Featured Image Source:  NASA

In the current climate created by the viable threat of a Russian cyberattack on the U.S., if you are preparing your organization or your individual household to mitigate risk, please see OODA CTO Bob Gourley’s Guide For Business: Final checks for reducing risks in the face of nation-state cyber-attacks based on White House advisory.  In the post, Bob itemizes OODA recommendations for:

• Large Businesses/Large Federal Government Agencies
• Small To Mid-Sized Businesses/State and Local Governments;  and
• Individuals

Following President Biden’s statement yesterday that he has indications that the Russians are targeting our national infrastructure for a possible cyberattack, Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger took to the podium to announce that U.S. Intelligence continues to investigate the Feb 24th hack of a European satellite company, Viasat, which provides internet connectivity to Europe, including the Ukrainian government and military.

On March 21st, we first reported (in the OODA Daily Pulse via Reuters) that British intelligence is warning of satellite communications risks after the Ukraine hack, which followed the March 18th report of  the FBI and CISA warning over threats to satellite communications networks:  “U.S. Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) [have issued] a joint statement which warned of the “possible threats to U.S. and international satellite communication (SATCOM) networks in the wake of the attack.”

Summary:    – Strengthening Cybersecurity of SATCOM Network Providers and Customers

Following is a summary of the joint CISA/FBI cyber advisory (Original release date: March 17, 2022):

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of possible threats to U.S. and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments.

Given the current geopolitical situation, CISA’s Shields Up initiative requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity. To that end, CISA and FBI will update this joint Cybersecurity Advisory (CSA) as new information becomes available so that SATCOM providers and their customers can take additional mitigation steps pertinent to their environments.

CISA and FBI strongly encourage critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the mitigations outlined in this CSA to strengthen SATCOM network cybersecurity. (1)

Click here for a PDF version of this report.

Video:  Viasat Chairman Mark Dankberg on CNBC recently addressing the cyberattack on Viasat’s European satellite operations (March 21, 2022)

From the Initial Report by Reuters on the Viasat Hack (March 11th, 2022)

On Friday, March 11th, Reuters reported that:

• Timed around the Initial Russian attacks on Ukraine: Western intelligence agencies are investigating a cyberattack by unidentified hackers that disrupted [Viasat] broadband satellite internet access in Ukraine coinciding with Russia’s invasion, according to three people with direct knowledge of the incident.  The digital blitz on the satellite service began on Feb. 24 between 5 a.m. and 9 a.m., just as Russian forces started going in and firing missiles, striking major Ukrainian cities including the capital, Kyiv.
• Connectivity Still Down Since Initial Attack:    Viasat said in a statement that the disruption for customers in Ukraine and elsewhere was triggered by a “deliberate, isolated and external cyber event” but has yet to provide a detailed, public explanation of what happened.  The hackers disabled modems that communicate with Viasat Inc’s KA-SAT satellite, which supplies internet access to some customers in Europe, including Ukraine. More than two weeks later some remain offline, resellers told Reuters.
• Attribution Efforts Ongoing:  Analysts for the U.S. National Security Agency, French government cybersecurity organization ANSSI, and Ukrainian intelligence are assessing whether the remote sabotage of a satellite internet provider’s service was the work of Russian-state-backed hackers preparing the battlefield by attempting to sever communications.  In the press briefing yesterday,  Neuberger provided an update on these attribution efforts by the U.S. IC:  “We have not yet attributed that attack, but we’re carefully looking at it because… of the impact not only in Ukraine, but also in satellite communication systems in Europe as well.  There certainly are factors that we’re looking at carefully as we look at who is responsible.” (2)
• Viasat is a Defense Contractor to U.S. and Europe:  What appears to be one of the most significant wartime cyberattacks publicly disclosed so far has piqued the interest of Western intelligence because Viasat acts as a defense contractor for both the United States and multiple allies.  Government contracts reviewed by Reuters show that KA-SAT has provided internet connectivity to the Ukrainian military and police units.
• “Management Section” Misconfiguration?:  The Viasat official said a misconfiguration in the “management section” of the satellite network had allowed the hackers remote access into the modems, knocking them offline. He said most of the affected devices would need to be reprogrammed either by a technician on site or at a repair depot and that some would have to be swapped out.  The Viasat official wasn’t explicit about what the “management section” of the network referred to and declined to provide further details. KA-SAT and its associated ground stations, which Viasat purchased last year from European company Eutelsat, are still operated by a Eutelsat subsidiary.  Viasat has hired U.S. cybersecurity firm Mandiant, which specializes in tracking state-sponsored hackers, to investigate the intrusion, according to two people familiar with the matter.
• Recent Google Acquisition/Cybersecurity Outfit Mandiant is on the Job:  Viasat has hired U.S. cybersecurity firm Mandiant, which specializes in tracking state-sponsored hackers, to investigate the intrusion, according to two people familiar with the matter.  (3)

