify the inherent risks that come with it so that proactive defense measures can be implemented.

First, introducing internet-facing systems to ground architecture broadens the cyberattack surface significantly, opening a host of new endpoints and making it difficult to air-gap systems. As stated in the conference paper titled Ground Station as a Service: A Space Cybersecurity Analysis, “By introducing a familiar corporate IT environment by interfacing cloud services with ground stations, GSaaS increases the susceptibility of the ground station to techniques, tactics and procedures that organized crime groups are already highly proficient in.”

Second, the increased accessibility to GSaaS offerings via services like Azure Orbital and AWS Ground Station allows for reconnaissance activities from potentially malicious actors via increased visibility. “With access to cloud environments being affordable for small organizations and individuals, their inclusion in GSaaS equips even unsophisticated threat actors with the option of buying access to a ground station themselves and probing for vulnerabilities from the inside,” the paper states. These risks are furthered by the increased targeting of cloud-related assets by threat actors in recent years.

In general, transitioning components of the space architecture to cloud-based services introduces the risks of internet-facing IT environments, which inevitably exposes GSaaS providers to a host of threats that may not be factored into air-gapped physical architecture. This observation is underscored by the increasing adaptation of direct-to-device services, allowing users to interact with satellites from mobile platforms and representing a significant increase in attack surface. As the satellite services market becomes more competitive and accessible, it is important to consider the myriad of cyber threats, particularly those that are targeting cloud services. The growing digitization of space architectures creates a corresponding range of vulnerabilities to many of the most commonly observed TTPs, including the use of valid accounts, brute force techniques and internet-facing applications and services.

Defense and Mitigation

To address these vulnerabilities, the National Security Agency (NSA) released a list of ten cloud mitigation strategies, providing organizations a guide to harden security in cloud environments. The best practices include using secure cloud identity and access management, implementing network segmentation and encryption in cloud environments and managing cloud logs for effective threat hunting. NSA officials reiterate that while the cloud can enhance IT efficiency and security, the aggregation of critical data also renders cloud services an appealing target for adversaries. This sentiment is especially germane to the commercial space industry. As more service providers transition to the cloud, it underscores the need for proactive and innovative approaches to defense in securing cloud environments.

---

Briefing 18: Living off the Land Techniques Pose a Persistent Cyber Threat to Space, Critical Infrastructure

2/20/2024

On 7 February 2024, several international government agencies released an advisory detailing how state-sponsored actors are achieving persistent access to U.S. critical infrastructure. Their findings correlate observed behavior from several sophisticated hacking entities over the last two years, highlighting the prevalence of Living off the Land (LOTL) techniques as both a favored initial access vector and a challenge for network defenders. Network-based attacks of this nature are particularly alarming for the space industry due to its complex network topology and ongoing digitization of ground stations, supported by the widespread adoption of the ground station-as-a-service (GSaaS) framework.

The adoption of LOTL techniques has gained traction in recent years, underscored by its use in several high-profile campaigns conducted since 2021. In many instances, threat groups are employing these tactics to gain persistent access to IT networks for disruptive cyberattacks against critical infrastructure, as stated by officials at the Cybersecurity and Infrastructure Security Agency (CISA). These recent developments follow observed activity from a slew of sophisticated cyber threat actors who have found success through the exploitation of small office/home office (SOHO) routers and other edge network devices. Notable examples include campaigns by BlackTech, BianLian and Volt Typhoon threat actors.

BlackTech is categorized as a cyber espionage group and has been active since 2012, most recently involved in a campaign targeting Cisco network equipment in U.S. and Japanese organizations. This activity, detailed in Threat Briefing 14, demonstrates how threat actors have used LOTL techniques to modify router firmware images and leverage domain-trust relationships for persistent access.

BianLian, a ransomware as a service (RaaS) developer and provider, focuses on extortion-based attacks targeting U.S. critical infrastructure sectors. With a name that translates loosely to “the art of changing faces,” BianLian is an adaptive threat group that has used LOTL tactics for reconnaissance and lateral movement to infiltrate network environments in the U.S.

