Hackers Stole Sensitive Data From JPL's IT Network Using $25 Computer

Published: Monday, June 24, 2019 | 5:45 AM

Hackers using an unauthorized Raspberry Pi computer connected to the IT network at Jet Propulsion Laboratory were able to steal about 500 megabytes of NASA data related to Mars missions in April 2018, a report by the NASA Office of Inspector General last week said.

The intrusion, only one of several notable external attacks on the JPL network that were revealed during the recent audit, remained undetected for almost a year, according to the report.

“In this case the attacker, using an external user account, exploited weaknesses in JPL’s system of security controls to move undetected within the JPL network for approximately 10 months,” the NASA OIG audit report released on June 18 said. “Prior to detection and containment of the incident, the attacker exfiltrated approximately 500 megabytes of data from 23 files, 2 of which contained International Traffic in Arms Regulations information related to the Mars Science Laboratory mission.”

The audit also revealed “multiple IT security control weaknesses” at JPL that reduced its ability to prevent, detect, and mitigate attacks targeting its systems and networks, and exposed NASA systems and data to exploitation by cybercriminals. These weaknesses became increasingly apparent during an examination of several other incidents recorded over the past 10 years within JPL’s IT network.

The other cybersecurity breaches noted in the report include a January 2009 attack in which a cyberattacker successfully penetrated a JPL computer system, stole about 22 gigabytes of program data, and illegally transferred the information to an IP address in China; the stolen data included information protected under International Traffic in Arms Regulations and Export Administration Regulations.

In 2011, JPL discovered another attack involving Chinese-based IP addresses in which cyber intruders gained full access to 18 servers supporting key JPL missions, including the Deep Space Network (DSN) and the Advanced Spaceborne Thermal Emission and Reflection Radiometer mission, and to sensitive user accounts. The intruders were able to copy, modify, or delete sensitive files; add, modify, or delete user accounts for mission-critical JPL systems; upload hacking tools to steal user credentials and compromise other NASA systems; and modify system logs to conceal their actions, the audit report said.

In this incident, the intruders “resided” within the system for two weeks before being detected; analysis of the intrusion detection logs revealed 87 gigabytes of data had been uploaded to the attackers’ IP addresses.

In 2014, JPL discovered a cyber intruder was able to upload malware to a server supporting JPL astronomical missions and research after a web-based program installed by the system’s administrator allowed the public to upload and execute files on the server. Investigation of the compromise revealed the administrator failed to update the software in a timely manner, providing the attacker an opportunity for unauthorized access via a JPL computer.

In 2016, a website misconfiguration resulted in an anonymous user gaining elevated privileges that enabled that individual to execute code on a server used for software architecture development. The use of Secure Sockets Layer, which keeps all data transmitted between the web server and browser encrypted, prevented JPL’s network security monitoring tools from identifying the actions taken by the bad actor prior to detection.

In March 2017, a JPL server that runs source code used in ground operations for scientific spacecraft was compromised by foreign hackers who exploited a flaw in the software, hardware, or firmware that was previously unknown to JPL. As a result, the intruders remotely executed code on the server without authentication. After gaining access to the server, the hackers were able to upload, manipulate, and execute various files and commands unrelated to controlling spacecraft.

In all of these instances, the report said, JPL responded by implementing improvements to its network user policies, which the OIG characterized as temporary measures that needed to be replaced by more dependable and stronger upgrades.

“We also found that while cybersecurity monitoring tools employed by JPL defend against routine intrusions and misuse of computer assets, JPL had not implemented a threat hunting program recommended by IT security experts to aggressively pursue abnormal activity on its systems for signs of compromise, and instead rely on an ad hoc process to search for intruders,” the report said. “In addition, JPL had not provided role-based security training or funded IT security certifications for its system administrators.”

The audit report included a long list of recommendations addressed to the director of the NASA Management Office to improve JPL network security controls.

The recommendations are expected to be forwarded to the Chief Information Officer (CIO) at JPL, who has direct management responsibility over the Lab’s Information Technology Directorate, whose end users are in engineering, interplanetary network and finance and business operations. The CIO, who is supported by a dedicated IT staff, is also responsible for establishing the IT architecture, planning and strategy for JPL.

The recommendations included a periodic review and update of JPL’s Information Technology Security Database (ITSDB), a review and update of JPL’s Interconnection Security Agreements (ISA) with all partners – including private, foreign organizations – connected to the gateway, implementation of a planned role-based training program for all JPL program administrators by July 2019, and establishing a formal, documented threat-hunting process.
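A defender-side check that ties the unauthorized Raspberry Pi finding to the ITSDB review recommendation: reconcile observed DHCP leases against an authorized-asset inventory and flag anything unknown. This is an added example, not code from the OIG report or from JPL; the inventory, lease lines and the abbreviated OUI table are constructed sample data, and the lease layout assumes dnsmasq's leases file (epoch, MAC, IP, hostname, client-id).

```python
from dataclasses import dataclass

# Raspberry Pi Foundation OUIs (first three MAC octets). Abbreviated and
# illustrative; a real check would use the full IEEE registry.
PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Constructed authorized-asset inventory keyed by MAC (stand-in for an
# ITSDB-style asset database).
INVENTORY = {
    "00:1a:2b:3c:4d:5e": "eng-workstation-01",
    "00:1a:2b:3c:4d:5f": "build-server-02",
}

# Constructed dnsmasq-style lease lines: epoch MAC IP hostname client-id
LEASES = """\
1523232000 00:1a:2b:3c:4d:5e 10.0.4.21 eng-workstation-01 01:00:1a:2b:3c:4d:5e
1523232100 b8:27:eb:11:22:33 10.0.4.77 raspberrypi 01:b8:27:eb:11:22:33
1523232200 00:1a:2b:3c:4d:5f 10.0.4.22 build-server-02 01:00:1a:2b:3c:4d:5f
1523232300 3c:5a:b4:aa:bb:cc 10.0.4.90 * *
"""

@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str

def parse_leases(text):
    """Yield (mac, ip, hostname) from lease lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield parts[1].lower(), parts[2], parts[3]

def find_unauthorized(lease_text, inventory, pi_ouis=PI_OUIS):
    """Return leases whose MAC is absent from the inventory, noting Pi OUIs."""
    findings = []
    for mac, ip, host in parse_leases(lease_text):
        if mac in inventory:
            continue
        reason = "not in asset inventory"
        if mac[:8] in pi_ouis:
            reason += "; Raspberry Pi OUI"
        findings.append(Finding(mac, ip, host, reason))
    return findings

if __name__ == "__main__":
    for f in find_unauthorized(LEASES, INVENTORY):
        print(f"ALERT {f.ip} {f.mac} ({f.hostname}): {f.reason}")
```

Run against the constructed leases it reports two devices, the Raspberry Pi and one further unknown host, while the two inventoried machines are silent; in practice the same reconciliation runs on a schedule against the live lease or ARP table.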

“We also recommended the NASA CIO (Chief Information Officer) include requirements in the pending IT Transition Plan that provide the NASA SOC (Security Operations Center) with sufficient control and visibility into JPL network security practices,” the audit report said.

Despite the significant concerns about the weaknesses in JPL’s cybersecurity processes, NASA signed a new contract with the California Institute of Technology (Caltech) in October 2018 to manage JPL for at least the next five years, leaving important IT security requirements unresolved, the audit noted. Both sides simply agreed to continue negotiating these issues, the report said.

It also mentioned that as of March 2019, NASA has not approved a set of plans that JPL submitted to implement the new IT security policies and requirements included in the October 2018 contract.

In addition to its nine geographically dispersed Centers,

NASA’s contract with Caltech stipulates that the private nonprofit research university operate JPL as a federally funded research and development center. JPL manages or supports multiple deep space missions for NASA such as the Mars Science Laboratory and Juno.

Since 1959, Caltech has been managing JPL’s research and development activities, including security controls over its data and systems. However, NASA retains responsibility for ensuring its data and systems at JPL and the other Centers are secure from hackers or other forms of unauthorized access.
