What’s in Your Network? Multiple Threat Actors Found in Single Environment


November 14, 2023

RESTON, Va. — Anyone who has dealt with pests knows there’s no such thing as one mouse or one insect. The same might be said of the cybersecurity threat environment for space and aerospace.

The cyberthreat intelligence group Mandiant recently reported that it found multiple threat actors operating within a single victim environment in approximately 27% of compromise cases.

“When you start to think about, gee, maybe you detected one compromise, one threat actor, keep looking. That’s what the data is telling us,” Erin Joe, Senior Vice President of Strategy and Alliances at Mandiant, emphasized at CyberSatGov last week, referring to the finding that multiple actors were present in more than a quarter of cases.

Additionally, Mandiant has collected data indicating at least 1 in 10 companies will experience a cyber “reinfection,” underscoring the importance of persistent threat monitoring.

Joe noted that threat actors will sometimes break into a network and take information that they work on for years “to effectuate a worse compromise next time.” She continued, “This is already happening.”

The threat of an attack by multiple actors was reiterated by Tim Schaad, Vice President of Innovative Engineering at ManTech, who also spoke on a panel about proactively seeking out network vulnerabilities. “We’ve seen certain environments…where there were so many threat actors running around that they were stepping on each other. They were actually interfering with each other’s operations because they were all using the same resources.”

Overturning Assumptions About Adversary Capabilities

Since the hacking of Viasat’s KA-SAT network in 2022, space and aerospace leaders have begun to be more public in checking assumptions about the security of space systems and the capabilities of sophisticated threat actors. There is also a growing appreciation of the size of the attack surface—from legacy ground systems to satellite payloads, cloud-based applications to hardware, software and firmware.

Potential on-orbit vulnerabilities were highlighted in the past year, with researchers demonstrating the ability to take control of an ESA nanosatellite. Similarly, DEF CON hosted Hack-A-Sat 4, where more than 6,000 white hat hackers attacked and attempted to operate a 3U CubeSat.

According to security experts at CyberSatGov, threat actors are demonstrating increased capabilities. Exploits considered unthinkable several years ago are now being seen inside satellite operating environments, including breaching firewalls and compromising edge devices, VPNs and hypervisors. Ethical hackers have demonstrated an ability to gain complete control of a satellite from an external location on the ground while exploiting nothing more severe than Category 3 (CAT 3) vulnerabilities, which are typically considered minor enough to be overlooked.

Dr. Ang Cui, Founder and Chief Scientist at Red Balloon, which specializes in firmware security solutions, described a satellite system breach that involved moving from machine to machine. “We were able to pivot from outside to the satellite in a typical ground control system setup without touching a single general purpose computer.”

Given the security conditions, it won’t take long for a company engaged in a threat hunting exercise to find vulnerabilities, Cui said. “The interesting question is, OK, now that you have this big old bucket of problems you found, what do you do? Which threat do you take care of first?”

Death by a Thousand Patches

Read the full article: https://www.kratosspace.com/constellations/articles/whats-in-your-network-multiple-threat-actors-found-in-single-victim-environment
