Notes from the Underground: Information operation targeting Elon Musk and SpaceX
Hacker leaks alleged emails, manifesto critical of spaceflight company.
Backchannel’s “Notes from the Underground” series aims to provide a spotlight on the cybercriminal underground by featuring interesting artifacts curated from threat actors. Content in this post may reflect the words and intentions of the threat actor, not Backchannel.
The content in this post has all the makings of a disinformation operation, and we cannot independently validate what motives it serves.
Today around 15:00 UTC, Backchannel’s collection system observed an interesting post on an underground hacking forum. The author linked a compressed download without a paywall, and alleged it was related to SpaceX, the private space exploration company founded and run by Elon Musk.
The post caught our interest for several reasons:
It was not distributed behind a paywall. Higher quality content on this particular forum typically makes use of the onsite currency to deter non-contributors.
The account was newly created.
It’s SpaceX! And space is cool.
What follows is a brief analysis of what appears to be an information operation targeting Elon Musk and SpaceX, constructed with the likely motive of disparaging the founder’s reputation as well as the relationship between NASA and SpaceX for mission procurements.
Materials
The alleged leak consists of several emails exported as .pdf, and a .docx with a written manifesto against Musk. These are compressed in a .7z archive.
The emails are exported from what looks to be a Microsoft Outlook system. Their contents appear to be conversations between members of the United Launch Alliance, a spaceflight services provider and competitor with SpaceX for NASA procurements.
Contents
The alleged leak contains a series of comments critical of Elon Musk and SpaceX. Some of these comments appear in what are presented as the private emails of ULA executives. The bulk of the content is made up of a manifesto titled “Elon Musk: Friend to China, Enemy of Democracy.”
The manifesto contains a bulleted list of mostly open source information, presented in a fashion that implies that some sort of conspiracy is being committed by Musk. The document is broken into sections:
“Musk & Trump”: a series of interactions between Musk and the Trump administration are presented, and the claim is made that Musk’s opinions against lockdowns during the COVID-19 pandemic were indirect nods of support to the Trump administration.
“Political Giving”: A table of political contributions over the last 5 years. The table is likely sourced from Open Secrets. A point of interest here is that all the Democrats to whom Musk has in reality contributed are omitted, leaving only Republican recipients in this document.
“Misinformation & Anti-Government Rhetoric”: This section relays a series of political comments made by Musk, and implies a rivalry between Facebook and Musk. It also obtusely points out that “WeChat is installed in Tesla vehicles”.
“Worker’s Rights”: This section contains mostly open-source reporting about various labor conditions and claims by Tesla and SpaceX employees.
“China”: This section paints Elon as a supporter of the Chinese Communist Party and their interests.
As for the allegedly leaked emails, they appear to primarily be correspondences between two individuals:
Robbie Sabethier, a VP at United Launch Alliance
Hasan Solomon, a lobbyist at the International Assoc. of Machinists and Aerospace Workers, the “largest Defense, Aerospace and Transportation union in North America.”
While the conversations depicted are likely not atypical for aerospace industry lobbyists, there is no way to verify that these communications are authentic.
Operation Timeline
VirusTotal lists the .docx as first observed Tuesday at 18:07 UTC. The .7z file appeared on VirusTotal at more or less the same time. Exiftool output on the files indicates that they were created around 14:00 UTC. The timestamps in the alleged emails state send dates between April and May 2021.
Searches for the alleged leak content on various social media sites did not yield results. This may indicate that this operation is in its infancy.
Origin
There are a few artifacts that may indicate the origin of the operation.
PDF objects in the emails indicate that the .docx was included as an attachment on at least one of the emails in the alleged leak.
While the content of the emails cannot be verified, the PDFs are consistent with the object artifacts that would be present from a PDF export from an Outlook email.
In the emails alleged to be sent from a ULA employee, the URLs are masked with a Proofpoint security URL. Proofpoint is a known vendor for ULA email security.
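The checks described in the Operation Timeline and Origin sections can be sketched as a small triage script. This is an added example, not Backchannel's tooling: the sample bytes, the attachment name, the dates and the `triage` helper are constructed for illustration, and the scan only sees objects stored uncompressed in the file.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an exported e-mail PDF; nothing here is from the leak.
# The attachment name, URL and dates are invented for the example.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /CreationDate (D:20210608140012Z) >>\nendobj\n"
    b"2 0 obj\n<< /Type /Filespec /F (manifesto.docx) /EF << /F 3 0 R >> >>\nendobj\n"
    b"3 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"4 0 obj\n<< /S /URI /URI "
    b"(https://urldefense.proofpoint.com/v2/url?u=https-3A__example.org_&d=x) >>\nendobj\n"
    b"%%EOF\n"
)
CLAIMED_SENT = datetime(2021, 5, 3, tzinfo=timezone.utc)  # constructed header date

DATE_RE = re.compile(rb"/CreationDate\s*\(D:(\d{14})(Z|[+-]\d{2}'\d{2}'?)?")
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec\b.*?/F\s*\(([^)]*)\)", re.S)
URL_RE = re.compile(rb"https?://urldefense\.(?:proofpoint\.)?com/[^\s)>]+")

def creation_time(raw):
    """Return the PDF /CreationDate as an aware UTC datetime, or None if absent."""
    m = DATE_RE.search(raw)
    if not m:
        return None
    local = datetime.strptime(m.group(1).decode(), "%Y%m%d%H%M%S")
    off = m.group(2) or b"Z"
    if off != b"Z":  # form +HH'mm': local time = UTC + offset
        sign = 1 if off[:1] == b"+" else -1
        local -= sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6]))
    return local.replace(tzinfo=timezone.utc)

def triage(raw, claimed_sent):
    """Collect the artifacts discussed above from raw PDF bytes.

    Metadata is author-controlled, so agreement shows consistency, not authenticity.
    """
    created = creation_time(raw)
    return {
        "created_utc": created,
        "attachments": [n.decode("latin-1") for n in FILESPEC_RE.findall(raw)],
        "proofpoint_urls": [u.decode() for u in URL_RE.findall(raw)],
        # Days between the date the e-mail claims and the date the PDF was produced.
        "export_lag_days": (created - claimed_sent).days if created else None,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF, CLAIMED_SENT).items():
        print(f"{key}: {value}")
```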
Conclusion
There are a few possibilities as to why this operation is being conducted:
Some notes that follow the logic of these possibilities:
(1) Seems unlikely, as it would require either ULA or IAM to leak their own emails.
(2) Would require the leaker to somehow access the ULA and IAM emails.
(3) and (4) would likely entail forging emails. Since the content here is neither explosive nor scandalous, it would be strange for someone to go to great lengths to make convincing forgeries.
In both (1) and (2) it is possible that there is a slight benefit to SpaceX, as the optics portray their company as being targeted/under attack.
Ultimately, we will need to continue to monitor for more developments in this case. It would not be the first time that Elon Musk has been a target of disinformation, nor the first time for SpaceX.