NASA Office of Inspector General revealed that the Agency’s network was hacked in April 2018, intruders exfiltrated roughly 500 MB of data related to Mars missions.

According to a report published by the NASA Office of Inspector General, hackers breached the Agency’s network in April 2018 and remained undetected for nearly a year. The report says that hackers stole roughly 500 MB of data related to Mars missions from NASA’s Jet Propulsion Laboratory in Southern California.

The attackers exploited a Raspberry Pi device that was connected to the IT network of the NASA Jet Propulsion Laboratory (JPL) without authorization or implementing proper security measures.

“The April 2018 cyberattack exploited this particular weakness when the hacker accessed the JPL network by targeting a Raspberry Pi computer that was not authorized to be attached to the JPL network.” reads the report. “The device should not have been permitted on the JPL network without the JPL OCIO’s review and approval.”

The report states that IT staff failed to implement segmentation of Network Environment Shared with External Partners through a JPL network gateway. The gateway was used to allow external users and its partners, including foreign space agencies, contractors, and educational institutions, to remotely access to a shared environment for specific missions and data.

“In this case the attacker, using an external user account, exploited weaknesses in JPL’s system of security controls to move undetected within the JPL network for approximately 10 months.” the NASA OIG said.

“Prior to detection and containment of the incident, the attacker exfiltrated approximately 500 megabytes of data from 23 files, 2 of which contained International Traffic in Arms Regulations information related to the Mars Science Laboratory mission.”

The NASA’s JPL division operates planetary robotic spacecraft, including the popular the Curiosity rover, it also manages various satellites that orbit planets in the solar system.

The hack has also affected the NASA’s Deep Space Network (DSN) managed by the JPL, it is a worldwide network of satellite dishes that allows to send and receive information from NASA spacecrafts in active missions.

After the discovery of the intrusion, other NASA divisions disconnected from the JPL and DSN networks to avoid further lateral movements of the attackers.

According to the investigators, the attack was carried out by an APT group. While an investigation is still ongoing, the Agency announced to have installed additional monitoring agents on its firewalls.

“Classified as an advanced persistent threat, the attack went undetected for nearly a year. The investigation into this incident is ongoing. In response to the attack, JPL” continues the report. “The investigation into this incident is ongoing.”

As reported in the document, the entry point was an unmanaged Raspberry device, for this reason, the NASA OIG also blamed the JPL for failing to maintain up to date the Information Technology Security Database (ITSDB).

The Technology Security Database (ITSDB) is a web-based application used to track and manage physical assets and applications on its network.

The archive was incomplete and inaccurate, the Raspberry Pi used to penetrate the NASA network had not been listed in the ITSDB.

Investigators also found problems in patch management procedures.

“We also found that security problem log tickets, created in the ITSDB when a potential or actual IT system security vulnerability is identified, were not resolved for extended periods of time-sometimes longer than 180 days,” the report added.

Unfortunately, this was not the first time hackers broke into JPL, it has already happened back in 2009, 2011, 2014, 2016 and 2017.

In December the U.S. National Aeronautics and Space Administration (NASA) notifies employees of a data breach that exposed social security numbers and other personal information.

According to the data breach notification, hackers have breached at least one of the agency’s servers, the security breach impacted both past and present employees.

Pierluigi Paganini