Helping the space industry stay aware of
incidents, threats & vulnerabilities

Briefing 41: Distributed Jamming and the Implications for Commercial Space

12/16/2025

Overview:

Recent academic research has introduced a new theoretical model for disrupting satellite communications using large swarms of airborne jamming platforms. While not an operational capability, the study reflects a growing interest in exploring scalable electronic warfare (EW) concepts tailored to counter modern low Earth orbit (LEO) broadband constellations. As the commercial space sector becomes more deeply integrated into critical services, research of this nature warrants attention, highlighting how adversaries may attempt to offset the resilience advantages enjoyed by satellite mega-constellations today.

China’s strategic community has long studied anti-satellite options through kinetic, cyber and electromagnetic means. Historically, most attention has focused on directed-energy systems, ground-based jammers and kinetic interceptors such as the FY-1C test in 2007. But as commercial LEO networks proliferate and demonstrate high redundancy, researchers are now exploring distributed, persistent and lower-cost EW concepts that could theoretically degrade services across wide areas. This evolution underscores a broader shift in counter-space strategy away from single-point, high-power systems toward networked, adaptive interference architectures—mirroring the very design principles that give modern constellations their resilience.

Summary of the Recent Research:

In November 2025, a peer-reviewed paper published in Systems Engineering and Electronics described simulation-based modeling of a distributed jamming network designed to disrupt mega constellation downlink communications. Conducted by teams from Zhejiang University and the Beijing Institute of Technology, the study examined how a large fleet of airborne jammers could interfere with satellite links over an area approximating the size of Taiwan.

The researchers used publicly available orbital data to simulate Starlink satellite positions, signal behaviors, and link variability across a 12-hour period, capturing the constellation’s dynamic mesh architecture. Their model tested both narrow-beam and wide-beam jammers and evaluated how a synchronized grid of drones could generate a high noise environment. Key findings from the research included countermeasures to Starlink’s decentralized architecture via a large-scale, distributed grid of jammers that could cause meaningful degradation of constellation performance. Theoretical minimum requirements call for at least 935 jammers, but real-world operations would likely require 1,000 to 2,000 nodes to achieve meaningful effect. The researchers did not assess how the PLA might protect such a fleet from air defenses, how long it would need to operate to produce strategic impact or what logistical footprint would be required to sustain operations.

Evolution of Electronic Warfare and Anti-Satellite Applications:

While speculative, the study aligns with several ongoing trends in China’s commercial and defense ecosystem. Over the past three years, China has experienced a surge in space-related companies, largely focused on small satellites, electronic payloads and dual-use technologies.

China’s November 2025 back-to-back orbital missions further demonstrate accelerating experimentation with distributed architectures, autonomy and on-orbit maneuverability. In parallel, Chinese policymakers have openly expressed concern about foreign LEO broadband constellations enabling resilient wartime communication, reinforced by lessons from the Russia-Ukraine conflict. Chinese strategists have also emphasized the need for countermeasures that do not escalate to high-visibility kinetic anti-satellite actions, suggesting that scalable EW approaches may be an increasingly attractive area of inquiry.

The concept of targeting satellite communications via electronic interference is not new. During the Cold War, both the United States and Soviet Union developed uplink and downlink jammers to disrupt military satellites in geostationary orbits. More recent examples include the fielding of ground-based jammers capable of interfering with GPS and sites capable of localized interference against LEO links. These systems, however, traditionally rely on fixed sites or a small number of high-power emitters. The newly published Chinese research departs from that model by exploring a mega-scale, airborne and distributed EW grid mirroring the move to large scale constellations of satellites. This is significant because distributed EW mirrors the broader trend toward resiliency through redundancy; adversaries are now studying how to apply the same principles against LEO systems themselves.

Significance to the Commercial Space Industry:

For LEO broadband operators, the research highlights an emerging class of theoretical threats that differ substantially from legacy jamming models. Satellite constellations are designed to route around localized interference, drop compromised links and maintain user connectivity through multi-path redundancy. But a synchronized, region-scale jamming grid could stress that redundancy by overwhelming multiple downlink paths simultaneously.

