SATCOM Cybersecurity Alert Issued as Authorities Probe Possible Russian Attack

CISA and FBI issue warning over SATCOM cybersecurity

The US Cybersecurity and Infrastructure Security Agency and the FBI on Thursday released a new alert to warn satellite communication (SATCOM) networks about potential cyber threats. The warning comes just as Western intelligence agencies have launched an investigation into attacks — possibly launched by Russia — against satellite internet services.

CISA and the FBI have made a series of recommendations to help SATCOM network providers and customers strengthen cybersecurity.

Network providers have been advised to implement additional monitoring capabilities for anomalous traffic related to SATCOM equipment. They have also been advised to read a recent threat assessment report from the Office of the Director of National Intelligence, which describes the threat posed by Russia to satellites, as well as Moscow’s capabilities.

The agencies have advised SATCOM network providers and customers to use secure authentication methods, enforce a principle of least privilege, review existing trust relationships with IT service providers, implement independent encryption, strengthen software and firmware security, monitor their networks for suspicious activity, and ensure that they have incident response and resilience plans in place.

“CISA and FBI strongly encourages critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the mitigations outlined in this CSA to strengthen SATCOM network cybersecurity,” the agencies said.

The alert comes just days after Reuters reported that the NSA and other intelligence agencies are looking into whether Russian state-sponsored hackers are behind a recent attack on a satellite internet provider.

The cyberattack on the satellite service started on February 24, just as Russia launched its invasion of Ukraine. The attack disabled modems communicating with the Viasat KA-SAT satellite, which provides internet to customers in Ukraine and various other European countries.

Tens of thousands of customers in Europe were left without an internet connection as a result of the incident.

Viasat representatives told Reuters that the attackers leveraged a misconfiguration in the management section of the satellite network for remote access to modems. The modems stopped working and the service provider said the impacted devices would need to be reprogrammed.

One theory is that Russia may have wanted to disrupt satellite internet in an effort to help ground troops by hampering Ukraine’s combat capabilities.

Ruben Santamarta, a cybersecurity expert who has been analyzing satellite communications systems for many years, recently published a blog post providing possible technical explanations regarding how this attack was conducted.

“The attackers likely managed to compromise/spoof a Ground Station, specifically the 'Element Management' section (which likely is sync'ed across gateways), to issue a command by abusing a legitimate control protocol (probably TR-069) that deployed a malicious firmware update to the terminals. For instance, this could have been performed using well-known attacks involving VLANs,” Santamarta explained.
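The two points above, the advisory's recommendation to monitor SATCOM equipment for anomalous management traffic and Santamarta's hypothesis that a control protocol such as TR-069 was abused to push firmware to terminals, can be illustrated with a small detector. The following is an added example written for this page; it is not code from the article, from Viasat, or from CISA. The log format, the field names, the allowlisted management hosts, the firmware origin and every sample line are constructed assumptions, and the thresholds are illustrative. It flags firmware `Download` RPCs that come from a host outside the allowlist, that point at a firmware URL outside the trusted origin, or that reach an unusually large number of terminals within a short window.

```python
"""Added example (not from the article, Viasat or CISA): detect anomalous
firmware pushes on a SATCOM management plane from constructed log lines.
All field names, addresses, thresholds and sample lines are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of management hosts permitted to issue Download RPCs.
ALLOWED_ACS_SOURCES = {"10.0.100.5", "10.0.100.6"}
# Assumed trusted origin for firmware images.
ALLOWED_FW_ORIGIN = "https://acs.example/"
# More than this many distinct terminals pushed by one source inside
# WINDOW is treated as a mass push (illustrative threshold).
BURST_TERMINALS = 3
WINDOW = timedelta(minutes=5)

# Constructed sample log: timestamp, source host, RPC name, terminal id, URL.
SAMPLE_LOG = """\
2022-02-24T03:00:01Z src=10.0.100.5 rpc=GetParameterValues cpe=CPE-0001
2022-02-24T03:01:10Z src=10.0.100.5 rpc=Download cpe=CPE-0002 url=https://acs.example/fw/1.2.bin
2022-02-24T03:05:00Z src=10.0.200.9 rpc=Download cpe=CPE-0003 url=http://203.0.113.7/fw.bin
2022-02-24T03:05:02Z src=10.0.200.9 rpc=Download cpe=CPE-0004 url=http://203.0.113.7/fw.bin
2022-02-24T03:05:03Z src=10.0.200.9 rpc=Download cpe=CPE-0005 url=http://203.0.113.7/fw.bin
2022-02-24T03:05:04Z src=10.0.200.9 rpc=Download cpe=CPE-0006 url=http://203.0.113.7/fw.bin
2022-02-24T03:09:00Z src=10.0.100.6 rpc=Reboot cpe=CPE-0007
"""


def parse_line(line):
    """Parse one 'key=value' log line into a dict with a datetime 'ts'."""
    ts_str, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect_anomalous_pushes(log_text):
    """Return a list of (alert_kind, source, detail) tuples."""
    alerts = []
    pushes = defaultdict(list)  # source host -> [(ts, terminal), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("rpc") != "Download":
            continue  # only firmware/config pushes are of interest here
        src, cpe, url = rec["src"], rec["cpe"], rec.get("url", "")
        if src not in ALLOWED_ACS_SOURCES:
            alerts.append(("unauthorized_source", src, cpe))
        if not url.startswith(ALLOWED_FW_ORIGIN):
            alerts.append(("untrusted_firmware_url", src, url))
        pushes[src].append((rec["ts"], cpe))

    # Sliding window: count distinct terminals pushed by each source.
    for src, events in pushes.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {cpe for ts, cpe in events[i:] if ts - start <= WINDOW}
            if len(targets) > BURST_TERMINALS:
                alerts.append(("mass_push", src, len(targets)))
                break  # one mass-push alert per source is enough
    return alerts


def summarize(alerts):
    """Count alerts by kind, handy for a dashboard or a test."""
    counts = defaultdict(int)
    for kind, _, _ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_anomalous_pushes(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the legitimate push from `10.0.100.5` produces nothing, while the four pushes from the non-allowlisted host to a plain-HTTP image trigger both per-event alerts and one mass-push alert. In a real deployment the allowlist and firmware origin would come from the provider's asset inventory, and the detector would sit on a log pipeline rather than read a string.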

While the recent attack targeted Europe, a US official said last year that China and Russia are launching attacks on government satellites “every single day.”

Following Russia’s invasion of Ukraine, several hacktivist groups have launched attacks against Russia, and one group claimed to have hacked into the control center of the Russian space agency Roscosmos, which led to Russia allegedly losing control over their “spy satellites.” However, the same hacker group has been known to make false statements.

Related: CISA, FBI Issue Warnings on WhisperGate, HermeticWiper Attacks

Related: U.S. Issues Fresh Warning Over Russian Cyber Threats as Ukraine Tensions Mount

Related: CISA Again Warns U.S. Organizations of Potential Russian Cyberattacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.