
The European Space Agency (ESA) is reeling from another significant data breach, with attackers claiming to have exfiltrated 500GB of highly sensitive technical data.
The attackers say the exploited vulnerability remains unpatched, raising concerns about the integrity of ESA's infrastructure.
The threat actor group known as Scattered Lapsus$ Hunters tipped CyberInsider about the breach, claiming to have gained initial access to ESA systems in September 2025 by exploiting a public vulnerability. From there, the attackers say they moved laterally within ESA’s network and eventually discovered a compromised internal data-sharing platform, used by various ESA-affiliated space stations and mission partners to exchange proprietary data.
Stolen files the threat actors shared with CyberInsider include spacecraft operational procedures, full subsystem documentation, engineering specifications, environmental testing reports, and sensitive security protocols. Among the most critical documents are System Requirements Specifications (SRS), verification and integration procedures, and the full technical roadmaps for multiple ongoing and future ESA missions.
The breach also compromises data from a wide range of ESA contractors, including proprietary specifications from major aerospace players such as SpaceX, Airbus Group, Thales Alenia Space, OHB System AG, and Teledyne. The attackers claim to have obtained SpaceX’s restricted rideshare documentation, as well as signed environmental and non-conformance reports from several ESA partners.
Compromised program documentation reportedly covers a wide swath of ESA’s activities, including the Earth Observation (EO) satellite constellation, Greece’s national space program, the Next Generation Gravity Mission (NGGM), and key Earth Explorer missions like FORUM (Far-infrared Outgoing Radiation Understanding and Monitoring) and TRUTHS (Traceable Radiometry Underpinning Terrestrial- and Helio-Studies).
ESA, a leading intergovernmental space agency comprising 23 member states, coordinates Europe's space exploration and research efforts. The organization plays a central role in satellite launches, Earth science missions, and international cooperation in space technology. The leaked materials, if authentic, could have significant implications for ESA’s security posture and the confidentiality of international space partnerships.
In an official statement to CyberInsider, ESA confirmed that a criminal inquiry has been initiated and that the matter has been referred to relevant judicial authorities. The agency did not comment on the specific claims made by the attackers or whether the breach is still ongoing. ESA emphasized that any communication regarding the incident must be handled cautiously to avoid interfering with the ongoing investigation.
To this, ShinyHunters responded with the following comment:
“ESA is deliberately not acknowledging the breach because it concerns national security and very likely because they have no idea how we were able to get a hold of that much data at this time.
“It not only concerns national security but at the same time is also a supply chain attack on the entire aerospace industry considering the hundreds of impacted contractors around the world. If they didn't know, now they know.”
This latest breach follows closely on the heels of a previous disclosure on December 30, 2025, when the European Space Agency confirmed a separate cybersecurity incident involving the leak of 200GB of internal development data. That breach, which targeted external collaboration servers, included source code, CI/CD pipeline configurations, access tokens, and infrastructure-as-code files. The attacker in that case, operating under the alias “888,” claimed week-long access to ESA’s systems in December, offering the data for sale on BreachForums in exchange for Monero.






