A New Malware Strain - PowerDrop - Targeting Aerospace Sector

A new type of malicious software called PowerDrop has been discovered by Adlumin within the network of an unnamed US aerospace defense contractor, posing a potential threat to the aerospace industry. Due to limited information about its scope and method of infection, the specific mode of infection or initial compromise in the PowerDrop malware attack remain unknown.

‍

Notably, no instances of active usage have been observed since May 2023. The Adlumin Threat Research Team has developed detection tools that help identify instances of PowerDrop in both endpoints and network traffic.

‍

PowerDrop functions as a backdoor or Remote Access Trojan (RAT), utilizing a PowerShell script executed through the Windows Management Instrumentation (WMI) service, making it challenging for Endpoint Detection and Response (EDR) systems to detect. Analysts speculate that attackers may have deployed the script using exploits, targeted phishing emails, or fake websites for software downloads.

‍

The discovery of PowerDrop holds significant implications. Recent trends indicate that ransomware gangs prioritize data theft over encryption, utilizing extortion-focused tactics. Space ISAC recognizes PowerDrop as a major threat due to its sophisticated architecture, robust resilience, evasion tactics, and targeting of aerospace defense objects.

‍

Hacking of Orbital Nanosatellite - Thales

In May 2023, researchers from Thales successfully demonstrated their ability to compromise an orbital nanosatellite during the European cybersecurity and space exhibition (CYSAT). The satellite test bench to simulate attempts to seize control of OPS-SAT was developed by the European Space Agency (ESA) to assess the potential impact of cyberattacks on space systems. However, only Thales managed to gain control over the satellite's systems, including the Global Positioning System (GPS), attitude control system, and onboard camera, using ethical hacking methods.

‍

This experiment shows possible attacks and methods to enhance the resilience of satellite systems against cyber threats. ISAC believes that analyzing attack models can assist satellite owners in reinforcing defense mechanisms and responding to such threats effectively.

‍

The initial stage for teams to make an impact

ESA provided system descriptions and capabilities required for potential exploits. Besides information about OPS-SAT and a Satellite Experimental Processing Platform (SEPP) for software deployment, teams were granted access to the Nanosat Mission Operations Framework (NMF), which played a pivotal role in reconnaissance and resource development necessary for satellite utilization.

‍

Intrusion and Data Breach

Utilizing their legitimate access (valid accounts), Thales deployed third-party software with concealed malicious payloads. Subsequently, leveraging elevated access rights, they infiltrated the satellite system and deployed malicious code, exploiting vulnerabilities within the system. This action disrupted the operation of flight software and led to the compromise of data that was sent to Earth, including altered onboard camera images and concealed geographical areas, while avoiding ESA detection.

‍

Key results

In this manner, by aligning observed behavior with strategies outlined in the MITRE ATT&CK and Aerospace SPARTA frameworks, Space ISAC analysts identified key actions such as the integration of Intrusion Detection Systems (IDS), conducting vulnerability assessments, and implementing network segmentation. Instances like the OPS-SAT experiment assist the satellite industry in effectively preparing for future cyber threats.

‍

_{Author: Nessa, Cyber Journalist}

_{Source: https://www.kratosdefense.com/constellations/space-isac}

_{Photo: iss069e023948 (June 20, 2023) - Earth's atmosphere glimmers in this photograph from the International Space Station as it soars into a radiant orbital sunrise 257 miles above the Pacific Ocean.}

_‍