The February 24, 2022, cyber attack on US firm Viasat’s KA-SAT satellites in Ukraine led to one of the largest formal attributions of a cyber attack on a nation-state in history. Nearly 20 countries accused Russia of being responsible, including a dozen EU member states and the Five Eyes countries (US, UK, Australia, New Zealand and Canada).
This cyber intrusion, which preceded the Russian invasion of its neighbor by a few hours, was discussed in depth during the second edition of CYSAT, an event dedicated to cyber security in the space industry that took place in Paris, France, on April 26 to 27, 2023.
AcidRain, as the cyberattack is commonly known, had limited impact on Ukraine’s military operations, as Viasat’s satellites were only used as a backup system. However, there are many lessons we can learn from this, said the Deputy Chairman of the State Service of Special Communications (SSSCIP) of Ukraine, General Oleksandr Potii, during CYSAT.
1. AcidRain exploited a known vulnerability
The attack occurred in three stages, with the attackers first executing a denial of service (DoS) against Internet modems located in Ukraine. This allowed them to break into a ground satellite network running Viasat’s KA-SAT, and operated by Eutelsat subsidiary Skylogic, by exploiting a vulnerability in a Fortinet virtual private network (VPN). With access to that terrestrial network’s management system, they then deployed malware to wipe the modems’ hard drives, disconnecting them from the KA-SAT network.
In another CYSAT presentation, Clemence Poirier, a researcher at the European Space Policy Institute (ESPI), mentioned that at least one vulnerability that the attackers exploited to carry out the hack was in the Technical Report 069 (TR-069) protocol, which is used for remote management and provisioning of Internet-connected telecommunications terminals. It was discovered in 2019 in Fortinet VPN terminals and has since been used many times by Russian threat actors.
“If we look at other cyberattacks on telecommunications satellites since the outbreak of war, including repeated attempts by Russian actors to threaten to jam SpaceX’s Starlink terminals, we see many similarities to the Viasat attack,” Poirier said during CYSAT.
“When you look at all the cyberattacks targeting the space industry, most of them originated from a compromised supplier of the alleged victim. The supply chain has become the weakest link in the industry, and cybersecurity companies have been alerting space telecommunications providers for many years. I recommend IOActive’s reports, in which their researchers found vulnerabilities similar to the one used in the Viasat case.”
While he did not provide any forensic details, General Potii acknowledged that the space sector needs to improve its cybersecurity posture. “There are too many unpatched vulnerabilities used in this industry,” he said.
2. Post-incident communication is key
More than a year later, more information about the attack is still missing, Poirier lamented. “There is only a statement from Viasat, but nothing from Eutelsat or Skylogic.”
This limits the scope of forensics, the only data that threat intelligence providers and security researchers can rely on, and hinders better incident response to similar attacks in the future.
“Communication about an attack is often as important as incident response, and a lack of information can make it very malleable,” Poirier added.
3. Cyber security risk in the space sector finally recognized in Europe
According to Poirier, the Viasat attack helped policymakers better recognize that commercial telecommunications satellite systems are easy targets for threat actors, especially during armed conflicts.
However, he added that the improvement was already underway before the Viasat attack and the cyber conflict in Ukraine.
First, the EU began implementing changes to improve the cybersecurity posture of the space industry with the second phase of the Networks and Information Systems Directive (NIS2), proposed in 2021 and adopted in November 2022.
“Within NIS2, space is now considered critical infrastructure for the first time, which will allow regulators to order the space sector to implement more cybersecurity measures,” Poirier said.
While he called this “a good step forward”, he warned that because NIS2 is a directive, it could take a long time to be translated into law in EU member states. Space companies will therefore need the will, and a lot of help, to comply before any improvement is seen.
“If you look at all the national space laws today, none require anyone who wants to launch a telecommunications satellite to implement any cybersecurity. So I think every nation state should work to include cybersecurity provisions in their requirements.”
The researcher isn’t the only one arguing that, he told Infosecurity. “BSI, Germany’s cyber security agency, recently published an analysis of threats to cyber security, including in the space sector. I know that France has launched a public consultation to update the 2008 law on space operations and could add more cyber security measures. Even the EU is working on a space law in which cyber security provisions could be included,” he said.
Second, the EU Commission and the EU Space Program Agency (EUSPA) will launch the first space-focused Information Sharing and Analysis Center (ISAC) in 2024, which will also help private space companies collaborate on cyber security.
Finally, Poirier noted that IRIS2, the EU’s future multi-orbit constellation, “has been designed with cybersecurity in mind from the start.”
4. Segregation between military and civilian infrastructure
In addition to improving the cybersecurity posture of the entire space industry, nation-states should also begin to better segregate military and civilian infrastructure, Poirier argued at CYSAT.
Today, with the emergence of new space technologies, about 80% of the telecommunications satellites used by the military come from commercial companies.
As these are not always well protected against cyber attacks, they are increasingly attractive targets. “They are even more attractive than military infrastructure, which is used to being attacked and therefore generally better protected. And, at the start of the war in Ukraine, some space companies expressed concern about the lack of a clear process for responding to and reporting an attack,” he said.
5. Building a sovereign satellite telecommunications industry, a new priority for Europe
As mentioned above, a commercial company, Elon Musk’s SpaceX, has played an important role in providing a reliable connection to Ukrainian civilians and military, General Potii said during CYSAT. “SpaceX’s Starlink satellite system helped Ukrainians access emergency and critical services, such as hospitals, fire departments or social services. Today we are working with Starlink representatives in Ukraine to expand the future capabilities of the service.”
However, General Potii did not mention that Elon Musk was not willing to offer this service for free forever. On several occasions in 2022 and early 2023, the billionaire claimed that his company would not be able to maintain funding for Starlink service in Ukraine unless the US military provided tens of millions of dollars in support per month.
“I don’t think the development of national satellites is on Ukraine’s priority list at the moment, but an event like this makes a great case for the EU to have its own constellation,” Poirier concluded.
The recent cyber attack on Viasat’s satellites serves as a stark reminder of how vulnerable our digital infrastructure can be in the face of malicious hackers. While this was a sophisticated attack, there are some crucial lessons to be learned in terms of safeguarding our data and infrastructure. Here are five lessons companies like Ikaroa can learn from the attack:
1. Put strict cyber-security measures in place. Companies should ensure their digital infrastructure is secure, including their website and network. This includes adopting strict policies on firewalls, access control, password management, antivirus, and encryption of data.
2. Have a plan in place to monitor unexpected traffic. Viasat’s attack was detected early due to careful monitoring of unusual traffic. Companies should develop a data monitoring strategy to identify any suspicious activity on their networks.
3. Stay alert and aware of global cyber security threats. Companies should stay up to date on the latest news and developments in cyber security and be aware of potential risks to their networks.
4. Develop a rapid response plan. Having a rapid response plan in place is essential to effectively prevent or stop cyberattacks. Companies should have the capacity to identify and respond quickly to an attack before it causes any major damage.
5. Invest in secure solutions. Companies like Ikaroa should invest in solutions that are designed to help secure their networks and data. These should be regularly updated and tested for any vulnerabilities.
By making sure to adhere to these steps, companies can help protect their networks and satellite systems from malicious attacks.