While the scale required makes this scenario difficult to execute, its mere consideration within Chinese academic circles suggests the PLA is assessing how distributed EW could offset the inherent advantages of commercial mega-constellations. For operators supporting defense, humanitarian, maritime or government clients, this reinforces the need to invest in adaptive anti-jam waveforms, crosslink prioritization, dynamic power allocation and multi-orbit interoperability.

Ultimately, the study reinforces concerns over the evolution of electronic warfare capabilities, and signals the potential development into redundant systems capable of degrading LEO constellation performance. For the commercial space sector, particularly LEO broadband providers, it underscores that future EW challenges may arise not from isolated high-power systems but from distributed, persistent and unconventional architectures designed to exploit the very resilience features that define today’s satellite networks.

---

Briefing 40: Operation DreamJob Expands Targeting of Europe’s Aerospace Sector

11/18/2025

Overview:

On 23 October 2025, new reporting revealed another coordinated wave of intrusions linked to Lazarus Group’s long-running “Operation DreamJob,” marking the latest escalation in cyber espionage activities against Europe’s aerospace and defense sectors. Lazarus is a cluster of North Korean-based cyber actors and is assessed as one of the most prolific advanced persistent threat (APT) groups. They have sustained a years-long series of cyber operations combining targeted social engineering, supply-chain abuse and stealthy multi-stage malware delivery.

The most recent activity reinforces a trend with direct relevance to the satellite communications industry: Threat actors are increasingly blending professional networking deception with developer-tool compromise to infiltrate sensitive engineering environments.

In the campaign observed this October, Lazarus operators posed as recruiters offering lucrative positions to mid- and senior-level engineers. Victims were contacted through LinkedIn or polished email correspondence mimicking legitimate hiring processes. Once engaged, targets received PDFs posing as job descriptions or interview materials. Opening these files initiated multi-stage loader chains delivering malware families that enabled reconnaissance, data theft and persistent access. According to ESET, victims spanned a metal engineering company in Southeastern Europe, an aircraft components manufacturer in Central Europe and a Central-European defense contractor—industries whose intellectual property holds long-term strategic value for Lazarus actors.

Operation DreamJob and Social Engineering:

Operation DreamJob pairs trust-based social engineering with technically adept malware delivery. Lazarus operators build credible recruiter identities, replicate real interview workflows and distribute professionally formatted documents to establish legitimacy. When victims open the malicious PDFs, embedded scripts initiate loader execution designed to bypass common endpoint defenses. This smooth transition from human manipulation to technical compromise is a defining feature of the campaign.

Once initial execution occurs, DreamJob proceeds through several controlled stages that minimize detection and enable tailored exploitation. Dropper components first fetch additional payloads from attacker infrastructure, followed by secondary implants that conduct reconnaissance, credential capture, and movement within the network. These implants then establish persistent access through registry, service, or scheduled task modification. Finally, data exfiltration occurs through encrypted channels or covert DNS, allowing Lazarus to extract proprietary engineering data and sensitive system information. This modular, multi-stage architecture allows the operators to remain hidden for extended periods and refine payloads to match the technical environment of each victim.

Impact on the Space Sector:

Although the latest reporting centers on terrestrial aerospace entities, the operational tradecraft directly maps to risks affecting satellite communications providers, component manufacturers and space-sector integrators. In 2024, ClearSky cybersecurity reported a DreamJob campaign targeting similar industry verticals in aviation, defense and aerospace. These environments share similar characteristics: globally distributed development teams, reliance on specialized engineering roles, extensive use of open-source tooling and multi-tier supply chains spanning both IT and OT domains. As these ecosystems converge, the attack surface expands accordingly.

State sponsored APT groups have consistently pursued foreign aerospace, sensor and propulsion technologies to advance military and space capabilities, and many groups have adapted social engineering TTPs similar to DreamJob over the past several years. Satellite communications infrastructure, particularly systems supporting imaging, navigation and command-and-control, aligns closely with those priorities. As commercial space assets become increasingly intertwined with defense operations and dual-use applications, the incentive to target upstream space-sector engineering workflows continues to grow.

