A report published this week by the NASA Office of Inspector General reveals that in April 2018 hackers breached the agency’s network and stole approximately 500 MB of data related to Mars missions.
The point of entry was a Raspberry Pi device that was connected to the IT network of the NASA Jet Propulsion Laboratory (JPL) without authorization or going through the proper security review.
Hackers stole Mars missions data
According to a 49-page OIG report, the hackers used this point of entry to move deeper inside the JPL network by hacking a shared network gateway.
The hackers used this network gateway to pivot inside JPL’s infrastructure and gained access to the network that was storing information about NASA JPL-managed Mars missions, from where he exfiltrated information.
The OIG report said the hackers used “a compromised external user system” to access the JPL missions network.
“The attacker exfiltrated approximately 500 megabytes of data from 23 files, 2 of which contained International Traffic in Arms Regulations information related to the Mars Science Laboratory mission,” the NASA OIG said.
The Mars Science Laboratory is the JPL program that manages the Curiosity rover on Mars, among other projects.
Hackers also breached NASA’s satellite dish network
NASA’s JPL division primary role is to build and operate planetary robotic spacecraft such as the Curiosity rover, or the various satellites that orbit planets in the solar system.
In addition, the JPL also manages NASA’s Deep Space Network (DSN), a worldwide network of satellite dishes that are used to send and receive information from NASA spacecraft in active missions.
Investigators said that besides accessing the JPL’s mission network, the April 2018 intruder also accessed the JPL’s DSN IT network. Upon the discovery of the intrusion, several other NASA facilities disconnected from the JPL and DSN networks, fearing the attacker might pivot to their systems as well.
Hackers described as an APT
“Classified as an advanced persistent threat, the attack went undetected for nearly a year,” the NASA OIG said. “The investigation into this incident is ongoing.”
The report blamed the JPL’s failure to segment its internal network into smaller segments, a basic security practice that makes it harder for hackers to move inside compromised networks with relative ease.
The NASA OIG also blamed the JPL for failing to keep the Information Technology Security Database (ITSDB) up to date. The ITSDB is a database for the JPL IT staff, where system administrators are supposed to log every device connected to the JPL network.
The OIG found that the database inventory was incomplete and inaccurate. For example, the compromised Raspberry Pi board that served as a point of entry had not been entered in the ITSDB inventory.
In addition, investigators also found that the JPL IT staff was lagging behind when it came to fixing any security-related issues.
“We also found that security problem log tickets, created in the ITSDB when a potential or actual IT system security vulnerability is identified, were not resolved for extended periods of time-sometimes longer than 180 days,” the report said.
Was APT10 behind the hack?
In December 2018, the US Department of Justice charged two Chinese nationals for hacking cloud providers, NASA, and the US Navy. The DOJ said the two hackers were part of one of the Chinese government’s elite hacking units known as APT10.
The two were charged for hacking the NASA Goddard Space Center and the Jet Propulsion Laboratory. It is unclear if these are the “advanced persistent threat” which hacked the JPL in April 2018 because the DOJ indictment did not provide a date for APT10’s JPL intrusion.
Also in December 2018, NASA announced another breach. This was a separate incident from the April 2018 hack. This second breach was discovered in October 2018, and the intruder(s) stole only NASA employee-related information.