Authorities have issued a SATCOM cybersecurity alert as they investigate a possible Russian attack
The FBI and the US Cybersecurity and Infrastructure Security Agency issued a new alert on Thursday to warn satellite communication (SATCOM) networks about potential cyber threats. The warning comes as Western intelligence agencies begin an inquiry into possible Russian-sponsored attacks on satellite internet providers.
The FBI and CISA have issued a set of suggestions to help SATCOM network providers and customers improve their cybersecurity.
Additional network monitoring capabilities for aberrant traffic related to SATCOM equipment have been recommended to network providers. They should also examine a recent threat assessment report from the Office of the Director of National Intelligence, which highlights Russia’s threat to satellites as well as its capabilities.
The agencies have advised SATCOM network providers and customers to use secure authentication methods, follow the principle of least privilege, review existing trust relationships with IT service providers, use independent encryption, strengthen software and firmware security, monitor their networks for suspicious activity, and have incident response and resilience plans in place.
“To boost SATCOM network cybersecurity, the CISA and FBI strongly encourage critical infrastructure organisations and other organisations that are either SATCOM network providers or customers to study and execute the mitigations provided in this CSA,” the authorities stated.
The warning comes just days after Reuters reported that the National Security Agency (NSA) and other intelligence agencies are investigating whether Russian state-sponsored hackers are responsible for a recent cyberattack on a satellite internet provider.
The cyberattack on the satellite service began on February 24, just as Russia launched its invasion of Ukraine. Modems communicating with the Viasat KA-SAT satellite, which offers internet to consumers in Ukraine and other European nations, were deactivated as a result of the attack.
As a result of the incident, tens of thousands of consumers throughout Europe were left without internet access.
According to Viasat authorities, the attackers used a misconfiguration in the satellite network’s administration section to get remote access to modems. The modems became unusable, and the service provider advised that the affected devices be reconfigured.
According to one scenario, Russia may have wanted to disrupt satellite internet in order to aid ground troops by limiting Ukraine’s military capabilities.
Ruben Santamarta, a cybersecurity specialist who has spent years studying satellite communications systems, recently published a blog post speculating on possible technical explanations for how the attack was carried out.
“The attackers were most likely able to compromise/spoof a Ground Station, specifically the ‘Element Management’ section (which is likely sync’d across gateways), to execute a command by misusing a valid control protocol (possibly TR-069) that installed malicious software on the terminals. This may have been done, for example, using well-known VLAN assaults,” Santamarta noted.
While the latest attack targeted Europe, a US source stated last year that China and Russia launch attacks on government satellites “every single day.”