'Unknowns' hack European Space Agency

Written by Tom Espiner, Contributor

The European Space Agency has said that a group of hackers called 'The Unknowns' successfully hacked into external servers and got access to user identity information.

The Unknowns used SQL injection to attack databases through the European Space Agency (ESA) website, ESA security office manager Stefano Zatti told ZDNet UK on Thursday.

"The group used SQL injection... The use of SQL injection is an admitted vulnerability," said Zatti. "This needs to be addressed at a coding level."

All space observation data is deliberately hosted on external servers and made publicly available, said Zatti. Users must register to see the information, and enter a user ID and a password. User IDs are held in plaintext, but passwords are encrypted, with the hashes, keys and algorithms held on internal servers.

The Unknowns hacking group compromised user IDs, but not the encrypted passwords, said Zatti.

A hacker called 'Zyklon B', part of the Unknowns, claimed to have hacked a number of organisations, including the European Space Agency, in a document posted on Pastebin on Tuesday.

The hackers claimed to have compromised the website of the Interagency Advanced Power Group, a group of US government employees linked to NASA's Glenn Research Center. NASA declined to comment on Thursday.

The Unknowns also claimed to have compromised details from the US Air Force auxiliary Civil Air Patrol, the history service of the French defence ministry, the Joint Pathology Centre of the US military, the Jordanian Yellow Pages, Bahrain Ministry of Defence, the Thai Royal Navy, and a subset of Renault.

The US Air Force had not responded to a request for comment at the time of writing.
