Russia didn’t just attack Ukraine on the ground when it invaded that country on February 24, 2022, it also raided Ukraine’s data connections in space.
On that date, “a multifaceted and deliberate cyber-attack against Viasat’s KA-SAT network resulted in a partial interruption of KA-SAT’s consumer-oriented satellite broadband service,” Viasat reported on March 30, 2022.
According to the satellite services provider, “the cyber-attack did impact several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe.”
They included the remote monitoring and control of 5,800 wind turbines owned by Germany's Enercon, with a total capacity of 11 gigawatts.
An after-attack report from Sentinel Labs concluded that “the threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers.
A wiper for this kind of device would overwrite key data in the modem’s flash memory, rendering it inoperable and in need of re-flashing or replacing.” Sentinel Labs also reported that the wiper in question was AcidRain, “an ELF MIPS malware designed to wipe modems and routers.”
Conflict-related attacks can hit civilians too
Viasat itself has not confirmed the characterisation of this as a “supply-chain" attack was accurate and maintains that there has been no evidence this was the case, according to a Viasat representative via email.
The attack “primarily impacted the Ukrainian civilian population as they were not able to access reliable information from the government during the conflict,” according to the Cyber Threats section of the CyberPeace Institute website. “The recovery time varied, though some were without internet for two weeks.”
The response: “We worked with the operator to implement immediate updates to stabilise the network and defend against additional tactics,” says Craig Miller, president of Viasat Government Systems.
“Viasat’s in-house cyber expertise and capability is how we were able to maintain the safety and security of the majority of KA-SAT users, as well as initiate a rapid logistical response to get impacted users back online as quickly as possible.”
Satellites are attractive targets for hackers
Beyond providing satellite broadband, space-based communications satellites provide a wide and varied range of services to academic, business, commercial, government, and military users. This makes them an attractive target for hackers with many points of attack, including the satellite’s onboard control software, the data links between them and their Earth stations, and ground-based data networks and equipment such as modems that connect to them.
Although the Viasat KA-SAT malware attack was apparently aimed at blocking internet access to Ukrainian civilians many kinds of cyberattacks make sense concerning space-based data systems.
“My first thought — because of the global impact on commercial and military assets — would be satellite communications attacks on GNSS/GPS navigation signals by jamming, and more the powerful threat of signal spoofing,” says Randall K. Nichols, vice-chair of an Institute of Electrical and Electronics Engineers (IEEE) subcommittee on self-healing systems.
“From an IT point of view, all space vehicles requiring navigation assistance …are essentially SCADA (supervisory control and data acquisition) systems with all the attendant vulnerabilities and subject to a host of IT/cyber/system threats,” he said.
“There have certainly been more cyberattacks against space assets and services, with government and commercial networks defending against threats daily,” Miller says.
“However, the environment everyone is operating in today is different from five, 10, or 15 years ago. Attacks from all types of adversaries are increasing in frequency and sophistication, which means government and commercial networks need to adapt their defenses.”
The danger of ‘dual use’ satellites
Making matters worse is the tendency for many satellites to be ‘dual use’ carriers, in that they provide services that are used by both commercial and military clients.
As such, “US commercial satellites may be seen as legitimate targets in case they are used in the conflict in Ukraine,” reported the Russian state-owned news agency TASS on October 27, 2022.
Speaking before the UN General Assembly’s First Committee, Russian Foreign Ministry official Konstantin Vorontsov threatened that, “Quasi-civil infrastructure may be a legitimate target for a retaliation strike.”
This has certainly been true for SpaceX’s Starlink satellite broadband service in Ukraine. "Some Starlink terminals near conflict areas were being jammed for several hours at a time,” SpaceX CEO Elon Musk said in a Twitter message posted on March 5, 2022. “Our latest software update bypasses the jamming. Am curious to see what’s next!”
Such threats and actions come as no surprise to Laurent Franck, a satellite consultant and ground systems expert with the Euroconsult Group. Whenever a commercial satellite “can be used on a battlefield and used in a war context, it becomes a target,” he says.
As a result, threats like those issued by Russia against US commercial satellites and actual jamming of Starlink terminals are to be expected, especially due to the trend of “space getting militarized.”
“Until recently, the space segment (i.e. spacecraft) were considered to be safe because of their very location in space,” he adds. “This is not true anymore, thanks to the development of dedicated spacecraft meant to inspect/disrupt other spacecraft.”
Coping with Space-Based Threats
There is nothing CSOs can do about military threats against the satellites/satellite services that their companies rely on. But they do have an opportunity to analyse and assess where the weak links in their communications chains are — both within their own enterprises and within third-party satellite services providers — and prepare contingency plans accordingly.
n fact, “it is incumbent on CSOs and senior program management to perform effective risk assessments to reach a legal level of due diligence for their organisations,” Nichols says.
To achieve this level of awareness, it's very, very important to take a full system, end-to-end view of your satellite communications systems,” says Franck Perrin, head of Thales Group’s cybersecurity, platform, and infrastructure division.
This includes every connection point, piece of equipment, and data access point/user interface along the entire signal chain both on Earth and in space.
“The risk analysis will also have to take into consideration the different operational uses that your system may be put to, both for today and in the future.” Backup data routes, both via other satellites and on the ground, should also be planned and ready for switchover at a moment’s notice.
Remember: “The greatest threats to space communication are those that result in the disruption of the ability to communicate, such as through a cyber-attack, disruption of ground infrastructure (gateways and fiber), RF interference, or through direct attacks against the spacecraft,” says Viasat’s Miller.
Moreover, just because cyberattacks are against space-based communications doesn’t mean the satellite/spacecraft itself or ground station infrastructure haven’t been affected or involved as the network itself is often the real target.
“This is not necessarily different from cyber threats that target more traditional communications networks, government agencies, or large commercial providers of other services to disrupt communication or access valuable data or intellectual property information,” Miller says. “With these types of goals, the concern of an insider threat is also possible and something space providers need to be thinking about too.”