Volt Typhoon is categorized as an advanced persistent threat (APT), has been active since 2021 and is a leader in the application of LOTL techniques. According to a Microsoft Threat Intelligence advisory in March 2023, Volt Typhoon has targeted critical infrastructure entities in Guam and the U.S., relying heavily on exploitation of local and network infrastructure, as well as living off the land binaries (LOLBins). To maintain persistence, the group leverages compromised SOHO network devices to obfuscate traffic and avoid detection.

The recent Joint Cybersecurity Advisory provides new insights into these group’s behavior, indicating that “Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations.” Officials assert that the purpose of these campaigns is to pre-position access on IT networks to enable lateral movement into operational environments, posing concerns to both manufacturing and supply chains for critical industries including space. Estimates claim that threat actors have used this approach to maintain persistence for over five years without significant detection.

The increasing use of Living off the Land techniques by cyber threat actors, as highlighted in the recent government advisory, presents a significant challenge for organizations, especially those in critical sectors like space. The correlation between the advisory’s findings and the observed behavior of sophisticated threat groups over the past year underscores the urgency for improved cybersecurity measures.

The cases of BlackTech, BianLian and Volt Typhoon demonstrate the diverse ways threat actors are leveraging LOTL techniques for malicious purposes, from cyber espionage to ransomware attacks. These groups’ ability to exploit network vulnerabilities and maintain persistence through compromised devices poses a serious threat to national security and the economy. As LOTL techniques continue to evolve, it is essential for organizations to remain vigilant and proactive in their cybersecurity efforts to protect against these sophisticated cyber threats.

---

Briefing 17: Surge in Telecommunications Cyberattacks Pose Implications for the Global Space Industry

1/23/2024

In December 2023, one of the largest telecommunication firms in Ukraine was taken offline by a cyberattack, leaving millions of Ukrainian citizens without mobile phone or internet service for an extended duration. This attack marked a significant turning point in the cyber warfare of the Russian-Ukraine war and highlights a growing trend of cyber threat actors going after high-profile targets in the telecommunications sector. Since the Kyivstar attack in late 2023, there have been multiple cyberattacks targeting international telecommunications organizations contributing to this growing trend.

Examples of this activity include the Spanish telecommunications firm Orange, that was targeted by an info stealing malware, a cyberattack on the Malaysian telco Celcom, where the threat actor claimed to be selling the company’s source code, and most recently, a UAE-based satellite services provider, who allegedly has been the target of the notorious Anonymous Sudan hacking group. These recent attacks on telecommunications companies have had a range of effects, from minor financial impacts to significant outages or theft of proprietary information.

Regardless of the attack type or threat group responsible, it appears that many cybercriminals are finding value in compromising the broader communications sector. This could be due to the general impact on civilian and military operations, as reliable communication networks are a critical component of national security. This trend serves to only expand the threat landscape for the commercial space sector, as firms and users alike will shift to become more reliant on space to maintain or supplement communications, as is the case with Ukraine’s continued use of Starlink services. This expansion of reliance on satellites represents an increase in attack surface and may even position satellite services in the crosshairs of nation-states whose goal is to disrupt communications and other critical functions.

Another important correlation to consider is the role of space-based assets in supporting telecommunications infrastructure. Satellites play a crucial role in extending the reach of terrestrial telecommunications networks, especially in remote or underserved areas. However, this reliance on satellite-based communications also introduces new vulnerabilities that cyber threat actors may exploit. As the demand for satellite-based services continues to grow, ensuring the security and resilience of these systems against cyber threats becomes paramount for both the telecommunications and space industries.

Furthermore, the commercial space domain is increasingly reliant on interconnected networks and data systems for various operations, including satellite launches, space exploration missions and satellite-based services. These networks are susceptible to cyberattacks that can compromise sensitive data, disrupt operations or even sabotage space missions. The growing trend of cyberattacks on telecommunications firms underscores the need for robust cybersecurity measures across the entire space ecosystem.