Conclusion:

Operation DreamJob aligns with a broader trend in which North Korean threat actors exploit global remote-work and hiring practices to gain technical access. Recent analyses from Google’s Threat Analysis Group, the FBI and international CERTs have highlighted related campaigns in which adversaries impersonate recruiters, conduct fake technical interviews and distribute test packages or repositories embedded with malware families such as BeaverTail and InvisibleFerret. These operations are supported by a rapidly evolving toolset, including Python-based variants of previously Go-based implants like GolangGhost, demonstrating sustained adaptation in both programming languages and loader architectures.

A parallel line of activity involves workers embedding themselves directly as remote contractors within Western companies using forged identities and falsified résumés. Once inside, they obtain access to source-code repositories, deployment systems, internal communication platforms and cloud-hosted development environments. Although many of these operations focus on generating revenue for the regime, they routinely create access points that enable broader espionage and supply-chain compromise. DreamJob and related IT-worker campaigns collectively demonstrate how sophisticated state-sponsored actors are actively using a combination of social engineering tactics and multi-tiered malware payloads to infiltrate the lifecycles relevant to the development and production of space systems.

---

Briefing 39: RedNovember Expands Global Espionage Campaign to Target Aerospace and Space Sectors

10/21/2025

Overview:

On September 24, 2025, researchers from Recorded Future’s Insikt Group published a report exposing new activity from a Chinese state-sponsored advanced persistent threat (APT) group tracked as RedNovember. Previously identified as TAG-100, the group has continued to evolve its tradecraft and broaden its targeting scope, conducting sophisticated cyber-espionage operations against both government and private sector entities. Recent analysis indicates that RedNovember’s interests now prominently include the defense, aerospace, and space industries, marking a significant escalation in their global operations.

Expanding Scope and Tactical Evolution:

Initially observed in mid-2024 targeting Asia-Pacific intergovernmental bodies, RedNovember leveraged open-source tools and public exploits to gain access to vulnerable networks. Since then, their campaigns have expanded geographically and strategically, targeting entities across the U.S. Defense Industrial Base (DIB) and European space organizations. The group’s methods closely align with other China-nexus APTs, including Salt Typhoon, Volt Typhoon and Silk Typhoon, which are known to exploit perimeter devices and edge infrastructure to maintain persistence and evade detection.

RedNovember has demonstrated consistent interest in exploiting popular edge devices from major vendors such as Cisco, Palo Alto Networks, SonicWall, Fortinet, F5 and Sophos. These technologies have all been impacted by widely publicized vulnerabilities in recent years, many of which were later weaponized by both state and non-state actors. By exploiting these known weaknesses, RedNovember minimizes development costs while maximizing operational impact.

The group’s exploitation of these perimeter technologies also underscores a persistent challenge in enterprise cybersecurity: the lag between public disclosure of vulnerabilities and widespread patch adoption. Their ability to capitalize on these gaps exemplifies how threat actors are effectively combining weaponized proof-of-concept (PoC) exploits with open-source post-exploitation frameworks such as Pantegana, a Go-based backdoor and Cobalt Strike. This approach reduces technical barriers for operators and enables more advanced actors to conceal their involvement by avoiding the use of bespoke malware.

Attack Pattern and Sophistication:

RedNovember’s preference for open-source and commercially available command-and-control (C2) frameworks provides a layer of deniability and complicates attribution. Their operations often blend into the background noise of legitimate red team or penetration testing activity, making detection and source attribution significantly more difficult.

This tradecraft reflects a broader shift among state-sponsored actors toward leveraging publicly available tooling. Such strategies not only obscure attribution but also reduce operational costs, allowing for sustained campaigns against multiple targets. The use of frameworks like Pantegana and Cobalt Strike further suggests an emphasis on operational agility and flexibility across global infrastructures.

Impact to the Space Sector:

RedNovember’s expanding focus on the space domain adds a critical dimension to their evolving threat profile. In April 2025, Insikt Group identified communications between a RedNovember reconnaissance and exploitation server and infrastructure tied to a European space-focused research center. The group also conducted port scanning and reconnaissance activity targeting prominent U.S. aerospace and defense organizations in July 2024, signaling a deliberate effort to map and probe critical assets within this sector.

