Helping the space industry stay aware of
incidents, threats & vulnerabilities

Briefing 38: Shai-Hulud Supply Chain Campaign Highlights Vulnerabilities in Open-Source Ecosystems

9/23/2025

Overview:

Throughout 2025, the Node Package Manager (NPM) ecosystem has been repeatedly targeted in fast-moving supply chain attacks. Threat actors have flooded the NPM registry with malicious packages, compromised maintainers, and disguised malware within widely used dependencies. By exploiting the trust placed in open-source repositories, attackers aim to gain access to continuous integration and continuous development (CI/CD) environments. These compromises pose a serious threat to research, development and operational activities across the global space sector, where software reliability and security are critical.

Shai-Hulud Attack:

On 15 September 2025, researchers identified more than 187 malicious packages uploaded to the NPM registry as part of an ongoing supply chain campaign. The attack, dubbed Shai-Hulud, involved a self-replicating worm designed to steal developer and maintainer credentials and publish them to GitHub.

The first wave of compromises began on 14 September, when attackers trojanized the popular @ctrl/tinycolor package alongside over 40 other NPM packages. Subsequent reporting from Socket confirmed additional compromises, including multiple CrowdStrike NPM packages that were later removed. At the time of this writing, Socket is tracking over 500 affected packages.

The worm’s functionality includes harvesting developer and cloud credentials, validating them, injecting malicious GitHub Actions workflows to establish persistence and exfiltrating secrets to attacker-controlled webhooks. These tactics align with a larger trend of open-source malware and targeted maintainer compromises that undermine CI/CD pipelines—workflows critical to the commercial space industry’s ability to develop, test and deploy software.

NPM and the Open-Source Supply Chain:

NPM is both a command-line tool and an online repository for JavaScript packages. Its widespread use across development teams and automated build systems makes it a high-value target for adversaries. A single malicious update can cascade across thousands of downstream projects and CI/CD pipelines.

Attackers therefore focus on maintainers, publishing credentials and CI systems to distribute malicious code at scale. This tactic has grown sharply in recent quarters. According to Sonatype’s 2025 Open Source Malware Index Report, open-source malware increased 188% year-over-year, with exfiltration-focused payloads now the dominant type. This surge means that nearly any organization relying on open-source packages risks encountering trojanized code during its development lifecycle.

Other Recent Examples:

Beyond Shai-Hulud, several other incidents illustrate the breadth of NPM-focused activity. In late August 2025, attackers exploited GitHub Actions to steal an NPM token, which they then used to publish malicious Nx packages. This compromise exposed thousands of secrets before mitigation measures were enacted. In early to mid-September, multiple popular packages, including debug, chalk and ansi-styles, were trojanized following a targeted phishing campaign against a maintainer. The attack enabled a credential- and crypto-stealer payload with the potential to affect millions of downstream developers.

In addition, prior campaigns attributed to foreign IT worker cluster known as Contagious Interviewand the broader Lazarus APT group leveraged typosquatting and custom loaders to distribute more than 60 malicious NPM packages.

These incidents collectively demonstrate adversaries’ reliance on phishing, social engineering and MFA bypasses to compromise maintainers, followed by the abuse of legitimate tools such as TruffleHog for secrets discovery and CI automation frameworks like GitHub Actions. Attribution remains complex, with activity ranging from opportunistic, financially motivated actors to more sophisticated, state-linked operators using NPM as an infrastructure vector.

Conclusion:

Taken together, these incidents highlight recurring characteristics of NPM supply chain compromises. First, they represent a novel but increasingly common avenue for adversaries to penetrate trusted ecosystems. Second, threat actors consistently exploit social engineering and phishing to bypass MFA safeguards and seize maintainer accounts. Third, they disguise malware within widely used packages to opportunistically target CI/CD environments at scale. Finally, the focus on developer workflows underscores a strategic effort to compromise the very processes that underpin software innovation.

The repeated targeting of NPM—alongside other repositories such as GitHub and PyPI—illustrates a repeatable and scalable model for supply chain attacks. For the space sector, which relies on rapid iteration, rigorous testing and secure software deployment, these attacks pose systemic risks. As adversaries continue to refine their techniques, building resilience into CI/CD pipelines and open-source dependencies will be essential to safeguarding mission-critical research and operations.

---

Briefing 37: Assessing LAMEHUG: The Evolution of Adversarial AI from Support Tool to Core Capability

8/26/2025

Overview:

Generative AI is reshaping the cyberthreat landscape as advanced persistent threats (APTs) and cybercriminals continue to integrate AI into their operations. While AI offers transformative benefits for cybersecurity defense, it also creates new risks when exploited by malicious actors. Initially, adversarial use of AI primarily enhanced existing methods by making traditional cyberattacks more efficient and scalable. Recent developments, however, point to a shift toward AI-driven malware that enables entirely new capabilities, marking a significant evolution in the threat environment.

Recent Assessments of Adversary use of AI

By late 2024 and early 2025, leading AI firms began publishing detailed accounts of adversarial AI misuse. In October 2024, OpenAI confirmed that threat actors had leveraged GPT models during the intermediate stages of cyberattacks. These models were not employed to develop novel malware, but rather to refine phishing lures, generate scripts and conduct reconnaissance. Similarly, in January 2025, Google Threat Intelligence reported that its Gemini platform was used by APT groups to support reconnaissance, resource development and evasion activities.

Both cases demonstrated how adversaries relied on generative AI to accelerate cyber operations. These efforts improved efficiency, lowered the barrier to conducting certain attack phases and increased scalability. Importantly, however, the misuse of commercial AI models during this period did not produce fundamentally new techniques. The threat landscape seemed to be shaped by incremental gains rather than by the introduction of entirely novel capabilities.

Nation State Activity:

The adoption of AI by nation-state actors largely followed established patterns of activity consistent with their geopolitical and strategic objectives. Iranian-linked groups accounted for the majority of observed AI-enabled intrusions, frequently using generative AI to enhance reconnaissance against defense organizations and to craft convincing spearphishing and influence operations. Chinese-backed actors integrated AI into privilege escalation, lateral movement and data exfiltration efforts, applying AI tools to increase stealth and effectiveness once access was obtained. North Korean actors used AI for fraudulent purposes, such as developing fake job applications to infiltrate organizations and acquiring infrastructure to support further intrusions.

By contrast, Russian actors had shown relatively limited engagement with AI up until mid-2025. This perception shifted dramatically with the discovery of a new AI-powered malware family attributed to APT28, signaling that Russian-linked groups are now willing to experiment with AI not just as a supporting tool but as the foundation of offensive operations.

LAMEHUG Malware:

In mid-2025, the Computer Emergency Response Team of Ukraine (CERT-UA) identified LAMEHUG, the first publicly confirmed AI-powered malware, and attributed its use to the Russian-backed APT28 group. LAMEHUG was distributed through phishing campaigns launched from compromised official accounts and targeted Ukrainian executive and defense authorities.

The malware is written in Python and is unique in that it integrates directly with Hugging Face’s Qwen 2.5-Coder-32B-Instruct model. Instead of relying on pre-coded commands, LAMEHUG uses the large language model to generate commands in real time based on plain-text prompts. CERT-UA observed the malware producing commands for reconnaissance, execution and data exfiltration, making it the first example of an AI system serving as the operational core of a malware framework. This marks a significant departure from earlier cases where AI was used to enhance supporting tasks such as phishing or scripting but not to drive attack execution itself.

Significance to the Space Industry:

The emergence of LAMEHUG represents a turning point in the cyberthreat landscape with direct implications for the space industry. For years, space organizations have faced persistent targeting by APT28 and other state-backed actors due to their close alignment with government, defense and critical infrastructure interests. By deploying AI-powered malware, adversaries can now adapt dynamically to highly specialized environments that are common across the space sector, including satellite ground stations, aerospace manufacturing facilities and operations networks that integrate both IT and OT components.

Traditional malware often struggles against bespoke systems or hardened environments because its commands must be prewritten and static. LAMEHUG changes this by introducing adaptability, enabling malware to generate commands on the fly in response to its environment. In a space industry context, this could allow adversaries to issue reconnaissance commands tailored to unique mission control systems, modify payload execution to bypass specialized defenses or exfiltrate sensitive technical data in ways optimized by AI-generated logic. This adaptability raises the likelihood that malware could penetrate supply chains, compromise engineering environments or persist within critical mission operations.

The broader convergence of nation-state experimentation with AI, exemplified by LAMEHUG, and the parallel rise of criminal AI tools such as GhostGPT underscores a widening spectrum of AI-enabled threats. Space organizations may soon face both highly adaptive espionage malware deployed by state adversaries and mass-produced AI-driven tools circulating in criminal ecosystems. For defenders, the lesson is clear: AI is no longer simply accelerating adversarial operations but is beginning to transform how attacks are executed. For the space industry, which sits at the intersection of government, defense and critical infrastructure, this evolution poses a direct and urgent risk.

---

Briefing 36: Targeting IT Services: How Social Engineering Campaigns Threaten the Space Sector

7/29/2025

Overview:

While the dialogue around security for the space sector often centers around sophisticated and destructive attacks, recent campaigns highlight a different but equally dangerous vector: the deliberate targeting of IT services and personnel through social engineering. This shift exploits the reality that many critical systems and identities depend on trusted IT help desks, external service providers and the global talent pipeline that supports development and operations.

Two ongoing campaigns illustrate how threat actors capitalize on this vector. The first is Scattered Spider, a financially motivated group that compromises organizations by impersonating employees and manipulating help desk processes. The second is the set of North Korean IT worker schemes, where actors linked to the Democratic People’s Republic of Korea infiltrate the global IT workforce by posing as legitimate remote developers while simultaneously deploying backdoors through the software supply chain.

Although neither campaign shows a deliberate, strategic focus on the space sector, both reveal techniques highly relevant to space organizations because of their heavy dependence on third-party IT services and highly specialized external talent.

Significance to the Space Sector:

Space companies increasingly rely on federated networks of contractors, managed security service providers (MSSPs) and cloud-based identity platforms such as single sign-on (SSO) and virtual desktop infrastructure (VDI). The technical complexity of these environments often outpaces security controls, while operational demands encourage flexibility and speed in hiring and onboarding specialized talent. This combination creates fertile ground for attackers who can bypass hardened perimeters simply by convincing someone in IT to grant access, or by being welcomed into the workforce itself.

The consequences of compromise can cascade quickly: Credentials reset by a manipulated help desk could enable lateral movement into ground control or mission planning systems. Similarly, a compromised developer could introduce malicious code into software supporting satellite command and control or data processing. In the space sector, where even small disruptions can have strategic and commercial impact, these threats demand serious attention.

North Korean IT Worker Threats:

North Korean IT worker campaigns remain active and have recently expanded in scope and scale, as documented by Google’s Threat Intelligence Group and recent IC3 advisories. These actors actively impersonate recruiters, engage in fake technical interviews and convince software developers to install test packages or clone repositories containing malware like BeaverTail and InvisibleFerret. Cisco Talos has recently documented a Python variant of GolangGhost RAT, showing the actors’ continued technical evolution.

In parallel, North Korean IT workers embed themselves as remote contractors within Western companies by submitting forged credentials and stolen identities. Once hired, they can access proprietary source code, deployment systems and internal chat tools, creating opportunities for direct financial gain and potential supply chain attacks. While these campaigns primarily aim to generate hard currency and support weapons development, they create pathways for broader espionage.

For space companies that depend on globally sourced software developers and contractors, these tactics are particularly concerning. Even without a declared strategic focus on space, the methods and objectives align closely with vulnerabilities present in complex space-sector IT ecosystems. These tactics were replicated in the “Dream Job” campaign that targeted the aerospace industry in November 2024.

Scattered Spider:

Scattered Spider, also tracked as Octo Tempest, demonstrates a different but equally effective approach to targeting IT services. The group actively collects employee data from leaks and open sources, then contacts help desks to impersonate legitimate staff and request password resets or multifactor authentication (MFA) resets. Using accurate personal information, they bypass security checks and gain access to cloud identity platforms like Microsoft Entra ID and SSO portals.

Once inside, they deploy ransomware such as ALPHV (BlackCat) and DragonForce, and sometimes use legitimate IT tools to deepen their foothold. Recent reporting shows that these operations are ongoing, and in July 2025, the group extended its targeting to aviation and transportation, including a high-profile attack on Qantas impacting roughly six million customers.

Originally, Scattered Spider targeted customer relationship management providers and IT service firms supporting business operations. Over time, they have broadened their reach to retail, hospitality, financial services and manufacturing. Though the group has not demonstrated a strategic focus on space, their pivot toward aviation and history of compromising IT providers underscores the possibility that high-profile space organizations relying on outsourced IT could be future targets.

The Convergence of Social Engineering and IT Targeting:

These campaigns converge on a single insight: By focusing on IT services and workforce pipelines, attackers can bypass even the most advanced technical defenses. Whether through direct impersonation of help desks or infiltration of the developer workforce, both approaches exploit organizational dependencies on trusted IT personnel and external partners.

For space organizations, the implications are clear. The combination of outsourced IT services, complex supply chains and reliance on highly specialized talent creates multiple opportunities for adversaries. Even when actors do not prioritize space as a strategic target, the shared infrastructure and service providers that connect industries mean that space organizations remain exposed.

Recent reports from leading security firms and government agencies confirm that these campaigns remain active and evolving. As space organizations modernize operations and deepen reliance on external IT and cloud services, defending against social engineering requires more than technical solutions. Strengthening verification processes at help desks, tightening contractor onboarding, monitoring for suspicious software dependencies and reinforcing employee awareness are all critical measures.

---

Briefing 35: Assessing How the Israel-Iran Conflict Impacts the Space Threat Landscape

7/1/2025

Overview:

Amid the ongoing Israel-Iran conflict, cyberspace has emerged as an increasingly active front, with notable spillover into critical infrastructure sectors. In the days following the initial escalation, both private-sector and government reporting confirmed a sharp increase in cyber activity—ranging from opportunistic hacktivist campaigns to more disruptive operations. The Information Technology-ISAC and the Food and Agriculture ISAC issued a joint alert warning of elevated cyber threats, underscoring the cross-sector impact of operations linked to the conflict.

Following a U.S. military strike on Iranian nuclear facilities, the Department of Homeland Security issued additional guidance, noting a rise in low-level cyber incidents attributed to pro-Iranian groups and warning that state-sponsored actors may exploit poorly secured network technologies to target U.S. infrastructure.

As in previous regional conflicts, space-related organizations, particularly those with ties to government and defense, have become key targets, absorbing both direct and indirect impacts from broader cyber and electronic warfare activity. This pattern mirrors past incidents, such as the aftermath of the October 7, 2023 attacks against Israel, when pro-Palestinian hacktivists targeted a variety of space infrastructure, from web servers to GNSS receivers.

On June 12, 2025, Israel launched a preemptive strike on Iranian military and nuclear sites, triggering a rapid escalation in hostilities. The following day, Iran retaliated with a wave of missile and drone attacks targeting Israeli military and intelligence infrastructure. As the kinetic conflict unfolded, a parallel front emerged in cyberspace—manifesting in increased cyberattacks and widespread GNSS interference affecting both regional and global operations.

Hacktivism and High-Noise Attacks:

Between June 12 and June 15, Radware reported a 700% surge in cyberattacks targeting Israeli infrastructure. These attacks included destructive operations, disinformation campaigns, distributed denial-of-service (DDoS) activity, and web defacements—many of which were low in sophistication but high in volume, consistent with common hacktivist tactics. Notably, analysis of these incidents reveals a recurring focus on the intersection of space and defense, with satellite operators, defense contractors, and national space agencies among the frequently named targets.

