An infamous hacker known as 888 claimed responsibility for the cyber attack on a notorious hacking forum, saying they had stolen over 200 gigabytes of data.
“I’ve been connecting to some of their services for about a week now and have stolen over 200 GB of data. Including dumping all their private Bitbucket repositories as well,” the hacker said, adding that data included API tokens, source code, access tokens, config files, terraform files, sql files, confidential documents, hard coded credentials, CI/CD pipelines “and more”.
In response, ESA issued a statement saying it had begun an investigation into the incident and that the servers accessed were external.
“ESA is aware of a recent cyber security issue involving servers located outside the ESA corporate network. We have initiated a forensic security analysis – currently in progress – and implemented measures to secure any potentially affected devices,” the agency said on X.
“Our analysis so far indicates that only a very small number of external servers may have been impacted. These servers support unclassified collaborative engineering activities within the scientific community. All relevant stakeholders have been informed, and we will provide further updates as soon as additional information becomes available.”
Additionally, speaking with BleepingComputer, a spokesperson for ESA said it “maintains a robust framework and governance structure to address such incidents effectively”, in response to the publication asking for confirmation of 888’s allegations.
In 2024, ESA also suffered a cyber attack on its official web shop, with JavaScript malware deployed by hackers to steal customer information and payment card data.
Similarly, in March 2025, the Polish Space Agency (POLSA) announced on X that it suffered a cyber attack.
“There has been a cyber security incident at POLSA. The relevant services and institutions have been informed,” said POLSA in the post, which has been translated into English.
“The situation is being analysed. In order to secure data after the hack, the POLSA network was immediately disconnected from the internet. We will keep you updated.”
POLSA did not disclose the nature of the incident, nor did it identify a threat actor or set a deadline for systems to be restored.
“In connection with the incident, the systems under attack were secured. CSIRT NASK, together with CSIRT MON, supports POLSA in activities aimed at restoring the operational functioning of the agency,” said Poland’s Minister of Digital Affairs, Krzysztof Gawkowski.
“Intensive operational activities are also underway to identify who is behind the cyber attack. We will publish further information on this matter on an ongoing basis.”
However, agency sources speaking with The Register said the cyber attack seems to be linked to internal email compromise and that staff have been instructed to use phones rather than email.
POLSA’s website at the time of writing is also unreachable.
Speaking with Polish media in January, Gawkowski said Poland is the “most attacked country in the European Union when it comes to cyber space incidents”, adding that most cyber attacks came from Russian sources.
He also said that in 2024, Russian state-sponsored hacking group APT28, also known as Fancy Bear, targeted POLSA.
Daniel Croft