OODA Loop contributor Emilio Iasiello provides a full analysis of attribution efforts and the current state of satellite security in his recently posted Cyber Attack Against Satellite Calls into Question Satellite Security.

What Next? Mitigations Recommended by Joint CISA/FBI Cyberadvisory

CISA and FBI strongly encourage critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the following mitigations:

Mitigations for SATCOM Network Providers

• Put in place additional monitoring at ingress and egress points to SATCOM equipment to look for anomalous traffic, such as:
  • The presence of insecure remote access tools—such as Teletype Network Protocol (Telnet), File Transfer Protocol (FTP), Secure Shell Protocol (SSH), Secure Copy Protocol (SCP), and Virtual Network Computing (VNC)—facilitating communications to and from SATCOM terminals.
  • Network traffic from SATCOM networks to other unexpected network segments.
  • Unauthorized use of local or backup accounts within SATCOM networks.
  • Unexpected SATCOM terminal to SATCOM terminal traffic.
  • Network traffic from the internet to closed group SATCOM networks.
  • Brute force login attempts over SATCOM network segments.
• See the Office of the Director of National Intelligence (ODNI) Annual Threat Assessment of the U.S. Intelligence Community, February 2022 for specific state-sponsored cyber threat activity relating to SATCOM networks.

Mitigations for SATCOM Network Providers and Customers

• Use secure methods for authentication, including multifactor authentication where possible, for all accounts used to access, manage, and/or administer SATCOM networks.
  • Use and enforce strong, complex passwords: Review password policies to ensure they align with the latest NIST guidelines.
  • Do not use default credentials or weak passwords.
  • Audit accounts and credentials: remove terminated or unnecessary accounts; change expired credentials.
• Enforce principle of least privilege through authorization policies. Minimize unnecessary privileges for identities. Consider privileges assigned to individual personnel accounts, as well as those assigned to non-personnel accounts (e.g., those assigned to software or systems). Account privileges should be clearly defined, narrowly scoped, and regularly audited against usage patterns.
• Review trust relationships. Review existing trust relationships with IT service providers. Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data.
  • Remove unnecessary trust relationships.
  • Review contractual relationships with all service providers. Ensure contracts include appropriate provisions addressing security, such as those listed below, and that these provisions are appropriately leveraged:
    • Security controls the customer deems appropriate.
    • Provider should have in place appropriate monitoring and logging of provider-managed customer systems.
    • Customer should have in place appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
    • Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.
• Implement independent encryption across all communications links leased from, or provided by, your SATCOM provider. See National Security Agency (NSA) Cybersecurity Advisory: Protecting VSAT Communications for guidance.
• Strengthen the security of operating systems, software, and firmware.
  • Ensure robust vulnerability management and patching practices are in place and, after testing, immediately patch known exploited vulnerabilities included in CISA’s living catalog of known exploited vulnerabilities. These vulnerabilities carry significant risk to federal agencies as well as public and private sectors entities.
  • Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Regularly audit system configurations for misconfigurations and security weaknesses.
• Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
  • Integrate SATCOM traffic into existing network security monitoring tools.
  • Review logs of systems behind SATCOM terminals for suspicious activity.
  • Ingest system and network-generated logs into your enterprise security information and event management (SIEM) tool.
  • Implement endpoint detection and response (EDR) tools where possible on devices behind SATCOM terminals, and ingest into the SIEM.
  • Expand and enhance monitoring of network segments and assets that use SATCOM.
  • Expand monitoring to include ingress and egress traffic transiting SATCOM links and monitor for suspicious or anomalous network activity.
  • Baseline SATCOM network traffic to determine what is normal and investigate deviations, such as large spikes in traffic.
• Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.