While no confirmed exploitation resulted from those early probes, subsequent campaigns in early 2025 suggest that RedNovember transitioned from reconnaissance to active compromise attempts, particularly against organizations associated with aerospace engineering, satellite communications, and defense manufacturing.

In March 2025, for instance, Insikt Group observed a RedNovember-controlled IP address interacting with a SonicWall SSL-VPN instance belonging to a U.K.-based manufacturer specializing in bespoke cable harnessing for aerospace and defense applications. This targeting activity reflects a growing emphasis on compromising vendors integral to the aerospace and space supply chain, a recurring theme among APT operations in recent years.

Operational Overlaps and Strategic Continuity:

RedNovember’s campaigns exhibit operational overlaps with several unnamed clusters previously documented by Proofpoint, including UNK_DropPitch, UNK_FistBump, UNK_SparkyCarp and UNK_ColtCentury. These clusters share common targeting patterns, particularly against Taiwan’s semiconductor industry, and demonstrate a unified strategic objective of gathering intelligence across sectors critical to national and technological development.

Recorded Future’s earlier reporting from May 2024 linked TAG-100 (now RedNovember) to cyber-espionage operations against two prominent Asia-Pacific government bodies, providing continuity between the group’s regional focus and its newer campaigns across Europe and North America. These overlaps reinforce the assessment that RedNovember operates as part of a larger ecosystem of cyber-espionage actors, sharing infrastructure, tooling, and objectives across multiple operational clusters.

Conclusion:

RedNovember’s continued evolution underscores a key strategic trend in sophisticated cyber operations: the use of low-cost, high-efficacy methods to pursue broad intelligence-gathering objectives across sectors that underpin national security and technological dominance. By exploiting readily available exploits and tools, RedNovember achieves both scalability and plausible deniability, which are key attributes of a sophisticated threat.

For the space and defense sectors, this campaign serves as another reminder that edge devices and remote access solutions remain prime attack surfaces, particularly as organizations expand hybrid and distributed operations. The group’s consistent focus on these technologies demonstrates not only their tactical value but also their potential as gateways into highly sensitive networks.

---

Briefing 38: Shai-Hulud Supply Chain Campaign Highlights Vulnerabilities in Open-Source Ecosystems

9/23/2025

Overview:

Throughout 2025, the Node Package Manager (NPM) ecosystem has been repeatedly targeted in fast-moving supply chain attacks. Threat actors have flooded the NPM registry with malicious packages, compromised maintainers, and disguised malware within widely used dependencies. By exploiting the trust placed in open-source repositories, attackers aim to gain access to continuous integration and continuous development (CI/CD) environments. These compromises pose a serious threat to research, development and operational activities across the global space sector, where software reliability and security are critical.

Shai-Hulud Attack:

On 15 September 2025, researchers identified more than 187 malicious packages uploaded to the NPM registry as part of an ongoing supply chain campaign. The attack, dubbed Shai-Hulud, involved a self-replicating worm designed to steal developer and maintainer credentials and publish them to GitHub.

The first wave of compromises began on 14 September, when attackers trojanized the popular @ctrl/tinycolor package alongside over 40 other NPM packages. Subsequent reporting from Socket confirmed additional compromises, including multiple CrowdStrike NPM packages that were later removed. At the time of this writing, Socket is tracking over 500 affected packages.

The worm’s functionality includes harvesting developer and cloud credentials, validating them, injecting malicious GitHub Actions workflows to establish persistence and exfiltrating secrets to attacker-controlled webhooks. These tactics align with a larger trend of open-source malware and targeted maintainer compromises that undermine CI/CD pipelines—workflows critical to the commercial space industry’s ability to develop, test and deploy software.

NPM and the Open-Source Supply Chain:

NPM is both a command-line tool and an online repository for JavaScript packages. Its widespread use across development teams and automated build systems makes it a high-value target for adversaries. A single malicious update can cascade across thousands of downstream projects and CI/CD pipelines.

Attackers therefore focus on maintainers, publishing credentials and CI systems to distribute malicious code at scale. This tactic has grown sharply in recent quarters. According to Sonatype’s 2025 Open Source Malware Index Report, open-source malware increased 188% year-over-year, with exfiltration-focused payloads now the dominant type. This surge means that nearly any organization relying on open-source packages risks encountering trojanized code during its development lifecycle.

Other Recent Examples:

Beyond Shai-Hulud, several other incidents illustrate the breadth of NPM-focused activity. In late August 2025, attackers exploited GitHub Actions to steal an NPM token, which they then used to publish malicious Nx packages. This compromise exposed thousands of secrets before mitigation measures were enacted. In early to mid-September, multiple popular packages, including debug, chalk and ansi-styles, were trojanized following a targeted phishing campaign against a maintainer. The attack enabled a credential- and crypto-stealer payload with the potential to affect millions of downstream developers.

In addition, prior campaigns attributed to foreign IT worker cluster known as Contagious Interviewand the broader Lazarus APT group leveraged typosquatting and custom loaders to distribute more than 60 malicious NPM packages.

These incidents collectively demonstrate adversaries’ reliance on phishing, social engineering and MFA bypasses to compromise maintainers, followed by the abuse of legitimate tools such as TruffleHog for secrets discovery and CI automation frameworks like GitHub Actions. Attribution remains complex, with activity ranging from opportunistic, financially motivated actors to more sophisticated, state-linked operators using NPM as an infrastructure vector.

Conclusion:

Taken together, these incidents highlight recurring characteristics of NPM supply chain compromises. First, they represent a novel but increasingly common avenue for adversaries to penetrate trusted ecosystems. Second, threat actors consistently exploit social engineering and phishing to bypass MFA safeguards and seize maintainer accounts. Third, they disguise malware within widely used packages to opportunistically target CI/CD environments at scale. Finally, the focus on developer workflows underscores a strategic effort to compromise the very processes that underpin software innovation.

The repeated targeting of NPM—alongside other repositories such as GitHub and PyPI—illustrates a repeatable and scalable model for supply chain attacks. For the space sector, which relies on rapid iteration, rigorous testing and secure software deployment, these attacks pose systemic risks. As adversaries continue to refine their techniques, building resilience into CI/CD pipelines and open-source dependencies will be essential to safeguarding mission-critical research and operations.

---

Briefing 37: Assessing LAMEHUG: The Evolution of Adversarial AI from Support Tool to Core Capability

8/26/2025

Overview:

Generative AI is reshaping the cyberthreat landscape as advanced persistent threats (APTs) and cybercriminals continue to integrate AI into their operations. While AI offers transformative benefits for cybersecurity defense, it also creates new risks when exploited by malicious actors. Initially, adversarial use of AI primarily enhanced existing methods by making traditional cyberattacks more efficient and scalable. Recent developments, however, point to a shift toward AI-driven malware that enables entirely new capabilities, marking a significant evolution in the threat environment.

Recent Assessments of Adversary use of AI

By late 2024 and early 2025, leading AI firms began publishing detailed accounts of adversarial AI misuse. In October 2024, OpenAI confirmed that threat actors had leveraged GPT models during the intermediate stages of cyberattacks. These models were not employed to develop novel malware, but rather to refine phishing lures, generate scripts and conduct reconnaissance. Similarly, in January 2025, Google Threat Intelligence reported that its Gemini platform was used by APT groups to support reconnaissance, resource development and evasion activities.

Both cases demonstrated how adversaries relied on generative AI to accelerate cyber operations. These efforts improved efficiency, lowered the barrier to conducting certain attack phases and increased scalability. Importantly, however, the misuse of commercial AI models during this period did not produce fundamentally new techniques. The threat landscape seemed to be shaped by incremental gains rather than by the introduction of entirely novel capabilities.

