In a joint alert issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the private and public sectors have been warned about increased instances of threat actors targeting satellite communications (SATCOM) companies. Along with the warning, the alert lists several mitigations that can be applied to help protect both the SATCOM provider and its customers.
Put in place additional monitoring at ingress and egress points to SATCOM equipment to look for anomalous traffic, such as:
- The presence of insecure remote access tools—such as Teletype Network Protocol (Telnet), File Transfer Protocol (FTP), Secure Shell Protocol (SSH), Secure Copy Protocol (SCP), and Virtual Network Computing (VNC)—facilitating communications to and from SATCOM terminals.
- Network traffic from SATCOM networks to other unexpected network segments.
- Unauthorized use of local or backup accounts within SATCOM networks.
- Unexpected SATCOM terminal to SATCOM terminal traffic.
- Network traffic from the internet to closed group SATCOM networks.
- Brute force login attempts over SATCOM network segments.
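The six indicators above are all expressible as rules over flow and authentication records. The script below is an added example, not part of the CISA/FBI alert: it runs those rules over a handful of constructed records. The address plan (terminal, management and closed-group ranges), the remote-access port list, the local/backup account names and the brute-force threshold are all assumptions chosen for the example and would be replaced by an operator's own values.

```python
"""Rule-based triage of SATCOM flow/auth records against the alert's indicators.

Added example. Records, address ranges, account names and thresholds are
constructed for illustration and are not taken from the alert.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed addressing plan (constructed).
INTERNAL = ip_network("10.0.0.0/8")            # everything the organisation routes internally
SATCOM_TERMINALS = ip_network("10.50.0.0/16")  # terminal-side addresses
SATCOM_MGMT = ip_network("10.60.0.0/24")       # management segment behind the hub
SATCOM_SEGMENTS = [SATCOM_TERMINALS, SATCOM_MGMT]
CLOSED_GROUP = SATCOM_TERMINALS                # closed group that should never be reached from the internet

# Remote-access tools the alert names (Telnet, FTP, SSH/SCP, VNC) by default port.
REMOTE_ACCESS_PORTS = {23: "telnet", 21: "ftp", 22: "ssh/scp", 5900: "vnc"}
# Assumed local/backup account names whose use on SATCOM assets warrants review.
LOCAL_BACKUP_ACCOUNTS = {"admin", "backup", "root"}
BRUTE_FORCE_THRESHOLD = 5                      # failed logins from one source in the sample window

# Constructed records: (src_ip, dst_ip, dst_port, account, event)
SAMPLE_RECORDS = [
    ("10.50.1.10", "10.60.0.5", 443, "", "ok"),       # terminal -> management over HTTPS: expected
    ("10.50.1.10", "10.50.2.20", 22, "", "ok"),       # terminal -> terminal over SSH: two indicators
    ("198.51.100.7", "10.50.3.30", 23, "", "ok"),     # external source -> closed group over Telnet
    ("10.50.1.10", "10.20.0.9", 445, "", "ok"),       # terminal -> unexpected internal segment
    ("10.60.0.8", "10.60.0.5", 443, "backup", "ok"),  # backup account used on a management host
] + [("203.0.113.9", "10.60.0.5", 22, "operator", "auth_fail")] * 6  # repeated failed logins


def flag_record(record):
    """Return the list of indicator names matched by one record."""
    src, dst, dst_port, account, _event = record
    s, d = ip_address(src), ip_address(dst)
    indicators = []
    touches_satcom = any(s in n or d in n for n in SATCOM_SEGMENTS)
    if dst_port in REMOTE_ACCESS_PORTS and touches_satcom:
        indicators.append(f"insecure_remote_access:{REMOTE_ACCESS_PORTS[dst_port]}")
    if s in SATCOM_TERMINALS and d in SATCOM_TERMINALS:
        indicators.append("terminal_to_terminal")
    if s in SATCOM_TERMINALS and d in INTERNAL and not any(d in n for n in SATCOM_SEGMENTS):
        indicators.append("unexpected_segment")
    if s not in INTERNAL and d in CLOSED_GROUP:
        indicators.append("internet_to_closed_group")
    if account in LOCAL_BACKUP_ACCOUNTS and any(d in n for n in SATCOM_SEGMENTS):
        indicators.append("local_or_backup_account")
    return indicators


def triage(records, threshold=BRUTE_FORCE_THRESHOLD):
    """Apply the per-record rules and aggregate failed logins per source.

    Returns (flagged, brute_force): flagged is a list of (src, dst, port, indicators)
    for every record matching at least one rule; brute_force maps source IPs with
    at least `threshold` failed logins to their failure count.
    """
    flagged = []
    failures = Counter()
    for rec in records:
        indicators = flag_record(rec)
        if indicators:
            flagged.append((rec[0], rec[1], rec[2], indicators))
        if rec[4] == "auth_fail":
            failures[rec[0]] += 1
    brute_force = {src: n for src, n in failures.items() if n >= threshold}
    return flagged, brute_force


if __name__ == "__main__":
    flagged, brute = triage(SAMPLE_RECORDS)
    for src, dst, port, hits in flagged:
        print(f"{src} -> {dst}:{port}  {', '.join(hits)}")
    for src, n in brute.items():
        print(f"brute force suspected from {src}: {n} failed logins")
```

Port-based identification of Telnet, FTP, SSH and VNC is only a first pass; in production the same rules would be fed by a sensor that identifies the protocol from payload, and the address ranges would come from the provider's own inventory rather than constants.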
Both providers and customers can implement the following preventative mitigation strategies:
- Use secure methods for authentication: this includes multifactor authentication where possible, and for all accounts used to access, manage, or administer SATCOM networks.
- Enforce the principle of least privilege through authorization policies: by minimizing unnecessary privileges less of an attack surface is presented to the attacker to exploit. Privileges regarding access to infrastructure assets should be role-dependent and high-level privileges should be kept to an absolute minimum.
- Review trust relationships: review existing trust relationships with IT service providers. Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data. Both the Kaseya and SolarWinds attacks compromised a service provider in order to compromise the provider’s extensive user base.
Monitor network logs for suspicious activity: to this end, the authorities advise the following:
- Integrate SATCOM traffic into existing network security monitoring tools.
- Review logs of systems behind SATCOM terminals for suspicious activity.
- Ingest system and network-generated logs into your enterprise security information and event management (SIEM) tool.
- Implement endpoint detection and response (EDR) tools where possible on devices behind SATCOM terminals, and ingest into the SIEM.
- Expand and enhance monitoring of network segments and assets that use SATCOM.
- Expand monitoring to include ingress and egress traffic transiting SATCOM links and monitor for suspicious or anomalous network activity.
- Baseline SATCOM network traffic to determine what is normal and investigate deviations, such as large spikes in traffic.
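The last bullet, baselining link traffic and investigating deviations, is the one step in this list that needs a little arithmetic to be useful. The script below is an added example and is not from the alert: it builds a per-hour-of-day baseline (mean and standard deviation of bytes transferred) from constructed history and scores new observations against it. The diurnal traffic shape, the jitter values, the 3-sigma threshold and the 5 % standard-deviation floor are all assumptions made for the example.

```python
"""Per-hour traffic baseline for a SATCOM link with z-score deviation alerts.

Added example. The history and observations are constructed; the threshold
and the standard-deviation floor are assumptions, not values from the alert.
"""
import statistics
from collections import defaultdict

# Constructed daily shape: busy daytime (08:00-19:59), quieter at night.
def _expected_bytes(hour):
    return 2_000_000 + 4_000_000 * (1.0 if 8 <= hour < 20 else 0.3)

# Constructed day-to-day jitter (fractions), cycled over the history window.
_JITTER = [-0.04, -0.02, 0.0, 0.01, 0.03, -0.01, 0.02]

def constructed_history(days=14):
    """Return (hour_of_day, bytes) tuples for `days` days of synthetic traffic."""
    return [
        (hour, _expected_bytes(hour) * (1 + _JITTER[day % len(_JITTER)]))
        for day in range(days)
        for hour in range(24)
    ]


def build_baseline(history):
    """Map each hour of day to (mean_bytes, stdev_bytes) over the history."""
    by_hour = defaultdict(list)
    for hour, nbytes in history:
        by_hour[hour].append(nbytes)
    baseline = {}
    for hour, values in by_hour.items():
        mean = statistics.fmean(values)
        stdev = statistics.pstdev(values) if len(values) > 1 else 0.0
        baseline[hour] = (mean, stdev)
    return baseline


def check_observations(baseline, observations, z_threshold=3.0, stdev_floor=0.05):
    """Return the observations that deviate from the baseline by more than `z_threshold` sigma.

    `stdev_floor` (a fraction of the hourly mean) stops a very stable history from
    turning tiny fluctuations into alerts. Hours with no baseline are reported too,
    since there is nothing to compare them against.
    """
    alerts = []
    for hour, nbytes in observations:
        if hour not in baseline:
            alerts.append({"hour": hour, "bytes": nbytes, "z": None, "reason": "no baseline"})
            continue
        mean, stdev = baseline[hour]
        spread = max(stdev, stdev_floor * mean)
        z = (nbytes - mean) / spread if spread else 0.0
        if abs(z) > z_threshold:
            reason = "spike" if z > 0 else "drop"
            alerts.append({"hour": hour, "bytes": nbytes, "z": round(z, 2), "reason": reason})
    return alerts


# Constructed observations: a night-time spike, a normal noon hour, an elevated noon hour.
SAMPLE_OBSERVATIONS = [(3, 15_000_000), (12, 6_100_000), (12, 7_200_000)]

if __name__ == "__main__":
    base = build_baseline(constructed_history())
    for alert in check_observations(base, SAMPLE_OBSERVATIONS):
        print(alert)
```

A per-hour baseline catches the case the alert describes (a night-time burst that would be unremarkable at noon); a single global mean would hide it. A real deployment would also baseline per terminal or per segment, since an aggregate can mask one terminal doing something unusual.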
Warning Not Without Incident
While the hacking of satellite communications may on the surface seem to be a great Bond movie plot, the warning is not without incident. On March 11, Reuters published an exclusive detailing how Western intelligence services were in the process of investigating a cyberattack by unidentified hackers that disrupted broadband satellite internet access in Ukraine coinciding with Russia's invasion.
Analysts from the U.S. National Security Agency, French government cybersecurity organization ANSSI, and Ukrainian intelligence told Reuters journalists that they were investigating the matter.
Investigations involve determining whether Russian-backed cyber threat groups had sabotaged a satellite internet provider's services to disrupt vital communications during the Russian invasion of Ukraine.
Communications were severely hampered on February 24, just as Russian forces began targeting Ukrainian infrastructure with guided munitions and cruise missiles. Viasat, which owns the affected network, saw the impact not only on Ukrainian users but across large swathes of other European territories.
Threat actors were able to disable modems that communicate with Viasat Inc's KA-SAT satellite, which supplies internet access to some customers in Europe, including Ukraine.
Two weeks after the attack, some modems remain offline. A Viasat official said a misconfiguration in the “management section” of the satellite network had allowed the hackers remote access into the modems, knocking them offline.
The official said most of the affected devices would need to be reprogrammed either by a technician on-site or at a repair depot and that some would have to be swapped out entirely.
It was not just the modems of users reliant on the service for the Internet and other communications that were affected by the attack. In a separate article, Reuters noted that the remote control capabilities of nearly six thousand wind turbines were knocked offline. The wind turbines were mainly located in Central Europe.
At the beginning of February, the US Office of the Director of National Intelligence (ODNI) published a report titled Annual Threat Assessment of the U.S. Intelligence Community, February 2022, which details the threats faced by the US from either non-allied states or organized crime.
States including China, Iran, North Korea, and Russia are examined along with their cyber capabilities. On Russia’s cyber capabilities the report states,
“Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.”
“Russia is also using cyber operations to attack entities it sees as working to undermine its interests or threaten the stability of the Russian Government. Russia attempts to hack journalists and organizations worldwide that investigate Russian Government activity and in several instances, has leaked their information.”
While the intelligence agencies mentioned above are investigating possible Russian involvement, the country’s vast network of state-sponsored groups is more than capable of carrying out the attack.
The assessment by ODNI can now add another play to the Russian playbook of carrying out cyberattacks to aid in a ground offensive.