Between June 12 and June 26, at least 41 cyberattacks were claimed by various threat groups, reportedly affecting 36 space or space-adjacent organizations. While most of these targets were Israeli, several incidents extended to U.S. and U.K.-based companies and government agencies. Most of the claimed activity involved distributed denial-of-service (DDoS) attacks—tactics that, while not directly threatening to space system functionality, offer insight into the ideological motivations and target selection of pro-Iranian actors. There have been some indicators of potential escalation, such as unverified claims by the hacktivist group GhostSec, which alleged it had compromised 10 Israeli VSAT terminals. Despite the low confidence of the claims, they reflect how disruptive techniques may carry over to operationally relevant targets.

The volume and variety of hacktivist engagements also highlight a long-standing trend: politically motivated cyber actors often outlast the kinetic phases of conflict, continuing operations driven by ideology, affiliation, or retaliation. This is where a significant portion of the risk emerges: current cyber activity may serve as early-stage reconnaissance or testing, laying the groundwork for more impactful operations over time. As of June 22, CyberKnow reports 120 active hacktivist groups. Additional reporting indicates that cybercriminal groups and nation-state threats are also active.

GNSS Interference:

One of the most persistent and concerning developments in the wake of the June strikes has been the notable increase in GNSS interference across the Middle East. Multiple indicators—ranging from Notices to Airmen (NOTAMs) and Conflict Zone Information Bulletins (CZIBs) to commercial GNSS monitoring platforms—confirm a highly degraded signal environment since June 12.

These disruptions, though often short-lived (30 seconds to five minutes), have had tangible impacts on air and maritime navigation. Iranian Flight Information Regions (FIRs) have seen cessation of overflight traffic and remain high risk as the conflict continues. Maritime operations in the Strait of Hormuz, the Persian Gulf, the Arabian Sea, and the Red Sea report growing concerns over navigational reliability.

Historically, the region encompassing Israel, Iran, Iraq, and Lebanon has been a contested GNSS environment due to ongoing conflict and electronic warfare experimentation. But current levels of disruption reflect an unprecedented intensity—likely influenced by active jamming, spoofing, and broader electronic warfare activity aligned with military objectives.

For the space sector, this presents growing concern. Not only do satellite signals enable navigation, but the operational integrity of space systems—from launch telemetry to earth observation—relies on uninterrupted, precise GNSS functionality. Disruption at this scale and frequency adds volatility to an already complex threat landscape.

Conclusion:

As the Israel-Iran conflict evolves, space-sector stakeholders should prepare for sustained disruption—both in cyberspace and across the electromagnetic spectrum. Historical patterns suggest that politically driven hacktivist operations will persist beyond any temporary ceasefire or de-escalation. State-sponsored campaigns may adapt their tactics to circumvent increasing defenses or target international partners seen as aligned with either side.

GNSS interference, often underreported or normalized in high-tension areas, is likely to continue at elevated levels—posing persistent risks to aerospace operations, satellite communications, and precision-guided systems.

While it is difficult to predict the trajectory of the broader conflict, one trend is clear: the space sector is a legitimate target for geopolitically motivated threat sources. These developments underscore how the space sector continues to absorb spillover from geopolitical tensions as a function of its strategic proximity and symbolic value. Recent assessments from U.S. cybersecurity agencies reaffirm this trend, noting that “Iranian-affiliated cyber actors may target U.S. devices and networks for near-term cyber operations.” The advisory highlights the Defense Industrial Base (DIB) as a sector of elevated risk, with particular emphasis on edge devices and operational technology (OT) systems, both of which play critical roles in the development and operation of space infrastructure.

---

Briefing 34: Beyond the Breach: Assessing Downstream Risk from Interlock Ransomware

6/3/2025

Overview:

On May 13, 2025, the Interlock ransomware group made headlines with its latest target National Defense Corporation (NDC) and its subsidiary, AMTEC. Interlock is a relatively new ransomware outfit, first appearing in September 2024 and garnering attention due to their targeting of high-profile entities, which researchers refer to as “big-game hunting.” This recent attack demonstrates an evolution in scope for the group, and corroborating analysis from security firm Resecurity helps break down the far-reaching impacts incidents of this nature may have on the Defense Industrial Base (DIB) and broader stakeholders.

