On March 17th, CISA and the FBI issued a Joint Cybersecurity Advisory for the SATCOM ecosystem, following the cyberattack on the Viasat Satellite system. That same week, OODA Loop contributor Emilio Iasiello provided an analysis of satellite security in the context of overall cybersecurity:
“The cyber threat to satellites has been a longstanding concern and one that has, unfortunately, been mixed in with the myriad other cybersecurity issues facing the global community. As a result, it’s not surprising that satellite security has gotten lost in the shuffle, particularly given the need to prioritize and safeguard 16 critical infrastructure sectors.
But the recent Viasat attack shows the potential of what can happen when cyberspace and orbital space are intermingled, and while the Internet disruption will likely have a limited impact, it reveals how cyber attacks can be executed against these space assets to impact real-world operations. Satellites support several sectors and industries and contribute substantially to the global economy. Communications, Finance, Logistics, and Defense all rely on satellites to support their operations. Because of its increasing importance to sustain industries, the space sector as a whole is expected to be larger than oil in the next decade with an estimated worth of USD 3 trillion by 2050. Reliance on satellite functionality will only increase in the coming years.”
State Department Confirms Russian Attribution in Secretary Blinken-led Press Conference
At the time of our initial coverage and Emilio’s analysis, the attack had not been officially attributed. On May 10th, Secretary of State Antony Blinken made the U.S. government’s official attribution public:
“Today, in support of the European Union and other partners, the United States is sharing publicly its assessment that Russia launched cyberattacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries. The activity disabled very small aperture terminals in Ukraine and across Europe. This includes tens of thousands of terminals outside of Ukraine that, among other things, support wind turbines and provide Internet services to private citizens.”
🌎🤝We join our global allies & partners in support of a secure cyberspace. Today’s series of announcements reinforces the need to keep our 🛡Shields-Up: https://t.co/noCFT0QNm8! https://t.co/6soMwuigC9
— Jen Easterly🛡️ (@CISAJen) May 10, 2022
Reuters covered the multiple statements made by E.U. government officials on the same day:
Russia was behind a massive cyberattack against a satellite internet network that took tens of thousands of modems offline at the onset of the Russia-Ukraine war, the United States, Britain, Canada, Estonia, and the European Union said on Tuesday. The digital assault against Viasat’s KA-SAT network in late February took place just as Russian armour pushed into Ukraine.
British Foreign Secretary Liz Truss called the satellite internet hack “deliberate and malicious” and the Council of the EU said it caused “indiscriminate communication outages” in Ukraine and several EU member states. The Viasat outage remains the most publicly visible cyberattack carried out since Russia’s invasion of Ukraine, in part because the hack had immediate knock-on consequences for satellite internet users across Europe and because the crippled modems often had to be replaced manually.
The precise consequences of the hack on the Ukrainian battlefield have not been made public, but government contracts reviewed by Reuters show that KA-SAT has provided internet connectivity to the Ukrainian military and police units. The satellite modem sabotage caused a “huge loss in communications in the very beginning of the war”, Ukrainian cybersecurity official Victor Zhora said in March.
“After those modems were knocked offline it wasn’t like you unplug them and plug them back in and reboot and they come back,” the U.S. National Security Agency’s Director of Cybersecurity Rob Joyce told Reuters on the sidelines of a cybersecurity conference on Tuesday. “That was the biggest single event,” said Joyce. “It certainly had new and novel tradecraft, but there have been multiple attacks.”
The satellite modem-wrecking cyberattack remains the most visible hack of the war, but many others have taken place since and not all of them have been made public. (1)
In March, Viasat released an analysis of the incident: KA-SAT Network cyber attack overview | Viasat.
What Next?
- Pressure on Russia builds: “The public attribution sets the stage for additional pressure on Russia in cyberspace, including through sanctions, experts say.
- The statements also could be big in the world of cyber diplomacy. Tying public attribution statements to norms violations is a ‘really good development.’” (2)
EU attributes cyberoperations targeting the KA-SAT network iterated by US company Viasat to Russia.
The attribution statement ticks many cyber diplomacy boxes:
✅️ reference to cyber norms
✅️ specify which norm was violated (prohibition of targeting/1 https://t.co/tHFUzHMPrz
— Alexandra Paulus (@ale_paulus) May 10, 2022
- The U.S. Government has developed new mechanisms to help Ukraine identify cyber threats and recover from cyber incidents. As nations committed to upholding the rules-based international order in cyberspace, the United States and its allies and partners are taking steps to defend against Russia’s irresponsible actions.
- We have also enhanced our support for Ukraine’s digital connectivity, including by providing satellite phones and data terminals to Ukrainian government officials, essential service providers, and critical infrastructure operators.
- More information on the U.S. government’s efforts to support cybersecurity and connectivity in Ukraine is available here.
US-CERT Alert (AA22-076A): Strengthening Cybersecurity of SATCOM Network Providers and Customers
US-CERT AA22-076A was originally released on March 17th and was last revised on May 10th to reflect the official attribution. Overall, the attribution further validates the need for U.S. organizations to prepare for potential Russian cyberattacks. Click here for a PDF version of this report.
Mitigations
CISA and FBI strongly encourage critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the following mitigations:
Mitigations for SATCOM Network Providers
- Put in place additional monitoring at ingress and egress points to SATCOM equipment to look for anomalous traffic, such as:
- The presence of insecure remote access tools—such as Teletype Network Protocol (Telnet), File Transfer Protocol (FTP), Secure Shell Protocol (SSH), Secure Copy Protocol (SCP), and Virtual Network Computing (VNC)—facilitating communications to and from SATCOM terminals.
- Network traffic from SATCOM networks to other unexpected network segments.
- Unauthorized use of local or backup accounts within SATCOM networks.
- Unexpected SATCOM terminal to SATCOM terminal traffic.
- Network traffic from the internet to closed group SATCOM networks.
- Brute force login attempts over SATCOM network segments.
- See the Office of the Director of National Intelligence (ODNI) Annual Threat Assessment of the U.S. Intelligence Community, February 2022 for specific state-sponsored cyber threat activity relating to SATCOM networks.
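The monitoring list above maps naturally onto a handful of rules that can run over flow records and authentication logs at the SATCOM ingress/egress points. The following Python is an added example, not tooling from the advisory, CISA, or Viasat: the address plan (a closed terminal group, a hub/gateway range, a corporate LAN, everything else treated as internet), the watched ports, the brute-force threshold, the backup account names and the sample records are all constructed for illustration, and a real deployment would take them from the provider’s own network plan and SIEM.

```python
"""Rule-based checks over SATCOM ingress/egress records, following the
advisory's monitoring list. Added example: the address plan, ports,
thresholds, account names and records below are constructed."""
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption): one closed group for terminals,
# one for the hub/gateway, one corporate LAN; anything else is "internet".
SEGMENTS = {
    "terminal": ip_network("10.50.0.0/16"),
    "hub": ip_network("10.0.1.0/24"),
    "corp": ip_network("192.168.0.0/16"),
}
# Remote-access tools the advisory says to look for at SATCOM terminals.
REMOTE_ACCESS_PORTS = {21: "FTP", 22: "SSH/SCP", 23: "Telnet", 5900: "VNC"}
# Terminals are expected to reach only the hub (assumption for this example).
EXPECTED_TERMINAL_PEERS = {"hub"}
# Local/backup accounts whose use should always be reviewed (constructed names).
BACKUP_ACCOUNTS = {"backup", "localadmin"}


def segment(ip: str) -> str:
    """Map an address to a named segment, or 'internet' if it is in none."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def evaluate_flow(flow: dict) -> list[str]:
    """Return the advisory indicators a single flow record matches."""
    s_seg, d_seg = segment(flow["src"]), segment(flow["dst"])
    hits = []
    port_name = REMOTE_ACCESS_PORTS.get(flow["dport"])
    if port_name and "terminal" in (s_seg, d_seg):
        hits.append(f"remote-access:{port_name}")
    if s_seg == "terminal" and d_seg == "terminal":
        hits.append("terminal-to-terminal")
    elif s_seg == "terminal" and d_seg not in EXPECTED_TERMINAL_PEERS:
        hits.append(f"unexpected-segment:{d_seg}")
    if s_seg == "internet" and d_seg == "terminal":
        hits.append("internet-to-closed-group")
    return hits


def evaluate_auth(events: list[dict], threshold: int = 5, window: int = 60) -> list[str]:
    """Flag brute-force bursts (threshold failures from one source inside a
    sliding window of `window` seconds) and any successful login with a
    local/backup account."""
    alerts = []
    failures: dict[str, list[int]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "success" and ev["user"] in BACKUP_ACCOUNTS:
            alerts.append(f"backup-account-use:{ev['user']}@{ev['src']}")
        if ev["result"] != "fail":
            continue
        times = failures.setdefault(ev["src"], [])
        times.append(ev["ts"])
        # drop failures that have fallen out of the sliding window
        while times and ev["ts"] - times[0] > window:
            times.pop(0)
        if len(times) == threshold:  # fire once, when the threshold is first crossed
            alerts.append(f"brute-force:{ev['src']}")
    return alerts


# Constructed flow records (src, dst, dport) covering each rule.
SAMPLE_FLOWS = [
    {"src": "10.0.1.5", "dst": "10.50.3.20", "dport": 443},     # hub -> terminal, expected
    {"src": "203.0.113.7", "dst": "10.50.3.20", "dport": 23},   # internet -> terminal Telnet
    {"src": "10.50.3.20", "dst": "10.50.7.9", "dport": 22},     # terminal -> terminal SSH
    {"src": "10.50.7.9", "dst": "192.168.10.5", "dport": 445},  # terminal -> corporate LAN
]
# Constructed authentication events (ts in seconds): a six-failure burst,
# then a successful login with a backup account.
SAMPLE_AUTH = (
    [{"ts": 100 + i * 5, "src": "203.0.113.7", "user": "admin", "result": "fail"} for i in range(6)]
    + [{"ts": 400, "src": "10.0.1.5", "user": "backup", "result": "success"}]
)


def run(flows=SAMPLE_FLOWS, events=SAMPLE_AUTH) -> dict:
    """Evaluate every record and return the findings keyed by record index."""
    return {"flows": {i: evaluate_flow(f) for i, f in enumerate(flows)},
            "auth": evaluate_auth(events)}


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Each rule is deliberately independent, so a single record can carry several labels (the Telnet session from the internet matches both the remote-access and closed-group rules), which is what an analyst wants when triaging in a SIEM. The brute-force check fires exactly once per burst rather than on every subsequent failure, which keeps alert volume proportional to incidents rather than to attempts.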
Mitigations for SATCOM Network Providers and Customers
- Use secure methods for authentication, including multifactor authentication where possible, for all accounts used to access, manage, and/or administer SATCOM networks.
- Use and enforce strong, complex passwords: Review password policies to ensure they align with the latest NIST guidelines.
- Do not use default credentials or weak passwords.
- Audit accounts and credentials: remove terminated or unnecessary accounts; change expired credentials.
- Enforce principle of least privilege through authorization policies. Minimize unnecessary privileges for identities. Consider privileges assigned to individual personnel accounts, as well as those assigned to non-personnel accounts (e.g., those assigned to software or systems). Account privileges should be clearly defined, narrowly scoped, and regularly audited against usage patterns.
- Review trust relationships. Review existing trust relationships with IT service providers. Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data.
- Remove unnecessary trust relationships.
- Review contractual relationships with all service providers. Ensure contracts include appropriate provisions addressing security, such as those listed below, and that these provisions are appropriately leveraged:
- Security controls the customer deems appropriate.
- Provider should have in place appropriate monitoring and logging of provider-managed customer systems.
- Customer should have in place appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
- Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.
- Implement independent encryption across all communications links leased from, or provided by, your SATCOM provider. See National Security Agency (NSA) Cybersecurity Advisory: Protecting VSAT Communications for guidance.
- Strengthen the security of operating systems, software, and firmware.
- Ensure robust vulnerability management and patching practices are in place and, after testing, immediately patch known exploited vulnerabilities included in CISA’s living catalog of known exploited vulnerabilities. These vulnerabilities carry significant risk to federal agencies as well as public and private sector entities.
- Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Regularly audit system configurations for misconfigurations and security weaknesses.
- Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
- Integrate SATCOM traffic into existing network security monitoring tools.
- Review logs of systems behind SATCOM terminals for suspicious activity.
- Ingest system and network generated logs into your enterprise security information and event management (SIEM) tool.
- Implement endpoint detection and response (EDR) tools where possible on devices behind SATCOM terminals, and ingest into the SIEM.
- Expand and enhance monitoring of network segments and assets that use SATCOM.
- Expand monitoring to include ingress and egress traffic transiting SATCOM links and monitor for suspicious or anomalous network activity.
- Baseline SATCOM network traffic to determine what is normal and investigate deviations, such as large spikes in traffic.
- Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.
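Baselining SATCOM traffic and investigating deviations, as the list above recommends, needs only per-terminal byte counts per interval and a robust notion of "normal". The Python below is an added example and not part of the advisory: it learns a median/MAD baseline per terminal from the first intervals, flags both upward spikes and links that go silent while the baseline says they should carry traffic, and rolls the per-terminal findings up into a fleet-wide silence check. The interval counts, the baseline length, the `k` multiplier and the floor ratio are constructed for illustration.

```python
"""Baseline SATCOM link traffic per terminal and flag deviations.
Added example, not from the advisory: the per-interval byte counts are
constructed, and the median/MAD rule and thresholds are this example's choice."""
from statistics import median


def robust_baseline(samples: list[float]) -> tuple[float, float]:
    """Median and median absolute deviation (MAD) of the baseline window.
    MAD is used instead of standard deviation so a few past spikes in the
    learning window do not inflate the threshold."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return med, mad


def classify(value: float, med: float, mad: float, k: float = 5.0, floor: float = 0.0) -> str:
    """'spike' if value exceeds median + k*spread, 'silent' if the link went
    quiet while the baseline says it should carry traffic, else 'normal'."""
    spread = max(mad, floor)
    if value > med + k * spread:
        return "spike"
    if value == 0 and med > 0:
        return "silent"
    return "normal"


def detect(series: dict[str, list[int]], baseline_len: int, k: float = 5.0,
           floor_ratio: float = 0.05) -> dict[str, list[tuple[int, str, int]]]:
    """Learn each terminal's baseline from its first `baseline_len` intervals
    and classify the rest. Returns only the non-normal intervals as
    (interval index, label, bytes)."""
    findings: dict[str, list[tuple[int, str, int]]] = {}
    for terminal, counts in series.items():
        med, mad = robust_baseline(counts[:baseline_len])
        # the floor keeps a perfectly flat baseline (MAD == 0) from flagging everything
        floor = med * floor_ratio
        for i, value in enumerate(counts[baseline_len:], start=baseline_len):
            label = classify(value, med, mad, k, floor)
            if label != "normal":
                findings.setdefault(terminal, []).append((i, label, value))
    return findings


def fleet_silence(findings: dict, n_terminals: int, at_least: float = 0.5) -> list[int]:
    """Intervals in which at least `at_least` of the fleet went silent at once;
    a simultaneous loss of connectivity across many terminals is its own
    incident, not a per-terminal fault."""
    counts: dict[int, int] = {}
    for events in findings.values():
        for i, label, _ in events:
            if label == "silent":
                counts[i] = counts.get(i, 0) + 1
    return sorted(i for i, c in counts.items() if c >= at_least * n_terminals)


# Constructed byte counts per interval: ten baseline intervals, then four
# live ones. term-A spikes; term-B and term-C go silent in the same intervals.
SAMPLE = {
    "term-A": [980, 1010, 1005, 995, 1020, 990, 1000, 1015, 985, 1000, 1010, 1000, 20000, 1005],
    "term-B": [1200, 1190, 1210, 1205, 1195, 1200, 1215, 1185, 1200, 1210, 1200, 0, 0, 0],
    "term-C": [800, 810, 790, 805, 795, 800, 815, 785, 800, 810, 800, 0, 0, 805],
}

if __name__ == "__main__":
    found = detect(SAMPLE, baseline_len=10)
    for terminal, events in found.items():
        print(terminal, events)
    print("fleet-wide silence at intervals:", fleet_silence(found, len(SAMPLE)))
```

The "silent" label matters as much as the spike: the outage described earlier in this post manifested as terminals dropping off the network, so a baseline that only alarms on excess volume would have said nothing. Running the fleet-level check on top of the per-terminal findings separates one faulty modem from a correlated event that warrants the incident response plan.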
Contact Information
All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at [email protected] or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].
Resources
- National Security Agency (NSA) Cybersecurity Advisory: Protecting VSAT Communications
- NSA Cybersecurity Technical Report: Network Infrastructure Security Guidance
- Office of the Director of National Intelligence (ODNI): Annual Threat Assessment of the U.S. Intelligence Community, February 2022
- CISA Tip: Choosing and Protecting Passwords
- CISA Capacity Enhancement Guide: Implementing Strong Authentication
Related Reading:
Black Swans and Gray Rhinos
Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis