Cyber Incident Victim: NOIRLab

Date: Aug 2023

Location: United States of America

Summary

A cybersecurity incident at NSF’s NOIRLab disrupted astronomical operations, forcing the suspension of observations at Gemini North and South telescopes and impacting smaller telescopes in Chile. The organization isolated affected systems by shutting them down, disabling remote access and temporarily taking the Gemini website and proposal tools offline. Some telescopes resumed limited data collection via on-site staff workarounds, while recovery efforts prioritized restoring functionality and investigating the incident with external cybersecurity experts. The disruption also delayed proposal submissions and affected tenant facilities, though certain observatories remained operational. Normal operations gradually resumed over subsequent weeks, with full remote access restoration ongoing. No damage to physical infrastructure occurred due to prompt containment actions.

Description

On the morning of August 1, 2023, NSF’s NOIRLab detected a cybersecurity incident in its computer systems, prompting immediate protective measures. The organization’s security team swiftly isolated the Gemini Observatory systems by shutting down both the Gemini North telescope in Hawai‘i and the Gemini South telescope in Chile, which was already in a planned engineering shutdown. This action suspended all astronomical observations at these facilities and took the Gemini.edu website and proposal tools offline, though NOIRLab’s main website remained operational. No damage to observatory equipment occurred due to these rapid containment efforts. As a precaution, NOIRLab later disconnected the Mid-Scale Observatories (MSO) network on Cerro Tololo in Chile and at the SOAR Telescope on August 9, halting remote observations at the Víctor M. Blanco 4-meter Telescope and SOAR. Tenant facilities operating remotely on Cerro Tololo and Cerro Pachón were also affected, requiring on-site staff to implement manual safety protocols. Service-mode observations by local personnel served as a temporary workaround for impacted telescopes, with affected astronomers notified individually.

By August 24, NOIRLab confirmed the incident had forced the continued suspension of Gemini North, Gemini South, and several smaller telescopes at Cerro Tololo, while Kitt Peak telescopes in Arizona remained unaffected. Recovery efforts involved collaboration between NOIRLab’s IT team, telescope operations staff, and external cybersecurity specialists, with gradual progress noted in restoring systems. The Gemini.edu website remained offline during this phase, disrupting administrative functions including proposal submissions. NOIRLab anticipated a potential one-week delay for the Gemini Call for Proposals, originally scheduled to open August 31 for the February 2024 observing semester. By September 5, the Gemini.edu site was restored alongside updates on proposal timelines, and by September 29, both Gemini telescopes resumed scientific observations, though full remote access for external astronomers remained pending. The incident caused operational disruptions across multiple observatories, necessitating manual workarounds to maintain limited data collection while underscoring NOIRLab’s reliance on physical interventions during cybersecurity recovery.