Further Resources:

Guide For Business: Final checks for reducing risks in the face of nation-state cyber-attacks based on White House advisory

Cyber Attack Against Satellite Calls into Question Satellite Security

A direct link to the CISA/FBI Joint Cyberadvisory:  US-CERT Alert (AA22-076A):  Strengthening Cybersecurity of SATCOM Network Providers and Customers | CISA

Recent Updates from the CISA Shields Up! Initiative:

• Statement by President Biden on our Nation’s Cybersecurity
• White House Fact Sheet: Act Now to Protect Against Potential Cyberattacks
• Strengthening Cybersecurity of SATCOM Network Providers and Customers
• Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and ‘PrintNightmare’ Vulnerability
• Updated: Conti Ransomware Cybersecurity Advisory
• Shields Up Technical Guidance
• UPDATED: Known Exploited Vulnerabilities Catalog

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

Open-Source Intelligence Resources

The USGS 2022 List of Critical Minerals:  Moody’s Analytics economist Tim Uy wrote in a recent report:  “The greatest risk facing global supply chains has shifted from the pandemic to the Russia-Ukraine military conflict and the geopolitical and economic uncertainties it has created.”  Our recent “Warning for the U.S. Chip Industry: Russian Retaliation Could Hit Supply of Key Materials” provided a breakdown of the Russian and Ukraine-source material critical to the semiconductor manufacturing process (Neon, Palladium, etc.). In February, The US Geological Survey released the 2022 List of Critical Minerals. Palladium and Scandium are included in the USGS list.

The UNHRC Operational Data Portal – Ukrainian Refugees:  The Human Rights Council is an inter-governmental body within the United Nations system responsible for strengthening the promotion and protection of human rights around the globe and for addressing situations of human rights violations and making recommendations on them. The Operational Data Portal (ODP) was created in 2011 to enable UNHCR’s institutional responsibility to provide any information and data-sharing platform to facilitate the coordination of refugee emergencies.

Bellingcat and the Russia-Ukraine Monitor Map:  Bellingcat (an innovative open-source investigative journalism network and business model) has been in our research arsenal for a while  – ripe for a post to introduce our readers to their tools, investigations, and innovative approach to networked journalism.   The war in Europe has now put Bellingcat in the spotlight, based on the growing popularity of their crowdsourced mapping and monitoring efforts.

Additional Research and Analysis On Ukraine

Russian Use of Battlefield Weapons of Mass Destruction:  Since the early-2000s, an aberrant military doctrine unique to the Russian military has emerged: the use of weapons of mass destruction on a battlefield. The doctrine focuses on tactical-level weapons able to generate massive amounts of firepower to bring about surrender. Weaponized chemical or low-yield nuclear weapons, rather than fall into a special category (or to comply with the fact that one is internationally banned) instead are designed for battlefield use available as an option for warfighting and are justified in terms of an oscillating pair of strategic goals. Chris Flaherty provides a history of the doctrine and its potential impact in Ukraine.

Russia Faces IT Crisis With Only Two Months of Data Storage Capacity Available:  Within two months, Russia will run out of data storage capabilities (for their government and public sector information technology operations) after Western IT service providers pulled their cloud computing capabilities out of the country.

The February 2022 OODA Network Member Meeting: Topics Included Crypto Innovation, Security and Regulation and the Lead Up to Putin’s War:  To help members optimize opportunities and reduce risk, OODA hosts a monthly video call to discuss items of common interest to our membership. These highly collaborative sessions are always a great way for our members to meet and interact with each other while talking about topics like global risks, emerging technologies, cybersecurity, and current or future events impacting their organizations. We also use these sessions to help better focus our research and better understand member needs.

Why Hasn’t Russia Used More Destructive Cyber Attacks Against Ukraine?:  The malware that has surfaced in the Ukraine conflict has not been the most advanced, an odd development that has raised questions among security professionals. Once committed to a kinetic invasion, a logical presumption would be that more robust cyber weaponry would be deployed to match Russia’s military might to quickly subdue Ukraine. But two weeks into the conflict, the attacks that have transpired have been anything but extraordinary.

We Are In The First Open Source Intelligence War:  We are witnessing the world’s first war where open-source intelligence is providing more actionable insights than classified sources. Here are views on what this shift means for governments, businesses, NGOs, and Citizens.