---

Briefing 16: Analyzing Tactics, Techniques and Procedures Used by Cyber Threat Actors to Access US Space Industry

12/12/2023

On 30 November 2023, the BlackBerry Research & Intelligence Team revealed that they had been tracking a long-term cyber campaign targeting the U.S. aerospace sector. The threat actor, tracked as AeroBlade, conducted multiple spearphishing campaigns targeting the same aerospace organization from September 2022 – July 2023.

This ongoing campaign is another example of highly skilled threat actors deploying curated malware to pursue high-value information collection from the U.S. aerospace sector. Due to the prolonged nature of the campaign and the sophisticated tactics, techniques and procedures (TTPs) demonstrated by AeroBlade, it is assessed that this campaign is focused on commercial cyber espionage. As aerospace becomes an increasingly enticing target for cybercriminals, it is crucial to understand how adversaries target this sector and the significance of threat groups that engage in cyber espionage.

According to BlackBerry’s malware analysis report, the AeroBlade threat actor utilized a multi-phased attack pattern, ultimately resulting in persistent access to the victim device via a Dynamic Link Library (DLL). For the initial access vector, the hackers leveraged a spearphishing email to deliver a malicious document that contained a VBA macro code enabling remote template injection. The macro script then ran an executable file to deliver the DLL payload to connect the victim to the hacker-controlled C2 server.

Following the execution, the DLL leveraged multiple sophisticated means of obfuscating detection. The executable file prevents disassembly, uses API hashing to hide the use of Windows functions and performs checks to skip execution in automated environments. The latter prevents the code from running in sandboxes and antivirus programs, impeding both analysis and detection.

Once the checks are complete, the DLL connects to the threat actor’s C2 server and transmits collected information including a list of directories, usernames, passwords, IP and MAC addresses from the victim’s device. This process enables a reverse shell attack, in which the attacker can force communication with the C2 and exfiltrate system information via Microsoft Virtual Basic (VB) and Windows API.

By analyzing the malware analysis report, we can assess the significance of this attack based on sophisticated technical capabilities, prolonged nature of operations and emphasis on persistence and defense evasion. The capability to obfuscate critical phases of the attack chain signifies the threat actor’s adept use of living off the land techniques, harnessing native tools and system functions to conceal their operations. The prevalence of reverse shell attacks, a common tool for cyber espionage campaigns, aligns with this approach of leveraging inherent system functionalities for persistent access and control. Furthermore, researchers note a considerable improvement in the DLL’s ability to detect and evade defense measures in the collected samples from 2022 – 2023, which is indicative of a refined approach. It remains to be seen if there will be follow-on ransom demands and exploitation attempts from AeroBlade, but the lack of known extortion demands is another indication of the alleged commercial espionage purpose of this campaign.

The tactics, techniques and procedures associated with AeroBlade resemble prior attacks targeting aerospace entities in 2023, particularly methods involving living off the land and command and scripting interpreters. For instance, it mirrors the exploitation of a vulnerability tracked as PowerDrop, where PowerShell served as the command and scripting interpreter, and in incidents targeting aeronautical entities, where attackers leveraged Unix shell for similar purposes.

Furthermore, this parallels the tactics seen in the Lazarus “Lightcan” operation, which was initiated through spearphishing while capitalizing on native API functionalities. Additional similarities involve motive and intent, where the impact of said attacks involved intellectual property theft, data exfiltration and commercial espionage. According to the DNI publication, Safeguarding the US Space Industry, “Foreign intelligence entities (FIEs) recognize the importance of the commercial space industry to the US economy” and “see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise.”

The AeroBlade cyber campaign targeting the U.S. aerospace sector, tracked from September 2022 to July 2023, signifies a highly skilled threat actor’s pursuit of valuable information. Utilizing sophisticated tactics, including living off the land techniques and leveraging command interpreters, AeroBlade’s prolonged and stealthy operations strongly suggest a focus on commercial cyber espionage, echoing concerns highlighted by U.S. security agencies about the value and vulnerability of the space sector to espionage activities. While spearphishing is not necessarily associated with sophisticated threats, the follow-on actions reported by The BlackBerry Research and Intelligence Team reveal unique insights for network defenders regarding the purpose, intent and execution of cyber threat actors looking to gain access to the U.S. space industry.