Nation State Activity:

The adoption of AI by nation-state actors largely followed established patterns of activity consistent with their geopolitical and strategic objectives. Iranian-linked groups accounted for the majority of observed AI-enabled intrusions, frequently using generative AI to enhance reconnaissance against defense organizations and to craft convincing spearphishing and influence operations. Chinese-backed actors integrated AI into privilege escalation, lateral movement and data exfiltration efforts, applying AI tools to increase stealth and effectiveness once access was obtained. North Korean actors used AI for fraudulent purposes, such as developing fake job applications to infiltrate organizations and acquiring infrastructure to support further intrusions.

By contrast, Russian actors had shown relatively limited engagement with AI up until mid-2025. This perception shifted dramatically with the discovery of a new AI-powered malware family attributed to APT28, signaling that Russian-linked groups are now willing to experiment with AI not just as a supporting tool but as the foundation of offensive operations.

LAMEHUG Malware:

In mid-2025, the Computer Emergency Response Team of Ukraine (CERT-UA) identified LAMEHUG, the first publicly confirmed AI-powered malware, and attributed its use to the Russian-backed APT28 group. LAMEHUG was distributed through phishing campaigns launched from compromised official accounts and targeted Ukrainian executive and defense authorities.

The malware is written in Python and is unique in that it integrates directly with Hugging Face’s Qwen 2.5-Coder-32B-Instruct model. Instead of relying on pre-coded commands, LAMEHUG uses the large language model to generate commands in real time based on plain-text prompts. CERT-UA observed the malware producing commands for reconnaissance, execution and data exfiltration, making it the first example of an AI system serving as the operational core of a malware framework. This marks a significant departure from earlier cases where AI was used to enhance supporting tasks such as phishing or scripting but not to drive attack execution itself.

Significance to the Space Industry:

The emergence of LAMEHUG represents a turning point in the cyberthreat landscape with direct implications for the space industry. For years, space organizations have faced persistent targeting by APT28 and other state-backed actors due to their close alignment with government, defense and critical infrastructure interests. By deploying AI-powered malware, adversaries can now adapt dynamically to highly specialized environments that are common across the space sector, including satellite ground stations, aerospace manufacturing facilities and operations networks that integrate both IT and OT components.

Traditional malware often struggles against bespoke systems or hardened environments because its commands must be prewritten and static. LAMEHUG changes this by introducing adaptability, enabling malware to generate commands on the fly in response to its environment. In a space industry context, this could allow adversaries to issue reconnaissance commands tailored to unique mission control systems, modify payload execution to bypass specialized defenses or exfiltrate sensitive technical data in ways optimized by AI-generated logic. This adaptability raises the likelihood that malware could penetrate supply chains, compromise engineering environments or persist within critical mission operations.

The broader convergence of nation-state experimentation with AI, exemplified by LAMEHUG, and the parallel rise of criminal AI tools such as GhostGPT underscores a widening spectrum of AI-enabled threats. Space organizations may soon face both highly adaptive espionage malware deployed by state adversaries and mass-produced AI-driven tools circulating in criminal ecosystems. For defenders, the lesson is clear: AI is no longer simply accelerating adversarial operations but is beginning to transform how attacks are executed. For the space industry, which sits at the intersection of government, defense and critical infrastructure, this evolution poses a direct and urgent risk.

---

Briefing 36: Targeting IT Services: How Social Engineering Campaigns Threaten the Space Sector

7/29/2025

Overview:

While the dialogue around security for the space sector often centers around sophisticated and destructive attacks, recent campaigns highlight a different but equally dangerous vector: the deliberate targeting of IT services and personnel through social engineering. This shift exploits the reality that many critical systems and identities depend on trusted IT help desks, external service providers and the global talent pipeline that supports development and operations.

Two ongoing campaigns illustrate how threat actors capitalize on this vector. The first is Scattered Spider, a financially motivated group that compromises organizations by impersonating employees and manipulating help desk processes. The second is the set of North Korean IT worker schemes, where actors linked to the Democratic People’s Republic of Korea infiltrate the global IT workforce by posing as legitimate remote developers while simultaneously deploying backdoors through the software supply chain.

Although neither campaign shows a deliberate, strategic focus on the space sector, both reveal techniques highly relevant to space organizations because of their heavy dependence on third-party IT services and highly specialized external talent.