What The C-Suite Needs To Know About The Annual Threat Assessment of the US Intelligence Community:  Every year the US intelligence community produces a succinct report designed to provide a high-level overview of threats. This is issued to coincide with testimony by the Director of National Intelligence and the biggest agencies of the IC, CIA, DIA, NSA, and FBI.  This year’s report follows the theme that the world is growing in complexity and uncertainty. This complexity and uncertainty occur in an interconnected world where great power competition is clearly underway.

Dr. Scott Shumate Profiles Russian President Vladimir Putin:  This OODAcast is a special edition focused on profiling Russian President Vladimir Putin with Dr. Scott Shumate, who has over 30 years of experience evaluating national leaders, terrorists, spies, and insiders.  Scott shares his unique perspective’s on Putin informed by his extensive experience and insight. Is Putin suicidal? Is he a rational actor? Will he escalate to cyber-attacks? These questions and more are discussed with Dr. Shumate.  Here are the major takeaways from the interview to inform your perspective:  The Putin Profile: Takeaways from our Interview with a CIA, FBI, and Military Psychologist.

Ukraine-Russia War Threat to Space Security Update –  The space security and space war aspects of the current Russian invasion of Ukraine have manifested in various ways since the beginning of the war. However, it was preceded by months of build-up, as massive military vehicle parks were created at various places along the Russian and Belarusian borders – all viewed from space.  The following is an overview list of the various issues that have arisen since the inception of the conflict.

A No-Hype Assessment on Starlink Security: Starlink is a great system, but it was not designed for combat and has limitations when being used in this role. Many mitigation measures are in place that can make it harder on adversaries to exploit these limitations. This post reviews provides insights onto these mitigation measures.

The OODA C-Suite Report: Operational Intelligence for Decision-MakersWhat is the value of an informed decision? At OODA Loop, we seek to surface decision intelligence that provides meaningful perspective for leaders and analysts looking to make the most informed decisions possible. The topics examined in this assessment represent developments that fit the category of operating in a VUCA world, identifying and responding to Gray Rhino risks, or opportunities from advancements in emerging technology domains. These are issues we think our members should be tracking and map to collection requirements for our team to keep you as informed as possible.

John Boyd on Patterns of Conflict and the OODA Loop John Boyd studied. He studied fighter pilot tactics, studied aeronautical engineering, studied bureaucrats and how to avoid their traps, studied evolution and biology, and studied history. And Boyd synthesized in a way that only a real practitioner of war could to produce a briefing called Patterns of Conflict that is still having a big impact on the world today.This post summarizes some key points worth reflecting on as the world views and reacts to the Russian invasion of Ukraine.

Thinking Strategically About What Comes Next and How To Mitigate Risk As we have previously mentioned, the Russian aggression against Ukraine will have impacts far beyond the region. All companies and all government organizations (including those at local and state levels) should evaluate the potential impact of these hostilities on operations. We are a nation interconnected with the world by complex supply chains and a global high speed internet and must be ready to deal with impacts.

Twitter List For Tactical Information: This Twitter list of vetted resources that have reported accurately on tactical moves in the Ukrainian theater can be used to quickly capture the gist of a dynamic military situation.

C-Suite Guide: Improving Cybersecurity Posture Before Russia Invades Ukraine: The capabilities of Russia to conduct cyber espionage and cyber attack have been battle tested and are hard to thwart even during daily “peacetime” operations. They include well resourced capabilities of the military and intelligence services and also deep technical expertise in the Russian business ecosystem and in organized crime which operates as part of Russian national power. Proof points of Russian capabilities include the massive and sophisticated Solar Winds attacks which leveraged low and slow, well thought out plans to achieve access to multiple well-protected targets. Ransomware successes by Russian based criminal networks are also instructive as to the capability of Russian cyber threat actors. The use of malicious self replicating code (worms/virus/trojan) to spread malicious code into infrastructure is also well proven with decades of practice including fielding software that replicates from unclassified to classified systems in the military and spreads throughout critical infrastructure. This post goes beyond an articulation of the threat into recommendations leaders seeking to mitigate cyber threats from Russia including threats before, during and after a Ukraine invasion.

