SATCOM Cybersecurity Alert Issued as Authorities Probe Possible Russian Attack

CISA and FBI issue warning over SATCOM cybersecurity

The US Cybersecurity and Infrastructure Security Agency and the FBI on Thursday released a new alert to warn satellite communication (SATCOM) networks about potential cyber threats. The warning comes just as Western intelligence agencies have launched an investigation into attacks — possibly launched by Russia — against satellite internet services.

CISA and the FBI have made a series of recommendations to help SATCOM network providers and customers strengthen cybersecurity.

Network providers have been advised to implement additional monitoring capabilities for anomalous traffic related to SATCOM equipment. They have also been advised to read a recent threat assessment report from the Office of the Director of National Intelligence, which describes the threat posed by Russia to satellites, as well as Moscow’s capabilities.

The agencies have advised SATCOM network providers and customers to use secure authentication methods, enforce a principle of least privilege, review existing trust relationships with IT service providers, implement independent encryption, strengthen software and firmware security, monitor their networks for suspicious activity, and ensure that they have incident response and resilience plans in place.

“CISA and FBI strongly encourages critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the mitigations outlined in this CSA to strengthen SATCOM network cybersecurity,” the agencies said.

The alert comes just days after Reuters reported that the NSA and other intelligence agencies are looking into whether Russian state-sponsored hackers are behind a recent attack on a satellite internet provider.

The cyberattack on the satellite service started on February 24, just as Russia launched its invasion of Ukraine. The attack disabled modems communicating with the Viasat KA-SAT satellite, which provides internet to customers in Ukraine and various other European countries.

Tens of thousands of customers in Europe were left without an internet connection as a result of the incident.

Viasat representatives told Reuters that the attackers leveraged a misconfiguration in the management section of the satellite network for remote access to modems. The modems stopped working and the service provider said the impacted devices would need to be reprogrammed.

One theory is that Russia may have wanted to disrupt satellite internet in an effort to help ground troops by hampering Ukraine’s combat capabilities.

Ruben Santamarta, a cybersecurity expert who has been analyzing satellite communications systems for many years, recently published a blog post providing possible technical explanations regarding how this attack was conducted.

“The attackers likely managed to compromise/spoof a Ground Station, specifically the ‘Element Management’ section (which likely is sync’ed across gateways), to issue a command by abusing a legitimate control protocol (probably TR-069) that deployed a malicious firmware update to the terminals. For instance, this could have been performed using well-known attacks involving VLANs,” Santamarta explained.

While the recent attack targeted Europe, a US official said last year that China and Russia are launching attacks on government satellites “every single day.”

Following Russia’s invasion of Ukraine, several hacktivist groups have launched attacks against Russia, and one group claimed to have hacked into the control center of the Russian space agency Roscosmos, which allegedly led to Russia losing control over its “spy satellites.” However, the same hacker group has been known to make false statements.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
