Tereza Pultarova

Cyberthieves hit European Space Agency, stealing hundreds of gigabytes of data

The European Space Agency (ESA) is recovering from a string of cyberattacks that leaked hundreds of gigabytes of potentially sensitive data onto dark web forums.

The agency responded by launching a criminal investigation against the unknown hackers. But a leading space cybersecurity researcher warns that many such attacks have previously gone unnoticed and that sensitive data including email credentials of ESA, and also NASA, employees are frequently offered for sale on dark web forums.

ESA got some coal in its stocking this past Christmas. On Boxing Day, reports emerged of a trove of data containing the agency's proprietary software, authorization credentials, access tokens and sensitive project documentation being publicly accessible online. A hacker operating under the code name 888 dumped his cyber loot of more than 200 gigabytes on a dark web forum.

ESA quickly minimized the breach, saying its impact was "limited." But only a week after that statement was made, The Register revealed that a cybercrime group known as Scattered Lapsus$ Hunters stole another 500 gigabytes of data from the agency, claiming the security hole was still unpatched. That batch of data included operational procedures, spacecraft and mission details, subsystems documentation, and proprietary contractor data from ESA partners including SpaceX, Airbus Group, and Thales Alenia Space, according to The Register.

Despite the agency's initially tepid response, ESA representatives said in a press briefing held online on Jan. 8 that the incidents prompted a criminal investigation, which is currently underway.

"ESA is fully cooperating with the authorities," Eric Morel de Westgaver, ESA's director of European, legal and international matters, said in the briefing. "These authorities will manage the communication regarding the case, as those authorities will be in charge of the criminal proceedings."

Cybersecurity researcher Clémence Poirier, of the Center for Security Studies at ETH Zurich, told Space.com that cyberattacks against space agencies are not isolated incidents. In fact, she said that during her research she frequently encounters email credentials belonging to employees of ESA and other space agencies being sold on dark web forums.

"It may be due to a lack of cyber hygiene from ESA staff," Poirier told Space.com. "Threat actors may have obtained credentials through infostealer malware, which can harvest web-browser-stored data, which includes credentials, session cookies, [multi-factor authentication] data, saved credit cards, etc."

Infostealers are an insidious type of malware that can evade detection by anti-virus software. These computer viruses often spread through malicious ads embedded in popular websites or infected links in YouTube video descriptions, according to SpyCloud.

Another source familiar with the space cyber risk environment who didn't wish to be named said that space agencies are a common target of cyber attacks. NASA, especially, is a frequent victim of hackers, with vulnerabilities being disclosed "almost every day" via the crowdsourced cybersecurity platform BugCrowd.

Poirier added that, although the content of the recent leaks "did not seem highly critical," it could be combined in the future with data stolen in subsequent breaches to "reveal strategic information that could enable another cyberattack against a space system."

"We are not there yet, but it's important to keep in mind," she said.

She added that vulnerabilities might exist on the side of ESA's software providers or other third parties the agency purchases services from. ESA's own networks, too, might be hiding unpatched security holes that could allow hackers to access confidential information.

"Data leaks and breaches against space agencies are common," Poirier said. "It can happen to each agency and will happen to each agency in the future considering the rise of cyberattacks against the space sector."
