NASA Data Breach Demonstrates Need for Proper Network Governance

A cyber-attack on NASA's Jet Propulsion Laboratory was so severe that it prompted parts of the Agency to disconnect from the Lab's networks, a report revealed this month, and it all began because of a rogue Raspberry Pi.

The Jet Propulsion Laboratory (JPL) is a NASA research facility that conducts robotic space missions. It's the organization that builds probes and sends them to Mars.

Discovered in 2018, the attackers had been lurking in JPL's infrastructure for ten months. According to the report from NASA's Inspector General, they broke into its network through the Raspberry Pi, which is a tiny computer marketed to consumers and enthusiasts for simple Linux projects.

Using an external user account, the attackers gained access to two of three primary networks and stole 23 files containing 500Mb of data. Two of these files included International Traffic in Arms Regulations information related to the Mars Science Laboratory mission.

An incomplete inventory of the devices connected to the JPL network allowed the Pi onto the network unnoticed. Although the Lab maintains a database for hardware and applications, it wasn't regularly updated. "The April 2018 cyberattack exploited this particular weakness when the hacker accessed the JPL network by targeting a Raspberry Pi computer that was not authorized to be attached to the JPL network," the report said.

Poor network segmentation in the Lab's network gateway then enabled the attacker to get to its mission network. Their ability to move laterally through JPL's infrastructure could have enabled them to gain access to live mission communications and send malicious signals to human space flight missions, said the report. For this reason, staff at the Johnson Space Center (which handles the International Space Station mission) cut communications with the gateway for over six months. As late as March this year, the Center still hadn't re-established full communication between the two networks.

Network admins failed to deal with log tickets highlighting potential security vulnerabilities, sometimes for longer than 180 days. The software vulnerability that the attackers exploited was first identified in 2017 with a vulnerability score of ten. JPL didn't fully eliminate the vulnerability until this March.

Inadequate incident response procedures made it difficult to ensure that the JPL had properly contained the attack, according to the report. NASA asked the Department of Homeland Security (DHS) to scan the Lab's network and ensure that the attack had been properly cleared up, but JPL's unfamiliarity with DHS procedures and concerns over access to its corporate network introduced a four-month delay.

The report shows that a string of security shortcoming combined allowed the attackers to steal the files they needed. It also demonstrates clearly how a single rogue device can provide the perfect gateway for an attack. Admins should use it as a prompt to check their process for documenting new hardware on their networks, and to audit their infrastructure for unauthorized devices.

What’s Hot on Infosecurity Magazine?