Significance to the Space Sector:

Space companies increasingly rely on federated networks of contractors, managed security service providers (MSSPs) and cloud-based identity platforms such as single sign-on (SSO) and virtual desktop infrastructure (VDI). The technical complexity of these environments often outpaces security controls, while operational demands encourage flexibility and speed in hiring and onboarding specialized talent. This combination creates fertile ground for attackers who can bypass hardened perimeters simply by convincing someone in IT to grant access, or by being welcomed into the workforce itself.

The consequences of compromise can cascade quickly: Credentials reset by a manipulated help desk could enable lateral movement into ground control or mission planning systems. Similarly, a compromised developer could introduce malicious code into software supporting satellite command and control or data processing. In the space sector, where even small disruptions can have strategic and commercial impact, these threats demand serious attention.

North Korean IT Worker Threats:

North Korean IT worker campaigns remain active and have recently expanded in scope and scale, as documented by Google’s Threat Intelligence Group and recent IC3 advisories. These actors actively impersonate recruiters, engage in fake technical interviews and convince software developers to install test packages or clone repositories containing malware like BeaverTail and InvisibleFerret. Cisco Talos has recently documented a Python variant of GolangGhost RAT, showing the actors’ continued technical evolution.

In parallel, North Korean IT workers embed themselves as remote contractors within Western companies by submitting forged credentials and stolen identities. Once hired, they can access proprietary source code, deployment systems and internal chat tools, creating opportunities for direct financial gain and potential supply chain attacks. While these campaigns primarily aim to generate hard currency and support weapons development, they create pathways for broader espionage.

For space companies that depend on globally sourced software developers and contractors, these tactics are particularly concerning. Even without a declared strategic focus on space, the methods and objectives align closely with vulnerabilities present in complex space-sector IT ecosystems. These tactics were replicated in the “Dream Job” campaign that targeted the aerospace industry in November 2024.

Scattered Spider:

Scattered Spider, also tracked as Octo Tempest, demonstrates a different but equally effective approach to targeting IT services. The group actively collects employee data from leaks and open sources, then contacts help desks to impersonate legitimate staff and request password resets or multifactor authentication (MFA) resets. Using accurate personal information, they bypass security checks and gain access to cloud identity platforms like Microsoft Entra ID and SSO portals.

Once inside, they deploy ransomware such as ALPHV (BlackCat) and DragonForce, and sometimes use legitimate IT tools to deepen their foothold. Recent reporting shows that these operations are ongoing, and in July 2025, the group extended its targeting to aviation and transportation, including a high-profile attack on Qantas impacting roughly six million customers.

Originally, Scattered Spider targeted customer relationship management providers and IT service firms supporting business operations. Over time, they have broadened their reach to retail, hospitality, financial services and manufacturing. Though the group has not demonstrated a strategic focus on space, their pivot toward aviation and history of compromising IT providers underscores the possibility that high-profile space organizations relying on outsourced IT could be future targets.

The Convergence of Social Engineering and IT Targeting:

These campaigns converge on a single insight: By focusing on IT services and workforce pipelines, attackers can bypass even the most advanced technical defenses. Whether through direct impersonation of help desks or infiltration of the developer workforce, both approaches exploit organizational dependencies on trusted IT personnel and external partners.

For space organizations, the implications are clear. The combination of outsourced IT services, complex supply chains and reliance on highly specialized talent creates multiple opportunities for adversaries. Even when actors do not prioritize space as a strategic target, the shared infrastructure and service providers that connect industries mean that space organizations remain exposed.

Recent reports from leading security firms and government agencies confirm that these campaigns remain active and evolving. As space organizations modernize operations and deepen reliance on external IT and cloud services, defending against social engineering requires more than technical solutions. Strengthening verification processes at help desks, tightening contractor onboarding, monitoring for suspicious software dependencies and reinforcing employee awareness are all critical measures.

---

Learn More About Space ISAC

Are you interested in learning more about threats to space systems? Visit our website at spaceisac.org to learn more about security for space and how to become a member.