What The C-Suite Needs To Know About The Threat To Space Based Systems (and what to do about it): OODA recently updated the analysis below on threats to space based assets (with a focus on what the C-Suite needs to know) because of tensions with Russia and continued testing of satellite destruction capabilities the most recent of which (Nov 2021) caused significant increases in dangerous space debris.  We recommend this be read in conjunction with our report on what the C-Suite needs to know about the cybersecurity threats due to the coming Russian invasion of Ukraine, see links in the document for more.

Will China Replicate Russia’s Cyber Offensives in a Taiwan Reunification?: The current situation in the Ukraine has garnered the world’s attention with stakeholders watching attentively as the crisis unfolds. Such regional hotspots have the potential of spilling over into neighboring countries and pulling in governments from all over the world in some capacity. The threat of armed conflict escalating into a major global engagement is always a possibility. China and Taiwan are eagerly watching the crisis as well, but largely for different reasons. While Taiwan is interested to see how friendly governments come to Ukraine’s aid, China is observing how Russia may go about reclaiming territory of the former Soviet Union, in the attempts of gaining insight into how such an act can be accomplished successfully, should Moscow do just that.

A Warning for the U.S. Chip Industry: Russian Retaliation Could Hit Supply of Key Materials: Russia may retaliate against the U.S. threat of trade sanctions and export curbs by blocking access to key materials like neon and palladium. Ukraine supplies over 90% of U.S. semiconductor-grade neon. This type of supply chain-based retaliation has become a priority concern for the White House, which is encouraging a broad diversification of the supply chain in the event Russia limits access to these key materials.

Russia’s Long Game, Leadership Lessons, and Learning from Failure: In February of 2021, Matt Devost spoke to Rob Richer, a highly regarded advisor to international executives and global government leaders including several heads of state. Rob has a well-informed perspective on international risks and opportunities and an ability to analyze and distill observations in a way that is meaningful for your decision-making process. In light of the conditions in Europe, this portion of their initial OODAcast conversation is timely and includes a discussion of Richer’s time as the head of CIA Russian Operations, his perspective on U.S./Russian relations (especially the role of cyber), leadership, the role of failure, and decision-making.

Charity Wright on China’s Digital Colonialism: Charity Wright is a Cyber Threat Intelligence Analyst with over 15 years of experience at the US Army and the National Security Agency, where she translated Mandarin Chinese. Charity now specializes in dark web cyber threat intelligence, counter-disinformation, and strategic intelligence at Recorded Future. Her analysis has provided deep insights into a variety of incidents, activities, and strategic moves by well-resourced adversaries, primarily actors operating in China.

The January 2022 OODA Network Member Meeting: Putin, Russia, Gray Zone Conflict Capabilities and The Future of Europe: To help members optimize opportunities and reduce risk, OODA hosts a monthly video call to discuss items of common interest to our membership. These highly collaborative sessions are always a great way for our members to meet and interact with each other while talking about topics like global risks, emerging technologies, cybersecurity, and current or future events impacting their organizations. We also use these sessions to help better focus our research and better understand member needs.

CISA Insights Bulletin Urges U.S. Preparation for Data Wiping Attacks:In what felt like coordinated attacks last Friday, data-wiping malware (masquerading as ransomware) hit Ukrainian government organizations and was quickly followed by an aggressive unattributed cyber attack on Ukrainian government sites. The attacks prompted the release of a CISA Insights Bulletin urging U.S. organizations to strengthen their cybersecurity defenses.

Additional Context on OODA Reporting on Russia’s Military-Technical Maneuvers in Europe: We are conscious of our need to keep our usual variety of News Brief and OODA Analysis, but for obvious reasons, this week is top-heavy with Russian, NATO, and Ukrainian coverage. We intend on keeping our focus on providing the context you need vice the blow-by-blow of major moves. Like in other domains we endeavor to provide the “So What?” and “What’s Next?” you need to help drive your decisions.

OODA Research Report- The Russian Threat: This special report captures insights into the capabilities and intent of the Russian Threat, with a special focus on the cyber domain. Our objective: provide insights that are actionable for business and government leaders seeking to mitigate risks through informed decisions.

Related Reading:

Explore OODA Research and Analysis

Use OODA Loop to improve your decision-making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence, and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation-state conflict, non-nation state conflict, global health, international crime, supply chain, and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders, and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences, and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member-only video library. Explore The OODA Community