
NASA Internal Portal Admin Access Offered for Sale on Dark Web


A threat actor is currently advertising administrative access to NASA’s internal web portals on underground cybercrime forums, according to a March 2025 social media post from cybersecurity watchdog MonThreat.

The listing claims to provide web shell access, VPN credentials, and session hijacking capabilities tied to NASA’s Technology Transfer Portal and other critical systems.

If validated, this breach could expose sensitive aerospace research, employee PII, and export-controlled technologies.

Technical Scope of the Alleged Compromise

According to the MonThreat post, the seller alleges possession of root-level access to multiple subdomains under nasa.gov, including portals handling intellectual property licensing and contractor disclosures.

Advertised capabilities include API control for modifying user privileges, RDP/SSH tunneling into backend servers, and persistent web shells disguised as legitimate monitoring tools.

Crucially, the actor claims access spans both the public-facing Technology Transfer Portal (T2 Portal) and restricted internal systems like the New Technology Reporting System (NTRS).

Session hijacking tools mentioned in the listing could enable attackers to bypass NASA’s AUID two-factor authentication by replicating active employee logins.

This aligns with historical vulnerabilities in NASA’s Jira implementation, where misconfigured permissions in 2019 exposed project data and employee emails for 23 days before remediation.

The current offering also references VPN credentials tied to NASA’s Software Defined Networking architecture, potentially allowing lateral movement into segmented research networks.

Implications for Sensitive Aerospace Assets

A successful intrusion could jeopardize NASA’s 8,000+ active patents and pending Space Act Agreements.

Threat actors might alter licensing terms for emerging technologies like advanced propulsion systems or modify export control flags on ITAR-restricted components.

The 2018 breach of NASA employee SSNs and the 2019 Jira leak demonstrated the risks of identity-based attacks, but this incident escalates the threat to operational security.

Of particular concern is the web shell’s described ability to manipulate the Disposition of Property System (DSPL), which governs sales of surplus aerospace hardware.

Unauthorized DSPL access could enable fraudulent transfers of export-controlled equipment or deletion of digital media sanitization records required by NPR 2810.1.

Researchers note similarities to the 2021 GSA Auctions breach, where threat actors exploited API flaws to hijack bidding on NASA Glenn Research Center assets.

NASA’s Response and Mitigation Efforts

While NASA has not formally confirmed the breach’s validity, internal memos reference collaboration with US-CERT and third-party cybersecurity firms to audit authentication logs.
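An audit of authentication logs like the one referenced above can look for the session replay the listing describes, where a stolen session is reused after the legitimate user has already passed two-factor authentication. The following is an added example, not code from MonThreat, NASA, or the original article; the log format, field names, and sample lines are constructed assumptions.

```python
import csv
import io

# Constructed sample log (assumed format, not real data):
# time, event, session id, user, source IP, user agent. Assumed time-ordered.
SAMPLE_LOG = """\
2025-03-10T09:00:02Z,mfa_ok,s-1001,alice,198.51.100.10,Firefox/128
2025-03-10T09:05:40Z,request,s-1001,alice,198.51.100.10,Firefox/128
2025-03-10T09:07:11Z,request,s-1001,alice,203.0.113.77,curl/8.5
2025-03-10T09:10:00Z,mfa_ok,s-1002,bob,198.51.100.22,Chrome/126
2025-03-10T09:12:30Z,request,s-1002,bob,198.51.100.22,Chrome/126
2025-03-10T09:20:00Z,request,s-1003,carol,192.0.2.5,Chrome/126
"""


def find_replayed_sessions(log_text):
    """Flag requests whose session was not established by the same client via MFA."""
    mfa_client = {}  # session id -> (ip, user agent) that completed MFA
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, event, sid, user, ip, ua = row
        client = (ip, ua)
        if event == "mfa_ok":
            mfa_client[sid] = client
        elif event == "request":
            if sid not in mfa_client:
                # Session is in use but no MFA completion was ever logged for it.
                findings.append((ts, sid, user, "no_mfa_seen", ip))
            elif client != mfa_client[sid]:
                # Same session token, different client than the one that passed MFA.
                findings.append((ts, sid, user, "client_mismatch", ip))
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Findings are leads rather than verdicts: roaming clients and VPN egress changes also produce mismatches, so each hit needs correlation with other telemetry before action is taken.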

The agency is likely applying lessons from its 2019 Engineering and Safety Center reforms, which centralized vulnerability assessments under the NESC framework.

Preliminary measures may include:

  • Rotating all Active Directory credentials tied to the T2 Portal’s LDAP integration
  • Reissuing certificates for NASA’s Guest Account Federation used by 14,000+ external partners
  • Suspending “Apply to License” functions until Jira workflows undergo CVE-2025-XXXX patching

Cybersecurity analysts emphasize the need for runtime application self-protection (RASP) on NASA’s .NET-based licensing platforms and stricter enforcement of NPR 2810.11 media sanitization protocols.

As of March 2025, NASA’s public technology portals remain operational, though contractors report increased MFA challenges during NF1679 submissions.

The incident underscores persistent risks in federal IT modernization efforts, particularly for agencies managing dual-use aerospace technologies with both commercial and defense applications.