According to the group’s own claims on their leak site, Interlock exfiltrated a staggering 4.2 terabytes of data from NDC systems. This trove reportedly contains nearly 3 million files across 450,000 folders, including 1.6 GB housed in a folder labeled Customer Files. Among the exposed documents are references to top-tier defense contractors and space stakeholders—though the full scope and authenticity of the data remain under review.

The incident was initially disclosed by DataBreaches.net on March 31, 2025, and later confirmed in a regulatory filing by NDC’s parent company, National Presto Industries.

About Interlock Ransomware:

The Interlock group first emerged in September 2024 and quickly developed a reputation for targeting high-value sectors. Although it had not previously shown interest in space-related organizations, its targeting of NDC and AMTEC may signal a shift. Resecurity analysts believe this was a deliberate and targeted operation, potentially with nation-state backing—though conclusive attribution remains unconfirmed.

Interlock’s tradecraft, as detailed in an April 2024 Cisco Talos report, includes the use of remote access tools, commodity malware, and custom scripts to gain and maintain access. Notably, the group employs:

• PowerShell downloaders and batch scripts for staging and payload execution
• Legitimate IT tools such as AnyDesk and Remote Utilities for stealthy lateral movement
• AES-encrypted containers to conceal exfiltrated data
• Anti-analysis techniques that check for sandboxes or virtualized environments

These tactics align with MITRE ATT&CK techniques such as T1078 (Valid Accounts), T1059.001 (PowerShell), and T1497 (Virtualization/Sandbox Evasion), underscoring the sophistication of the group’s operations.

While many elements of Interlock’s behavior point to financially motivated cybercrime, its choice of target and the strategic value of the exfiltrated data suggest broader implications.

Significance to Space:

While ransomware attacks frequently target smaller organizations, breaches like the one involving NDC demonstrate how cybercriminal groups increasingly view the DIB as a lucrative and strategic target. Attacks on Original Equipment Manufacturers (OEMs), suppliers, and subcontractors not only disrupt operations but also expose sensitive data about customers, contracts, and interdependencies—data that could be weaponized in future cyber campaigns.

The cascading effects of such incidents can be severe: supply chain partners are put at risk, military program timelines can be disrupted, and sensitive business relationships are impacted. Even when classified data is not directly compromised, the exposure of contract documents, procurement records, and other non-public information offers adversaries a roadmap of the defense ecosystem. The exfiltrated data published by Interlock, and analyzed by Resecurity, contains data belonging to several key stakeholders in the global space industry.

Conclusion:

This incident underscores how ransomware attacks on suppliers, OEMs and distributors can cause cascading operational and reputational impacts to defense contractors and other customers within commercial and military space. Ransomware groups engaging in double extortion operations often view DIB entities as valuable, high-profile targets due to the potential for enumerating their network of suppliers for future attacks. Government and military-related datasets are often touted on dark web marketplaces as valuable resources for other hacking groups and cybercriminals.

Space ISAC continues to monitor developments and encourages all stakeholders to evaluate their exposure to third-party risk, adopt a zero-trust architecture, and share intelligence proactively. As ransomware operations like Interlock increasingly target manufacturers and affiliated entities, it's critical to recognize that even indirect compromises can expose sensitive, non-public information—potentially enabling threat actors to expand their scope, escalate extortion efforts, and conduct intelligence gathering against space and defense organizations that may have previously been beyond their immediate reach.

---

Briefing 33: Phishing Campaign Targets Defense and Aerospace Firms Linked to Ukraine Conflict

5/6/2025

Overview:

On 25 March 2025, DomainTools Investigations (DTI) uncovered a large-scale phishing campaign targeting defense and aerospace organizations tied to the ongoing Russia-Ukraine conflict. The campaign employed a dynamic phishing infrastructure comprising a small number of mail servers and spoofed domains crafted to mimic well-known defense contractors and government entities. The phishing infrastructure was used to host fraudulent webmail login pages designed to harvest employee credentials, likely as part of a broader cyber espionage effort.

