Missed Calls for SATCOM Cybersecurity: SATCOM Terminal Cyberattacks Open the War in Ukraine

Unfortunately, IOActive was right. IOActive presciently foresaw the use of cyberattacks against commercial satellite communication (SATCOM) terminals and has worked tirelessly to warn the industry for the last nine years. There have been several credible reports of destructive exploitation of vulnerabilities in commercial SATCOM terminals during the opening hours of the War in Ukraine by Russian elements to prepare the battlefield.^[1],[2],[3]

I’m disappointed that more industry members didn’t heed our warning, which provided ample time to act and mitigate the realization of these threats.

BACKGROUND

IOActive has sponsored several original cybersecurity research projects on commercial SATCOM over the last decade, and with the exception of our most recent work related to Wideye™ SATCOM terminals,^[4] all of the research has been done by Ruben Santamarta.

IOActive has distinguished itself with a commanding body of work related to SATCOM. Our first SATCOM cybersecurity project was completed in 2013, and after several months of coordinated disclosure with the affected vendors, we presented^[5] our findings in 2014 at Black Hat in a talk entitled “SATCOM Terminals Hacking by Air, Sea, and Land.”^[6] In conjunction with this presentation, we published a comprehensive whitepaper entitled “A Wake-up Call for SATCOM Security”^[7] exploring the vulnerabilities and issues in greater detail. As a testament to the ground-breaking nature of this work, Google Scholar shows this paper has been cited 37 times as of March 2022.^[8]

For this research project we reviewed SATCOM terminals from five major vendors used on the INMARSAT^[9] and Iridium^[10] services and found that malicious actors could abuse all of the devices. The vulnerabilities included what would appear to be backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. In addition to design flaws, IOActive also uncovered a number of features in the devices that clearly pose security risks. We concluded that this research “should serve as an initial wake-up call for both the vendors and users of the current generation of SATCOM technology.” We did have one major user of these services engage with us to understand the risk it posed to their global operations. We wish we were able to help more organizations during this time period.

As the consequences of our findings were largely ignored within the industry and amongst those who rely upon such commercial SATCOM services, IOActive sponsored a follow-up research project called “Last Call for SATCOM Security,”^[11] which we presented^[12] at Black Hat in 2018.^[13] We discovered vulnerabilities that affect the aviation, maritime, and military industries including backdoors, insecure protocols, and network misconfigurations. We identified hundreds of vulnerable systems on aircraft, maritime vessels, and units used by the military in active conflict zones disclosing detailed geolocation data. The paper and talk’s title clearly challenged the industry to do something about these pervasive cybersecurity issues before it was too late.

Stakeholders were more open to the second body of research, even though some sectors pushed back on the conclusions despite the irrefutable, concrete code examples IOActive provided. Some small groups listened very thoughtfully and carefully before they began to take action to manage the risks they and their users faced. Unfortunately, this type of proactive approach was not a common response to our research.

In January 2022, a little more than three years after the publication of our second body of research, the U.S. National Security Agency (NSA) issued a rare public Cybersecurity Advisory^[14] urging operators to protect commercial Very Small Aperture Terminals (VSATs), since they are “increasingly used for remote communications in support of U.S. government missions.” In the Works Cited section of the advisory, the only vulnerability research cited was IOActive’s “Last Call for SATCOM Security” presentation. It is difficult to receive a higher accolade in the world of SATCOM for your cybersecurity research. Congratulations to the NSA for pushing this advisory out prior to the exploitation of SATCOM terminals in Ukraine.

Most recently, on 17 March 2022, the U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory related to SATCOM security titled “Strengthening Cybersecurity of SATCOM Network Providers and Customers.”^[15] This document provides guidance on how to improve the security posture of SATCOM systems. We urge everyone to take this guidance very seriously.

RECENT SATCOM TERMINAL ATTACKS IN EUROPE

The Reuters piece does a good job of covering what’s publicly known about the attacks.^[16] Ruben has posted a great technical blog^[17] analyzing the likely technical attack vectors based upon currently available open-source information.

Unfortunately, our second piece of research was more controversial, since it challenged the widespread, sacrosanct belief held by most members of the aviation industry that they have identified and appropriately mitigated all risks to safety. Unquestionably, they have done an exceptional job for passive and natural threats; however, within aviation and aerospace industries, there is significantly more work to be done to properly manage active threats to safety from highly motivated, competent, and sophisticated threat actors such as the one who bricked thousands of SATCOM terminals on 24 February 2022.

