FBI Warns that Satellite Communications are coming Under Increased Attack

In a joint alert issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) the private and public spheres have been warned about increased instances of threat actors targeting satellite communications (SATCOM) companies. Along with the warning the alert has listed several mitigations that can be applied to help protect both the SATCOM provider and their customers.

satellite communications under attack

Put in place additional monitoring at ingress and egress points to SATCOM equipment to look for anomalous traffic, such as:     

  • The presence of insecure remote access tools—such as Teletype Network Protocol (Telnet), File Transfer Protocol (FTP), Secure Shell Protocol (SSH), Secure Copy Protocol (SCP), and Virtual Network Computing (VNC)—facilitating communications to and from SATCOM terminals.
  • Network traffic from SATCOM networks to other unexpected network segments.
  • Unauthorized use of local or backup accounts within SATCOM networks.
  • Unexpected SATCOM terminal to SATCOM terminal traffic.
  • Network traffic from the internet to closed group SATCOM networks.
  • Brute force login attempts over SATCOM network segments.

Both providers and customers can implement the following preventative mitigation strategies:

  • Use secure methods for authentication: this includes multifactor authentication where possible, and for all accounts used to access, manage, or administer SATCOM networks.
  • Enforce the principle of least privilege through authorization policies: by minimizing unnecessary privileges less of an attack surface is presented to the attacker to exploit. Privileges regarding access to infrastructure assets should be role-dependent and high-level privileges should be kept to an absolute minimum.
  • Review trust relationships: review existing trust relationships with IT service providers. Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data. Both the Kaseya and SolarWinds attack compromised a service provider to compromise the provider’s extensive user base.

Monitor network logs for suspicious activity: to this extent, authorities advise the following:

  • Integrate SATCOM traffic into existing network security monitoring tools.
  • Review logs of systems behind SATCOM terminals for suspicious activity.
  • Ingest system and network-generated logs into your enterprise security information and event management (SIEM) tool.
  • Implement endpoint detection and response (EDR) tools where possible on devices behind SATCOM terminals, and ingest into the SIEM.
  • Expand and enhance monitoring of network segments and assets that use SATCOM.
  • Expand monitoring to include ingress and egress traffic transiting SATCOM links and monitor for suspicious or anomalous network activity.
  • Baseline SATCOM network traffic to determine what is normal and investigate deviations, such as large spikes in traffic.

Warning Not Without Incident

While the hacking of satellite communications may on the surface seem to be a great Bond movie plot, the warning is not without incident. On March 11, Reuters published an exclusive detailing how Western intelligence services were in the process of investigating a cyberattack by unidentified hackers that disrupted broadband satellite internet access in Ukraine coinciding with Russia's invasion.

Analysts from the U.S. National Security Agency, French government cybersecurity organization ANSSI, and Ukrainian intelligence told Reuters journalists that they were investigating the matter.

Investigations involve determining whether Russian-backed cyber threat groups had sabotaged a satellite internet provider's services to disrupt vital communications during the Russian invasion of Ukraine.

Communications were severely hampered on February 24 just as Russian forces began targetting Ukrainian infrastructure with guided munitions and cruise missiles. Viasat who owns the affected network not only saw the impact on Ukrainian users but large swathes of other European territories.

Threat actors were capable of disabling modems that communicate with Viasat Inc's KA-SAT satellite, which supplies internet access to some customers in Europe, including Ukraine.

Two weeks after the attack, some modems remain offline. A Viasat official said a misconfiguration in the “management section” of the satellite network had allowed the hackers remote access into the modems, knocking them offline.

The official said most of the affected devices would need to be reprogrammed either by a technician on-site or at a repair depot and that some would have to be swapped out entirely.

It was not just the modems of users reliant on the service for the Internet and other communications that were affected by the attack. In a separate article Reuters noted that the remote control capabilities of nearly six thousand wind turbines were knocked offline. The wind turbines were mainly located in Central Europe.

At the beginning of February, the  US Office of the Director of National Intelligence (ODNI) published a report titled Annual Threat Assessment of the U.S. Intelligence Community, February 2022, which details the threats faced by the US either via other non-allied states or by organized crime.

States including China, Iran, North Korea, and Russia are examined along with their cyber capabilities. On Russia’s cyber capabilities the report states,

“Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.”


“Russia is also using cyber operations to attack entities it sees as working to undermine its interests or threaten the stability of the Russian Government. Russia attempts to hack journalists and organizations worldwide that investigate Russian Government activity and in several instances, has leaked their information.”

While the intelligence agencies mentioned above are investigating possible Russian involvement, the country’s vast network of state-sponsored groups is more than capable of carrying out the attack.

The assessment by ODNI can now add another play to the Russian playbook of carrying out cyberattacks to aid in a ground offensive.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal