Space-based assets aren’t immune to cyberattacks

One of the most significant cybersecurity incidents related to Russia’s war on Ukraine was a “multi-faceted” attack against satellite provider Viasat’s KA-SAT network on February 24, one hour before Russia’s invasion began. The assault, which both Ukraine and Western intelligence authorities attribute to Russia, was intended to degrade the Ukrainian national command and control.

However, the attack, which was localized to a single consumer KA-SAT network operated on Viasat’s behalf by another satellite company, a Eutelsat subsidiary called Skylogic, disrupted broadband service to several thousand Ukrainian customers and tens of thousands of other fixed broadband customers across Europe. It also highlighted how space-based assets, such as satellites are as vulnerable to malicious exploitation as any other piece of critical infrastructure.

Against this backdrop, the timing was perfect for the Space Cybersecurity Symposium III hosted by the U.S. National Institute of Standards and Technology (NIST) last week. “The multi-faceted and deliberate cyberattacks which took place during the invasion highlight the need for the United States Government to work with our international partners as well as the private sector to strengthen cyber resilience of existing and future space systems,” said Richard DalBello, director, U.S. Office of Space Commerce, National Oceanic, and Atmospheric Administration, said in kicking off the summit.

“Although the intelligence community and government are focused on the issue, its contribution to an average person’s daily life remains largely invisible in a way that other national security issues such as terrorism, extreme weather events, or even transnational organized crime are not,” Holly Shorrock, intelligence analyst at the U.S. Department of Homeland Security, said.

Space systems face cyber threats

Shorrock explained that any space system consists of three components: ground, space and link segments. “Each of these three segments is vulnerable to cyberattack,” she said. “It may surprise some of you because previous assumptions were that space [systems] are generally isolated from cyber threats. Another assumption was that commercial systems were also somewhat isolated. However, the landscape of space has changed significantly, and now governments and militaries rely on commercial systems, so our understanding of the cyber threat picture has also changed significantly.”

Even though all three components are vulnerable to cyberattacks, the ground and link segments are the most attractive and easiest attack vectors, as they proved to be in the Viasat attack. Launching a cyberattack on assets in space is the attack of last resort, Shorrock said.

Spillover effects are a critical issue

Shorrock told the symposium attendees that if they pay attention to any one thing when it comes to satellite cyberattacks, it’s that they can have damaging spillover effects. “Regardless of which segments are attacked, an attack on a space system located inside of a conflict zone can have spillover effects outside of that zone, away from the area of conflict, impacting businesses and other consumers of space-based services well beyond the conflict’s borders,” she said.

These spillover effects can persist for several weeks or even months after the attack, potentially causing reputational damage to the service provider and raising questions about the reliability of space services. In addition, “The company targeted almost certainly will incur the financial burdens of restoring service, fixing hardware, and otherwise mitigating the attack.”

The spillover from the Viasat attack reportedly stretched to Morocco, with some of the effects lasting for over a month. Shorrock offered the example of a German energy firm that lost remote monitoring and control of 5,800 wind turbines. “More than one month following the cyberattack, 193 wind farms remained disrupted,” she said. “According to the energy firm, this disruption reportedly caused the wind farm data monitoring to be taken offline, rendering the wind-energy converter vulnerable to further attack by cybercriminals or other malicious actors.”

Russia has also launched separate spoofing and jamming attacks against Ukraine

Moscow has resorted to other kinds of satellite attacks, including spoofing and the jamming of signals, since it invaded Ukraine, Shorrock said. “The spoofing of global navigation satellite systems [NSS], of which GPS is one type, is both easy and inexpensive, making it an attractive tactic for criminal organizations and militaries. Russia, in particular, has been publicly associated with this tactic since 2017 and has employed it in the current conflict with Ukraine with documented spillover effects impacting infrastructure and business activities outside of the conflict zone.”

As was true of the Viasat attack, Russia’s spoofing of NSS also created damaging spillover effects. “According to reports in the European Union aviation safety industry, signals such as GPS near the borders of the conflict zone, and in other areas stretching as far as Israel, have been jammed and spoofed throughout the Russia-Ukraine conflict.

 The spillover effects from this jamming and spoofing have impacted the aviation sector, causing some flights to be grounded for up to one week, Shorrock said. “Some aircraft had to reverse course midflight, and in at least one other instance, these spillover effects caused the plane to be unable to safely perform landing maneuvers.”

Russia’s signal jamming has likewise caused damage in Ukraine. “A second company that provides satellite communications in Ukraine reportedly fell victim to Russian jamming of its signals. In that instance, the head of the company publicly stated that the company’s other projects may be delayed due to the company having to divert its resources to counter the electronic attacks,” Shorrock said.

Viasat’s learning experience

Phil Mar, vice president and CTO for government systems at Viasat, said that when NIST last year invited him to speak at the summit, “I was thinking that I would actually use a hypothetical cyber event to set the stage as I have done many times when I speak at a conference like this. I’m always uncomfortable speaking on behalf of what happened to other people. But, as the quote from the musical Hamilton said, I was in the room when this happened. So, I will actually use a real event this time.”

Mar said that early on February 24, Skylogic started experiencing degradations, and, “We observed really high volumes of malicious traffic hitting the networks from several customer’s modems and the associated customer premise equipment.” Viasat and Skylogic personnel worked to push malicious traffic off the network but then began to observe modems dropping off the network.

Ultimately thousands of modems were dropped off the network during the attack with no observed efforts to get them back online. Later network analysis identified ground-based network intrusions exploring various configurations to gain access to the satellite provider’s management segment of the network.

The attack moved unilaterally through the trusted network and to a specific network session the company uses to manage and operate the network. The attack executed targeted commands on a large number of residential modems to override critical data in the flash memory to render the modems unable to access the network.

Viasat’s forensic teams were able to reverse engineer the attack in approximately 24 hours and start the restoration of the networks. “In this particular case, we learned a lot. We learned [what technique would work and what] made us able to restore the network so quickly, and in retrospect, what we can do better.”