Hypotheses on Threat Actor Identity

While there is no clear public evidence as to the identity of the threat actor responsible for the SATCOM terminal attack, informed analysis of open sources can provide a working hypothesis for potential threat actors. To strongly confirm the hypothesis, one would need to gather secret intelligence via human intelligence (HUMINT) sources such as a penetration or through active or passive signals intelligence (SIGINT). Forensic analysis of the malware used in the attack could yield technical evidence to tie the cyberattack to the responsible group through their operational infrastructure. Alternately, some years in the future, we may see the unit and even team members publicly recognized for their contribution to the ground-breaking cyberattack that opened the War in Ukraine. It was a bright spot in a campaign that has otherwise highlighted the inadequacies of the Russian armed forces.^[18]

Prima facie, one would expect an element of Russian military intelligence to support the Russian armed forces through cyber operations. This is a very logical, reasonable starting position. This is the current theory floated by a source in the U.S. intelligence community to the Washington Post.^[19] However, there is no desire to make a high-confidence, public attribution at this time. Looking for additional evidence as to whether they have the capability and capacity to do this in the absence of specific evidence from the attack helps support this hypothesis. GRU cyber elements have a history of successful attacks on critical infrastructure in Ukraine, which demonstrates they have the capability and capacity to successfully target operational technology with consequential effects.^[20]

An alternate Russian-government-affiliated advanced persistent threat (APT) group, Turla^[21] (affiliated with the FSB^[22]), is another potential candidate. They have been linked to prior, sophisticated use of SATCOM in espionage activities.^[23],[24] In addition, they have a track record of innovation, including adapting new TTPs, like living off the land, to improve their evasion capabilities and protect their operational security.^[25] In addition, their targets generally align with Russian strategic interests, and supporting the creation of a neutral buffer space in Ukraine between their border and NATO member states is among the most important interests of the Russian nation.

Finally, there’s a third hypothesis involving some sort of collaboration between different Russian special services. While there have been indications of toolchain sharing or joint operations between cyber elements of Russian special services in the SolarWinds incident,^[26] it is not clear from public information whether this was due to a formal joint operation or an admixture of personnel over time.

Interested parties should look for further confirmatory and contradictory evidence to prove or disprove these hypotheses.

Future Cyberattacks on SATCOM

Regrettably, we are in a new era with a significantly increased probability of additional SATCOM cyberattacks. Fortunately, we may not see another destructive cyberattack like we saw last month in Ukraine for some time, but clandestine exploitation in support of intelligence and espionage operations is more likely. Unfortunately, this very public example of a successful cyberattack on SATCOM will increase interest amongst those threat actors with the capability and capacity to develop weaponized SATCOM exploits and lower the inhibition for the use of those exploits amongst those threat actors who have them in inventory.

ACT NOW

While disappointing that it took real-world attacks for a wake-up call to be realized, it’s not too late for all members of the industry to take these threats to heart and finally address the underlying issues. We emphasize that if an organization offering or using SATCOM services hasn’t acted on these risks yet, they must do so quickly. We’ll share some general thoughts about on how to start.

SATCOM Providers

SATCOM providers can do the most to manage cybersecurity risk. The following is some general guidance:

1. Avoid groupthink and the problems of checking one’s own work. Engage a competent third party to perform independent validation and verification of your cybersecurity posture.
2. Ensure you are getting regular assessments of your cybersecurity posture, including:
   1. Daily or weekly vulnerability scans
   2. Quarterly penetration testing
   3. Regular full-spectrum, Red Team engagements
3. Support your Security Operations Center (SOC) team members with additional training, including Purple Team engagements.
4. Ensure any devices used on your network or service have been tested by a competent third-party assessor with deep experience in embedded device security.
5. If you manufacture devices, ensure your developers have cybersecurity training to include threat modeling, secure coding, and embedded device security.
6. Develop an operational resiliency plan to respond to cyberattacks and minimize the impacts of such incidents.
7. Retain an incident response firm in preparation for any compromise.

SATCOM Users

Here’s a short action list for users:

1. Understand the details of the SATCOM services your organization uses.
2. Understand the business criticality and impact if these services are affected.
3. Ask your provider(s) to supply proof they are taking prudent steps to protect their service and their clients. (Service and terminal providers will likely be different entities.)
   1. Ask for summary reports of their third-party network penetration testing.
   2. Ask for summary reports of their third-party terminal device penetration testing.
4. Evaluate switching to a SATCOM provider who is able to demonstrate they are prudently addressing these concerns.
5. Develop plans for containment and operational resiliency should you experience an attack.
6. Retain an incident response firm in preparation for any compromise.

Finally, if you’re an organization offering or using SATCOM services, we are happy to have a confidential chat with you to help you develop a customized course of action appropriate to your specific circumstances.

THANKS

I would like to extend a thank you to those who took these issues seriously over the last nine years. I know some were unable to convince their senior leadership to act, but it was most certainly not due to a lack of effort.

 

---