The infiltration was only spotted and stopped after the hackers roamed the network undetected for almost a year.
The United States’ National Aeronautics and Space Administration, better known as NASA, suffered a security incident recently that saw hackers make off with sensitive data relating to the agency’s Mars missions, including details about the Curiosity rover.
The breach, which affected NASA’s Jet Propulsion Laboratory (JPL), went undetected for 10 months, reads a report by the NASA Office of the Inspector General (OIG).
“In April 2018 JPL discovered an account belonging to an external user had been compromised and used to steal approximately 500 megabytes of data from one of its major mission systems,” reads the report, attributing the intrusion to an Advanced Persistent Threat (APT) group.
But just as notable is how the breach occurred. It turns out that the hackers exploited a Raspberry Pi, which was attached to the JPL network without authorization, as a launch pad for getting inside and moving laterally across the network.
There’s no word on who was behind the intrusion or, indeed, who connected the diminutive, single-board computer, which can retail for as little as US$25, to the network [As it happens, today saw the unveiling of the device’s fourth incarnation].
What is abundantly clear, however, is that OIG wasn’t impressed with the space agency’s cybersecurity posture.
Dropping the ball
“Over the past 10 years, JPL has experienced several notable cybersecurity incidents that have compromised major segments of its IT network,” reads the scathing report.
And it doesn’t stop at that, going on to list a bit of a litany of shortcomings in NASA’s network security controlsthat put its systems and data at risk. “Multiple IT security control weaknesses reduce JPL’s ability to prevent, detect, and mitigate attacks targeting its systems and networks, thereby exposing NASA systems and data to exploitation by cybercriminals,” according to the report.
This was also laid bare in the Raspberry Pi incident, which was partly enabled by “reduced visibility into devices connected to its [NASA’s] networks”. This effectively means that new devices added to the network weren’t always subject to a vetting process by a security official and the agency didn’t know the gadget was present on the network.
In addition, the audit noted a lack of network segmentation, which the hackers ultimately exploited to move laterally between various systems connected to a network gateway. The gateway gives external users and its partners, including foreign space agencies, contractors, and educational institutions, remote access to a shared environment.
Moreover, the audit found that security log tickets, which include applying a software patch or updating a system’s configuration, sometimes sat unresolved for more than six months. That’s despite the fact that system administrators had a maximum of 30 days to take corrective action.
Such laggard progress helped oil the wheels of the Raspberry Pi intrusion, as “one of the four compromised systems had not been patched for the vulnerability in a timely manner”.
Also affected were systems involved in NASA’s Deep Space Network (DSN). This ultimately prompted security teams from the Johnson Space Center, which manages the International Space Station, to disconnect from the gateway due to fears that “cyberattackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems”.
The report also noted that JPL had not implemented a threat hunting program to “aggressively pursue abnormal activity on its systems for signs of compromise”, relying instead on “an ad hoc process to search for intruders”.
The report outlined 10 recommendations, with NASA agreeing too all but one – to put in place a formal threat hunting process.
written by Tomas Foltyn, ESET We Live Security