In recent times, the realm of space systems has become a new frontier, simultaneously serving as a domain of technical progress and, unfortunately, the emergence of new threats. SAPCE ISAC tracks various cybersecurity events that space systems worldwide encounter. This overview highlights SAPCE ISAC research - the discovery of a new type of malicious software, PowerDrop, and attempts to hack compromise of an orbital nanosatellite, underscoring the need for robust protection mechanisms in space systems against emerging cyber threats.
A new type of malicious software called PowerDrop has been discovered by Adlumin within the network of an unnamed US aerospace defense contractor, posing a potential threat to the aerospace industry. Due to limited information about its scope and method of infection, the specific mode of infection or initial compromise in the PowerDrop malware attack remain unknown.
Notably, no instances of active usage have been observed since May 2023. The Adlumin Threat Research Team has developed detection tools that help identify instances of PowerDrop in both endpoints and network traffic.
PowerDrop functions as a backdoor or Remote Access Trojan (RAT), utilizing a PowerShell script executed through the Windows Management Instrumentation (WMI) service, making it challenging for Endpoint Detection and Response (EDR) systems to detect. Analysts speculate that attackers may have deployed the script using exploits, targeted phishing emails, or fake websites for software downloads.
The discovery of PowerDrop holds significant implications. Recent trends indicate that ransomware gangs prioritize data theft over encryption, utilizing extortion-focused tactics. Space ISAC recognizes PowerDrop as a major threat due to its sophisticated architecture, robust resilience, evasion tactics, and targeting of aerospace defense objects.
In May 2023, researchers from Thales successfully demonstrated their ability to compromise an orbital nanosatellite during the European cybersecurity and space exhibition (CYSAT). The satellite test bench to simulate attempts to seize control of OPS-SAT was developed by the European Space Agency (ESA) to assess the potential impact of cyberattacks on space systems. However, only Thales managed to gain control over the satellite's systems, including the Global Positioning System (GPS), attitude control system, and onboard camera, using ethical hacking methods.
This experiment shows possible attacks and methods to enhance the resilience of satellite systems against cyber threats. ISAC believes that analyzing attack models can assist satellite owners in reinforcing defense mechanisms and responding to such threats effectively.
ESA provided system descriptions and capabilities required for potential exploits. Besides information about OPS-SAT and a Satellite Experimental Processing Platform (SEPP) for software deployment, teams were granted access to the Nanosat Mission Operations Framework (NMF), which played a pivotal role in reconnaissance and resource development necessary for satellite utilization.
Utilizing their legitimate access (valid accounts), Thales deployed third-party software with concealed malicious payloads. Subsequently, leveraging elevated access rights, they infiltrated the satellite system and deployed malicious code, exploiting vulnerabilities within the system. This action disrupted the operation of flight software and led to the compromise of data that was sent to Earth, including altered onboard camera images and concealed geographical areas, while avoiding ESA detection.
In this manner, by aligning observed behavior with strategies outlined in the MITRE ATT&CK and Aerospace SPARTA frameworks, Space ISAC analysts identified key actions such as the integration of Intrusion Detection Systems (IDS), conducting vulnerability assessments, and implementing network segmentation. Instances like the OPS-SAT experiment assist the satellite industry in effectively preparing for future cyber threats.
Author: Nessa, Cyber Journalist
Photo: iss069e023948 (June 20, 2023) - Earth's atmosphere glimmers in this photograph from the International Space Station as it soars into a radiant orbital sunrise 257 miles above the Pacific Ocean.
You can support TheSIGN by becoming our SATELLITE. Click to learn more about sponsorship.