NASA’s Jet Propulsion Laboratory was compromised for a full year after an unauthorized Raspberry Pi was connected to its unsegmented network — resulting in 500 MB of ITAR-regulated data stolen, including access to NASA’s deep space satellite network; a new LooCipher ransomware spread via spam; and Steam gamers were targeted by a phishing chain that redirected through multiple URLs to a fake game site harvesting Steam credentials.
Stories Covered
NASA JPL Hacked for a Year via Rogue Raspberry Pi: 500 MB of ITAR Data Stolen, APT10 Suspected
The NASA Office of Inspector General released a report documenting a cyberattack against NASA’s Jet Propulsion Laboratory that lasted approximately one year, beginning in 2018. The initial entry point was an unauthorized Raspberry Pi — a small single-board computer — that had been connected to JPL’s internal network without authorization. Once on the network, the attackers were able to move laterally throughout JPL’s systems without significant resistance because JPL’s internal network was not properly segmented. Network segmentation — dividing a network into smaller subnetworks using switches, routers, or firewall rules so that devices in one segment cannot freely communicate with devices in another — is a fundamental security control precisely because it limits the blast radius of an initial compromise. Without it, a single compromised device provides pathways to everything else on the network. The attackers ultimately exfiltrated approximately 500 MB of data, some of which was subject to ITAR — the International Traffic in Arms Regulations — which governs the export of defense and military technology. The stolen data was associated with the Mars Science Laboratory, which operates the Curiosity Rover. Investigators also found that the attackers had accessed JPL’s Deep Space Network, which communicates with spacecraft and satellites. Attribution pointed to APT10, a Chinese state-sponsored hacking group, consistent with a Department of Justice indictment of two Chinese nationals charged in 2018 for hacking cloud providers, the U.S. Navy, and NASA.
WeTransfer Security Incident: Files Delivered to Wrong Recipients for Two Days
WeTransfer, a file-sharing service used to send large files, disclosed a security incident that occurred June 16–17, 2019. During that window, files transferred to intended recipients were also delivered to unintended third parties. WeTransfer notified affected users via email but did not disclose the technical cause of the misdistribution. The company responded by disabling transfer links associated with affected accounts, logging out impacted accounts, and resetting passwords — a response more consistent with a security breach than a simple routing bug. A pure code bug causing mis-delivery would typically be addressed by fixing the code and invalidating the links; the additional step of logging out accounts and forcing password resets suggests WeTransfer may have had reason to believe account credentials were exposed beyond the mis-delivery itself. The company did not publicly confirm or deny whether the incident involved a broader breach.
LooCipher Ransomware: Macro-Based Word Document Delivers Bitcoin-Demanding Countdown Timer
A new ransomware family called LooCipher (also spelled LoCipher) began spreading through spam campaigns using a malicious Word document named info_bsv_2019.doc. When a victim opens the document, Word prompts the user to enable macros. If macros are enabled, the macro connects to a Tor server and downloads a malicious executable that is renamed loocipher.exe and automatically executed. The ransomware then follows a standard encryption pattern: it creates a configuration file on the Windows desktop containing a unique victim ID, payment deadline, and Bitcoin wallet address; encrypts files, appending the .lcphr extension; creates a ransom note as a text file explaining payment instructions; changes the desktop wallpaper to display the ransom message; and opens a countdown timer window showing the payment deadline with a verification button. The infection vector is the same one used by most macro-based malware: the user must open an unsolicited document and explicitly choose to enable macros. Defenses are consistent: do not enable macros in documents received via email, maintain offline backups so recovery does not require paying the ransom, and treat any spam-delivered document attachment as potentially malicious regardless of how plausible the sender appears.
Steam Phishing Campaign: Compromised Accounts Send Fake Free Game Links to Harvest Credentials
Malwarebytes Labs documented a phishing campaign targeting Steam gamers. Compromised Steam accounts were used to send messages to the victim’s friends list claiming to offer a free game as a gift — a social engineering vector that works because the message appears to come from a known contact. The phishing chain routed victims through a Twitter short link (t.co), which redirected to steamredirect.fun, which then redirected to the actual phishing page. The phishing site presented itself as a gaming prize site where users could “win” games by pressing a play button. After appearing to win, the site displayed a countdown timer of 30 minutes and prompted users to log into their Steam account to claim the prize. The fake Steam login page displayed a third-party OAuth-style request under the name “Gift for Keys” — but while legitimate Steam third-party logins route through steamcommunity.com, the phishing page’s login URL was blank rather than the legitimate Steam domain, a clear sign of credential harvesting. Any credentials entered on that page went directly to the attacker. For Steam users: verify the URL of any login page before entering credentials, be skeptical of any “free game” link even from accounts you know (since accounts can be compromised), and do not click shortened URLs in gaming messages without checking the destination first.
Leave a Reply