Cyber Incident Victim: European Space Agency
Date: Dec 2025
Location: France
Summary
The European Space Agency experienced a breach in which a hacker using the alias '888' exfiltrated over 200 gigabytes of data, including source code, API tokens, credentials and SQL files. Shortly thereafter, a group identifying itself as Scattered Lapsus$ Hunters claimed responsibility for a second intrusion, extracting an additional 500 gigabytes that contained operational procedures, spacecraft and mission details, subsystem documentation and proprietary contractor data from partners such as SpaceX, Airbus and Thales Alenia Space. The agency confirmed that a criminal investigation is underway and noted that employee email credentials have appeared on dark web forums, attributing the compromises to poor cyber hygiene and infostealer malware. While the leaked material does not pose an immediate threat, officials warn that aggregation of the data could facilitate future attacks.
Description
On December 18, 2025, a threat actor using the alias “888” posted on BreachForums claiming to have compromised the European Space Agency and stolen over 200 gigabytes of data, including source code, CI/CD pipelines, API and access tokens, confidential documents, configuration, Terraform and SQL files, and hardcoded credentials. The actor also claimed to have dumped all private Bitbucket repositories and said they had been connecting to ESA services for about a week. ESA initially described the impact as limited to external servers containing unclassified engineering data. Shortly thereafter, in early January 2026, a group calling itself “Scattered Lapsus$ Hunters” claimed responsibility for a second attack, asserting that they had exploited an unpatched vulnerability to exfiltrate an additional 500 gigabytes of data, including operational procedures, spacecraft and mission details, subsystem documentation, and proprietary contractor data from partners such as SpaceX, Airbus Group, and Thales Alenia Space. ESA confirmed that a criminal investigation was underway after these disclosures. Before these events, ESA’s online merchandise store had been compromised with payment-card-skimming code just days before Christmas 2024, and in 2015 an Anonymous-linked breach had exposed employee and subscriber passwords. Researchers have also observed that email credentials of ESA staff, as well as NASA employees, frequently appear for sale on dark web forums.

ESA issued a statement saying it was aware of a recent issue involving servers outside its corporate network and had begun a forensic analysis to learn more. The agency’s analysis indicated that only a very small number of external servers may have been impacted, and that these servers support unclassified collaborative engineering activities within the scientific community. ESA said it had informed all relevant stakeholders, had implemented measures to secure any potentially affected devices, and would provide further updates as additional information became available. On January 8, 2026, ESA held an online press briefing in which director Eric Morel de Westgaver stated that the agency was fully cooperating with the authorities and that those authorities would manage communication regarding the case. Cybersecurity researcher Clémence Poirier told Space.com that she frequently encounters email credentials of ESA and NASA employees being sold online, attributing the phenomenon to a lack of cyber hygiene and to infostealer malware that can harvest browser-stored data such as credentials, session cookies, multi-factor authentication information and saved credit cards. Poirier noted that infostealers often evade anti-virus detection and spread through malicious ads on popular websites or infected links in YouTube video descriptions. Another source familiar with the space cyber risk environment said that space agencies are common targets of cyber attacks, with NASA being a frequent victim, and that vulnerabilities are disclosed almost daily via the Bugcrowd platform.

The stolen material has been described as comprising proprietary software, security credentials, mission documentation, configuration files, and other sensitive information related to major aerospace companies including Airbus, SpaceX, and Thales Alenia Space. While officials and experts have said that the leaked data does not pose an immediate threat, they have warned that aggregation of information from multiple breaches could eventually reveal strategic details that might enable future cyberattacks against space systems. The incidents underscore the growing cyber threats facing the space sector, with both NASA and ESA experiencing repeated attacks. A report from the EU agency ENISA released the previous year found that the space technology sector was one of six sectors struggling to comply with the NIS2 directive, chiefly because of limited cybersecurity knowledge and a heavy reliance on commercial off‑the‑shelf components. In a separate March 2025 ENISA report, the agency warned of potentially cascading effects stemming from attacks on satellites, including financial losses for businesses that rely on satellite services, disruption to essential services that could cause societal harm and loss of life, and compromise of sensitive information transmitted via satellites that could create legal and regulatory risks for affected businesses. Damon Small of Xcape observed that the breach demonstrates how seemingly low‑value data can become critical when it reveals the framework of a nation’s space endeavors, and that this, combined with intensifying geopolitical and commercial competition in space, makes such environments attractive targets for threat actors.
