European Space Agency hit again as cybercriminals claim 200 GB data up for sale

https://news.ycombinator.com/rss Hits: 3
Summary

The European Space Agency has suffered yet another security incident and, in keeping with past practice, says the impact is limited. Meanwhile, miscreants boast that they've made off with a trove of data, including what they claim are confidential documents, credentials, and source code.

While the ESA said it's aware of a security incident, it added in an X post on Tuesday that the breach may have impacted only "a very small number of external servers" used to support unclassified engineering and scientific collaboration. "We have initiated a forensic security analysis—currently in progress—and implemented measures to secure any potentially affected devices," the ESA added. "All relevant stakeholders have been informed, and we will provide further updates as soon as additional information becomes available."

That's in contrast to what one cybercriminal posted in their offer of over 200 GB of ESA data for sale on the still-not-dead BreachForums the day after Christmas, according to screenshots grabbed from the seemingly impossible-to-kill cybercrime forum. According to the alleged attacker, they gained access to ESA-linked external servers on December 18, and were connected "for about a week," during which they claim to have stolen source code files, CI/CD pipelines, API and access tokens, confidential documents, configuration files, Terraform files, SQL files, hardcoded credentials, and a dump of "all their private Bitbucket repositories as well."

We reached out to the ESA to get more information about the status of its investigation, and more specifics on what sort of servers were breached, but didn't hear back, with an automated response informing us that the Agency's offices are closed for the New Year holiday.

As noted above, this isn't the first time the ESA has experienced a security incident, nor the first time it has said the affected systems were external to its core networks.
The Space Agency's online store was hit by attackers last year shortly before the...

First seen: 2026-01-01 17:11

Last seen: 2026-01-01 19:12