---

Briefing 15: The Rise and Impact of Hacktivism Amidst Conflicts in Ukraine, Israel

11/14/2023

The ongoing war between Israel and Hamas has spurred a surge in cyber activity, with a myriad of threat actors looking to contribute to the chaos through a slew of ideology-based attacks. Multiple threat groups have targeted infrastructure sectors that include global navigation satellite system (GNSS) receivers, Israeli cyber systems, healthcare, education, water systems and U.S.-based companies that operate in Israel. The geopolitical tensions caused by this crisis have resulted in heightened animosity between several nations, exacerbating an already contentious international environment.

In the context of ongoing geopolitical conflicts, the predominant perpetrators of reported cyberattacks are hacktivist groups. These entities, motivated by ideological considerations and driven by political or societal objectives, have exhibited an escalating trend in their activities, particularly in relation to geopolitical tensions. The nature of their campaigns encompasses Distributed Denial of Service (DDoS) attacks, website defacement, data leaks, phishing and disinformation campaigns.

Illustrating this trend, the ongoing Russia-Ukraine conflict serves as a notable case study. Hacktivist groups actively targeted government, military and commercial entities perceived to support Ukrainian war efforts. Notably, this targeting extended to encompass critical U.S. infrastructure sectors, including defense and aerospace. Even in the aftermath of nearly two years post the Russian invasion of Ukraine, cyber threat groups such as Anonymous Sudan and KillNet persist in executing attacks, openly issuing threats against infrastructure linked to U.S. and NATO entities.

A parallel trend is emerging in the Israel and Hamas conflict, where hacktivism has experienced a notable surge, with many of the same groups entering the fold. Since the start of the conflict, over 70 hacking groups have become involved, utilizing cyberspace as a strategic arena for sustained engagement in ongoing hostilities.

Specific instances, according to SOC Radar’s live blog covering the conflict, include the reported DDoS attack on the Israel Space Agency website, attributed to the YourAnonT13x Group, as indicated in a corresponding post on the group’s Telegram channel. Following this incident, the GhostSec hacking group, in collaboration with Anonymous Sudan, claimed responsibility for “unleashing mass attacks on Israeli infrastructure.” Their targets included GNSS receivers and Building Automation and Control Networks (BACnet), with indications of potential future attacks targeting industrial machinery and critical infrastructure.

Despite the prevalence of hacktivism, the credibility and impact of many alleged attacks remain uncertain. Many purported attacks lack substantial proof, aside from online postings, which are often overstated. However, activities from hacktivist groups can coincide with ongoing targeting from more sophisticated entities and highlight potential victims to other, opportunistic threat actors. In Microsoft’s 2023 Digital Defense Report, researchers suggest a convergence of state-sponsored activity and hacktivist operations in observed cyber activity in Ukraine. Cyberthreat groups have evolved to collaborate more frequently, indicating that many self-reported threats from hacktivists could serve to incite other threat actors.

As such, the emergent threat posed by hacktivist groups presents a heightened risk to sectors critical to national security, including military, government, and space industries. While hacktivist groups are not considered the most dangerous threat, the continued surge of activity increases an already contested threat environment for international organizations. In a statement given to the U.S. Senate Committee on Homeland Security and Governmental Affairs, FBI Director Christopher Wray states that “the cyber targeting of American interests and critical infrastructure that we already see—conducted by [state] and non-state actors alike—will likely get worse if the conflict expands.” This pattern of hacktivist operations underscores the evolving landscape where cyber capabilities are leveraged as force multipliers in contemporary conflicts, necessitating a comprehensive understanding and strategic response to mitigate potential impacts on national security and infrastructure integrity.

---

Learn More About Space ISAC

Are you interested in learning more about threats to space systems? Visit our website at s-isac.org to learn more about security for space and how to become a member.