The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI on Thursday released a new alert to warn satellite communication (SATCOM) networks about potential cyber threats. The warning comes just as Western intelligence agencies have opened an investigation into attacks, possibly launched by Russia, against satellite internet services.
CISA and the FBI have made a series of recommendations to help SATCOM network providers and customers strengthen cybersecurity.
Network providers have been advised to implement additional monitoring capabilities for anomalous traffic related to SATCOM equipment. They have also been advised to read a recent threat assessment report from the Office of the Director of National Intelligence, which describes the threat posed by Russia to satellites, as well as Moscow’s capabilities.
The agencies have advised SATCOM network providers and customers to use secure authentication methods, enforce a principle of least privilege, review existing trust relationships with IT service providers, implement independent encryption, strengthen software and firmware security, monitor their networks for suspicious activity, and ensure that they have incident response and resilience plans in place.
“CISA and FBI strongly encourages critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the mitigations outlined in this CSA to strengthen SATCOM network cybersecurity,” the agencies said.
The alert comes just days after Reuters reported that the NSA and other intelligence agencies are looking into whether Russian state-sponsored hackers are behind a recent attack on a satellite internet provider.
The cyberattack on the satellite service started on February 24, just as Russia launched its invasion of Ukraine. The attack disabled modems communicating with the Viasat KA-SAT satellite, which provides internet to customers in Ukraine and various other European countries.
Tens of thousands of customers in Europe were left without an internet connection as a result of the incident.
Viasat representatives told Reuters that the attackers leveraged a misconfiguration in the management section of the satellite network for remote access to modems. The modems stopped working and the service provider said the impacted devices would need to be reprogrammed.
One theory is that Russia may have wanted to disrupt satellite internet in an effort to help ground troops by hampering Ukraine’s combat capabilities.
Ruben Santamarta, a cybersecurity expert who has been analyzing satellite communications systems for many years, recently published a blog post providing possible technical explanations regarding how this attack was conducted.
“The attackers likely managed to compromise/spoof a Ground Station, specifically the ‘Element Management’ section (which likely is sync’ed across gateways), to issue a command by abusing a legitimate control protocol (probably TR-069) that deployed a malicious firmware update to the terminals. For instance, this could have been performed using well-known attacks involving VLANs,” Santamarta explained.
While the recent attack targeted Europe, a US official said last year that China and Russia are launching attacks on government satellites “every single day.”
Following Russia’s invasion of Ukraine, several hacktivist groups have launched attacks against Russia, and one group claimed to have hacked into the control center of the Russian space agency Roscosmos, which allegedly led to Russia losing control over its “spy satellites.” However, the same hacker group has been known to make false statements.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
