In recent times, space systems have become a new frontier, simultaneously a domain of technical progress and, unfortunately, of emerging threats. The Space ISAC tracks the cybersecurity events that space systems worldwide encounter. This overview highlights the Space ISAC's recent research - from organized cyberattacks targeting satellite networks, exemplified by the GhostSec subgroup's alleged GNSS compromise, to the discovery of vulnerabilities such as the remote code execution vulnerability (ESXiArgs) in VMware ESXi, and the increasing menace of ransomware, such as the rapidly evolving LockBit ransomware, which poses a significant risk to critical space infrastructure.
“GhostSec”, a provocative subgroup of Anonymous, demonstrates elevated technical prowess and sophistication in its attacks. In March 2023, GhostSec shared “evidence” of an attack on Global Navigation Satellite Systems (GNSS), showcasing in a tweet several images of a GNSS receiver as proof of their network access. GNSS plays a critical role in position, velocity, and time determination, used in navigation, transportation, and scientific research.
Later, in early April 2023, the user @V_GhostSec (associated with GhostSec) claimed on Twitter that they had compromised 11 different GNSS satellite receivers linked to Russian and Israeli infrastructure and deleted up to 30 GB of data on each satellite.
If these claims are true, such attacks could have substantial consequences and point to vulnerabilities in satellite ground networks, including access gateways, remote terminal units (RTUs) and controllers that provide access to remote communications.
Furthermore, in January 2023, GhostSec publicly stated it had successfully hacked an RTU, a device commonly used in satellite communication. However, the compromised device was later identified as a communication gateway.
Thus, the trend underscores that hacking groups like GhostSec are increasingly focusing on Operational Technology (OT) and Industrial Control Systems (ICS). This shift holds significant implications for the space industry, impacting both military and commercial organizations reliant on ground stations and command and control networks.
On March 30th, the Space ISAC launched its Watch Center, which monitors threats to both ground and space environments and provides comprehensive information about space risks. Analysts will be able to track threats, anomalies, and adversary actions, generating reports on cyber threats, intentional interference, and orbital activities. The Watch Center is a significant advancement for the Space ISAC, expanding its capabilities to detect and analyze risks related to radio frequency electromagnetic interference (RF EMI), anomalous satellite maneuvers, nation-state actor activities, and cyber threat reconnaissance.
Recently, ransomware attacks, particularly those by LockBit, have surged, with LockBit contributing to a 45% increase in reported ransomware incidents from January to February 2023. Aerospace companies, including manufacturers and distributors in the space supply chain, have been targeted by LockBit. For instance, LockBit claims to have breached Maximum Industries' systems and stolen around 3000 aerospace-related seats.
Importantly, since 2019, LockBit has rapidly evolved into one of the most active and dangerous threats. LockBit 3.0, also known as “LockBit Black”, represents the latest modular and evasive version, operating under a Ransomware-as-a-Service (RaaS) business model akin to Software-as-a-Service (SaaS).
After gaining initial network access primarily through purchased access or unpatched vulnerabilities, LockBit establishes control over victim systems, gathers network information, and accomplishes core objectives such as data theft and encryption. Alternatively, an Initial Access Broker (IAB) deploys malicious software to gain entry into the target organization's infrastructure, subsequently selling this access to the main LockBit operator for further utilization.
LockBit's success lies in sophisticated malware development and collaboration with its affiliates, which together ensure diverse infection methods and persistent access to victim systems.
LockBit 3.0 has launched direct and indirect attacks on aerospace companies through supply chain vulnerabilities, and its sophisticated attacks pose a significant risk to critical infrastructure that requires robust cybersecurity measures.
In early February, a previously known vulnerability in the VMware ESXi virtualization platform resurfaced, leading to ransomware attacks and other malicious activity on ESXi servers worldwide. The vulnerability, initially patched in 2021, enables remote code execution (RCE), allowing attackers to run malicious commands remotely. Despite the patch, the exploit remained active, indicating either partial mitigation or the development of bypass methods by malicious actors.
CISA and CERT began warning about the exploit known as ESXiArgs in February 2023. A released recovery script proved ineffective, as a new version of the malware bypassed it, and the number of compromised servers increased. According to reports, the initial count of compromised servers was around 4000, and it later surged significantly. Organizations running outdated and unpatched ESXi versions were at risk.
As virtualization becomes an increasingly integral part of space systems, organizations must prioritize installing the updates released for known vulnerabilities and collaborate with suppliers, CERTs, and governmental entities to ensure that existing cybersecurity measures remain effective against new threats like ESXiArgs.
Author: Nessa, Cyber Journalist
Photo: Mati Mango/Pexels