Thought leadership. threat analysis, news and alerts.
NASA’s Jet Propulsion Laboratory (JPL) Hacked for 10 Months
The Office of Inspector General of the National Aeronautics and Space Administration (NASA) recently revealed that the Jet Propulsion Laboratory (JPL), the center of NASA’s interplanetary robotic research efforts, was hacked for 10 months.
According to NASA's Office of Inspector General, JPL, being the center of NASA’s interplanetary robotic research efforts, maintains wide public internet-facing IT systems that support missions and networks that control spacecraft, collect and process scientific data and perform critical operational functions. Despite efforts to protect these public internet-facing IT systems, NASA's Office of Inspector General said that critical vulnerabilities remained, resulting in a cyber-attack on JPL’s network which started in April 2018.
This April 2018 attack, NASA's Office of Inspector General said, remained undetected for 10 months resulting in the exfiltration of approximately 500 megabytes of data from 23 files, 2 of which contained “International Traffic in Arms Regulations information related to the Mars Science Laboratory mission”.
How JPL’s Network Was Hacked and Lessons Learned
The April 2018 attack on JPL’s network, NASA's Office of Inspector General found, started when an unauthorized Raspberry Pi connected to its network. Raspberry Pi is a credit card-sized computer that’s capable of doing everything a desktop computer can do, from browsing the internet to playing games. The audit report showed that the malicious Raspberry Pi found its way into JPL’s network through the following series of events:
1. Incomplete and Inaccurate System Component Inventory
The report of NASA's Office of Inspector General showed that the malicious Raspberry Pi found its way into JPL’s network as JPL had incomplete and inaccurate information about the types and location of NASA system components and assets connected to its network.
One of the cybersecurity best practices, in order to prevent authorized intrusions into a network, is by having a complete and accurate inventory of all devices connected to this network. This inventory is essential in effectively monitoring, reporting and responding to cybersecurity incidents. Benefits of proper inventory of assets on the network include vetting and clearing by security officials of assets prior to connecting to the network, timely patches and tracking of valuable assets and data stored on these assets.
2. Inadequate Segmentation of Network Environment Shared with External Partners
Due to the nature of JPL’s work, its partners, including foreign space agencies, contractors and educational institutions are allowed remote access to its network for specific missions and data. Network segmentation creates barriers that attackers can’t cross as these barriers eliminate connections to other systems.
According to NASA's Office of Inspector General, the April 2018 cyber-attack exploited the lack of segmentation of JPL’s network, enabling the attacker to move between various systems connected to the network. In May 2018, NASA's Office of Inspector General said, IT security officials at the Johnson Space Center (Johnson), which handles programs such as the Orion Multi-Purpose Crew Vehicle and International Space Station, decided to temporarily disconnect from the JPL’s network due to security concerns. “Johnson officials were concerned the cyber-attackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems,” NASA's Office of Inspector General said.
3. Untimely Patch Application
Patches, also known as security updates, fix known security vulnerabilities. Attackers often exploit known security vulnerabilities with available patches, believing that certain population delays the application of these patches for days, and some even for months or years.
According to NASA's Office of Inspector General, JPL didn’t apply the patch that fixes a known software vulnerability first identified in 2017, with a critical score of 10. A security vulnerability with a critical score of 10 means that this vulnerability is at the top of the vulnerability chain. This 2017 security vulnerability, the NASA's Office of Inspector General said, was only patched in March 2019 and during the April 2018 cyber-attack, one of the JPL’s four compromised systems hadn’t been patched for the said vulnerability in a timely manner, resulting in the exfiltration of 23 files containing approximately 500 megabytes of data.
4. Delayed Response to the Attack
After detection of a cyber-attack, the next logical steps are containment and eradication. Containment strategies include performing a system shutdown, disconnecting a system from the network and identifying all attack paths. Eradication strategies, meanwhile, include assessment and analysis of exploited vulnerabilities, removal of malware and affected files, and application of security patches. “Most of these steps [containment and eradication] require sophisticated forensic expertise and tools that when not available in-house should be in place through service agreements with specialized providers,” NASA's Office of Inspector General said.
Although JPL had disabled the account targeted by the adversary and closed off the known path of attack, NASA's Office of Inspector General said the NASA Security Operations Center requested an independent assessment from the Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) to determine the extent of the attack and totally remove the adversary from JPL’s network. NASA's Office of Inspector General added that as JPL was unfamiliar with DHS’s standard engagement procedures, DHS was only able to perform scans of the entire JPL’s network 4 months after the cyber-attack was detected.
“Once DHS performed the scans, it determined there were no other attack paths and deemed the network clean; however, the delay in executing the eradication steps left NASA data and systems vulnerable to potential additional harm,” NASA's Office of Inspector General noted.
Your business may suffer the same fate if left unprotected. More importantly, to truly understand the state of your cyber defences, you must perform an IT security audit.
Call us todayand find out if your business is well protected.
Steve E. Driz, I.S.P., ITCP