Hackers Chasing Aerospace Segment Hard - European Space Agency Targeted Twice in a Week

In the past few months, cybercriminals around the world have been targeting aerospace agencies and their associated contractors. Targets have included NASA contractors such as VT San Antonio Aerospace Inc. and Digital Management Inc. (DMI) and, most recently, the European Space Agency (ESA).

ESA hit twice

The ESA was hit twice within a week.
  • The Ghost Squad Hackers (GSH) targeted the business website of the ESA twice, but their messages did not clearly state a specific motive.
  • In their first attempt in mid-July, the GSH group exploited a Server-Side Request Forgery (SSRF) remote code execution vulnerability in the agency’s server and gained access to the website (https://business[.]esa[.]int/).
  • Within the next few days, the same hackers found another private SSRF vulnerability, this time in a different domain (https://space4rail[.]esa[.]int).

Other aerospace agencies and contractors on target

Several aerospace agencies and their supporting contractors have been targeted by various hackers in the past few months.
  • Last month, members of the Lazarus Group were seen using fake LinkedIn job recruiter profiles and private messages to approach employees working at European aerospace and military companies, including Collins Aerospace and General Dynamics.
  • In the same month, VT San Antonio Aerospace Inc., a contractor that provides maintenance, repair, and overhaul services for aircraft, was hit by a Maze ransomware attack that affected its U.S. commercial operations.
  • Digital Management Inc. (DMI), NASA's IT contractor that provides managed IT and cyber-security services on demand, was targeted by the DoppelPaymer ransomware actors.

SpaceX - A recurring target for impersonation attacks

Scammers have long been impersonating the SpaceX brand and its founder Elon Musk to promote bitcoin giveaway scams. Musk was also targeted by hackers in the most recent massive Twitter heist, and his name has been used to create fake YouTube channels that promote similar cryptocurrency scams.