While no specific threat actor has yet been publicly attributed to this activity, the tactics, techniques and procedures (TTPs) observed—including targeted spear-phishing, spoofed domains and webmail credential harvesting—align closely with the hallmarks of state-sponsored cyber espionage. In this case, geopolitical motivations related to the Russia-Ukraine war strongly suggest alignment with pro-Russian interests, either from Russian intelligence services or affiliated advanced persistent threat (APT) groups.

Infrastructure Details:

The phishing campaign was first detected through the spoofed domain kroboronprom[.]com, which impersonated Ukroboronprom, Ukraine’s largest state-owned defense conglomerate. As a cornerstone of Ukraine’s defense sector, Ukroboronprom represents a highly attractive target for intelligence collection. The attackers leveraged the domain to deploy a fake webmail login page—built using Mailu—to trick employees into entering their corporate credentials.

Subsequent investigation using DomainTools Iris revealed a broader infrastructure that included multiple spoofed domains registered via Spaceship and hosted through GHOSTnet VPS, a provider previously observed in cybercrime infrastructure. These domains were connected through a small set of mail servers that appeared purpose-built to support high-volume phishing operations. Notably, the infrastructure included domains like cryptshare.rheinemetall[.]com, masquerading as a secure file-sharing platform likely used to distribute malware or capture sensitive files under the guise of legitimate business processes.

In total, researchers linked 923 spoofed domains to the campaign, targeting at least 13 organizations across the defense, aerospace and IT sectors. Many of these entities are considered defense primes or critical suppliers within NATO countries, particularly the United Kingdom and broader European Union.

Significance to the Space Sector:

This campaign provides a clear illustration of the evolving cyber threat landscape facing satellite communications companies and broader space sector stakeholders. As modern warfare becomes increasingly reliant on space-based assets for communications, navigation, intelligence, surveillance and reconnaissance (ISR), these entities have become priority targets for both direct attacks and supply chain infiltration.

While the campaign’s focus appears to be on defense and aerospace firms supporting Ukraine’s war effort, many of the spoofed domains and targeted entities are deeply embedded in the global space sector. Satellite operators, ground segment providers and defense contractors often share overlapping infrastructure and partnerships, creating opportunities for lateral movement once initial access is gained. Phishing remains a primary vector for achieving this initial compromise, as attackers exploit trust in established communications channels—often by impersonating familiar vendors, partners or even internal contacts.

The use of dynamic, modular phishing infrastructure, as seen in this campaign, allows threat actors to pivot quickly between targets, register new domains rapidly and continuously refresh their tactics to evade detection. This agility poses unique challenges for satellite operators, which must secure a diverse and globally distributed network of suppliers, contractors and partners.

Threat Actor Tradecraft: Masquerading as Trusted Vendors:

A notable feature of this campaign—and a broader trend in modern cyber operations—is the use of impersonation tactics to breach supply chains. By spoofing domains of trusted vendors, secure file-sharing platforms and internal mail systems, attackers aim to bypass initial defenses and leverage the trust built between organizations and their suppliers.

The space sector is home to a wide array of international collaborators and subcontractors, many of which make up the supply chain and underscore the risk of vendor impersonation. A compromised vendor can serve as a foothold to escalate privileges, move laterally within larger networks and access sensitive satellite control systems, intellectual property or even mission-critical data.

Conclusion:

The phishing campaign uncovered by DomainTools is a significant example of how geopolitical tensions drive sophisticated cyber threat activity against high-value targets. As the space and satellite communications sectors continue to expand their critical role in defense and national security, they must anticipate and defend against increasingly targeted and adaptive threats. Strengthening defenses across both technical and human layers, maintaining vigilance over supply chain security and actively contributing to collective defense through intelligence sharing are essential steps in mitigating the risk of compromise and ensuring mission continuity.

---

Learn More About Space ISAC

Are you interested in learning more about threats to space systems? Visit our website at spaceisac.org to learn more about security for space and how to become a member.