The European Space Agency disclosed multiple cyber intrusions that resulted in roughly 700 GB of files appearing on dark web forums, including proprietary code, access tokens and project documentation. ESA says it is cooperating with authorities and has opened a criminal investigation. Security researchers warn credentials from ESA and other space agencies commonly appear for sale online and that infostealer malware and vendor or unpatched-system weaknesses likely play a role. While the leaked material does not yet appear to pose an immediate operational threat, it could be combined with future breaches to reveal more sensitive information.
ESA Hit by Major Data Leaks — Hundreds of GB of Files and Credentials Posted on Dark Web
The European Space Agency recently suffered a large cyberattack. . | Credit: ESA
The European Space Agency (ESA) is responding to a series of cyber intrusions that exposed hundreds of gigabytes of potentially sensitive material on dark web forums. The leaks included proprietary software, authorization credentials, access tokens and project documentation, and have prompted a criminal investigation.
Timeline of the Breaches
On Boxing Day (Dec. 26), a hacker using the handle 888 published more than 200 GB of ESA data on a dark web forum. About a week later, the technology news site The Register reported that a cybercrime group calling itself Scattered Lapsus$ Hunters claimed a further 500 GB of data, alleging the underlying vulnerability remained unpatched. That second cache was reported to include operational procedures, spacecraft and mission details, subsystem documentation and proprietary contractor material linked to partners such as SpaceX, Airbus Group and Thales Alenia Space.
ESA Response
ESA has said it is investigating the incidents and is cooperating with law enforcement. In an online briefing on Jan. 8, Eric Morel de Westgaver, ESA's director of European, legal and international matters, said the agency is working with authorities that will manage communications as criminal proceedings develop.
“ESA is fully cooperating with the authorities,” Eric Morel de Westgaver said. “These authorities will manage the communication regarding the case, as those authorities will be in charge of the criminal proceedings.”
What Researchers Say
Clémence Poirier, a space-cybersecurity researcher at the Center for Security Studies (ETH Zurich), told Space.com that attacks on space agencies are increasingly common and often reveal staff credentials for sale on dark web marketplaces. She said threat actors frequently use infostealer malware to harvest data from browsers, including saved credentials, session cookies, multi-factor authentication artifacts and stored payment details.
Infostealers are a stealthy class of malware that can evade many traditional antivirus tools. According to SpyCloud, such infections commonly spread through malicious ads on popular websites or compromised links, for example in YouTube video descriptions.
An additional anonymous source familiar with space-sector cyber risk noted that NASA and other space organizations are frequent targets, with vulnerabilities often disclosed via crowdsourced security platforms such as BugCrowd.
Risk And Implications
Although experts say the currently published files do not appear to contain immediately catastrophic technical details, Poirier warned the material could be combined with data from future breaches to reveal strategic information or enable targeted follow-on attacks against space systems. She also cautioned that weaknesses might exist among ESA's third-party vendors or within unpatched agency systems.
As cyberattacks against the space sector rise, agencies and contractors will need stronger cyber hygiene, improved vendor security oversight and rapid patching to limit future exposure.
Note: Reporting on the quantities and contents of the leaks is based on public disclosures and reporting by The Register and statements by security researchers; investigations by ESA and law enforcement are ongoing.
Help us improve.
