CyberWire Daily - Lessons from the Viasat cybersecurity attack. [T-Minus]
Episode Date: December 24, 2024
Please enjoy this encore of T-Minus Space Daily. A few hours prior to the Russian invasion of Ukraine on February 24, 2022, Russia’s military intelligence launched a cyberattack against ViaSat’s KA-SAT satellite network, which was used by the Ukrainian Armed Forces. It prevented them from using satellite communications to respond to the invasion. After the ViaSat hack, numerous cyber operations were conducted against the space sector from both sides of the conflict. What have we learnt from the Viasat attack? Clémence Poirier has written a report on the Viasat cybersecurity attack during the war in Ukraine, Hacking the Cosmos: Cyber operations against the space sector. T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A few hours prior to the Russian invasion of Ukraine on February 24th, 2022,
Russia's military intelligence launched a cyber attack against Viasat's KA-SAT satellite network, which was used by the Ukrainian armed forces.
It prevented them from using satellite communications to respond to the invasion.
After the Viasat attack, numerous cyber operations were conducted against the space sector from
both sides of the conflict.
What have we learned since the Viasat attack? Welcome to T-Minus Deep Space from N2K Networks. I'm Maria Varmazis.
Clémence Poirier is a senior cyber defense researcher at the Center for Security Studies at ETH Zurich.
She's written a report on the Viasat cybersecurity attack during the war in Ukraine called Hacking the Cosmos, Cyber Operations Against the Space Sector.
I'm Clémence Poirier. I'm currently a senior cyber defense researcher at the Center for Security Studies at ETH Zurich in Switzerland.
And I'm mainly doing research about cybersecurity in outer space. And prior to that, I was a
research fellow seconded by CNES, the French space agency at the European Space Policy Institute in
Vienna, Austria. And my background is more in international relations.
Fantastic. Well, thank you so much for joining me today. And congratulations on this study that you
have just released out into the world. A really fascinating look at cybersecurity in space, but
very much more specifically, I don't want to give it away. I'd rather you describe it than me, but
tell me a bit about the study that you did.
Let's talk about that.
Yeah, sure.
So basically, I think we can go back to 2022 because when the war in Ukraine started, of course, the invasion actually started with a cyber attack against the satellite, which is the now infamous
Viasat attack. And prior to this, there was very little interest from the space sector for
cybersecurity issues. And it was a bit overlooked, whether it's from engineers or the industry or
public policies. So nobody really paid so much attention to that.
And the threat was a bit overlooked as well.
But when the Viasat attack happened,
it was a bit of something like the parallel war
for the space industry in some ways.
It was really a wake-up call.
So I decided back then to analyze this attack and analyze what happened,
but also what that meant for Ukrainian armed forces and their ability to respond to the
invasion, but also all the ripple effect that this attack created across Europe and what it also meant for the European space sector. And after this first
attack, I asked myself, okay, how many other attacks affected space systems in this conflict?
Because everyone saw how Starlink is used to conduct military operations there,
but also used by the civilian population,
and how it's a central aspect of accessing connectivity there,
but also how satellite images are used,
how navigation, so GPS, are used in the conflict.
So I ask myself, naturally, there would be probably a lot of operation against space systems.
So I decided to look into that. hundreds of Telegram channels, Twitter accounts, hacker forums, and a bit weird websites,
to be honest, and try to see and map groups that took sides in the conflict, because that's a big
trend that happened in this war. Hacktivist groups popped up and took sides in the conflict.
And, um, I decided to check how they would talk about space, how they would talk about
attacking the satellites or the space sectors or space companies.
And so I mapped hundreds of groups and I found 124 cyber operations that targeted the space sector in the context of the war.
So by groups that either took side in the conflict or claimed that the attack was related to the conflict directly.
And so that's the main finding of the report.
That's, okay, that's fascinating. There's so much there I want to dig into. So I think it's been really fascinating how much that Viasat attack really changed the conversation about space
cybersecurity. I think previously to that, there was a sense of,
I'm not a military asset. I don't need to worry about it. Or I'm in compliance with government
security standards, so I'm fine. Or nobody's targeting me. This is not an issue. The conversation
has completely changed since then, and especially with commercial players, as you mentioned with
Starlink, and obviously Viasat as well. You know, there is a whole level of complexity that is
there. I'm so fascinated that you not only looked at the attack itself, but also what came after in
those conversations, because that's been actually a huge question I've had in the last two plus years
is for adversaries, for threat actors, how has the conversation changed for them?
What are they saying?
Do they see space as a domain
where they feel that they can make an impact
for lack of poor terminology on my part?
But what did you see from those conversations
on all sides of the conflict?
Is this a domain where people feel comfortable?
And what kind of attacks are they trying to leverage?
Are they all similar?
Are there a lot of different tactics being deployed?
I'm sorry, I have so many questions.
I'm so fascinated here.
What I first noticed is that those hacker groups
on their Telegram channels,
hacker forums, Twitter accounts,
they really see space as a topic of fascination.
So they really use space as a way to gather their communities
and their members and create online engagement.
So they very often talk about space exploration or whatever is in the news in space.
They sometimes share fun facts, like the first time that coffee was brewed on the ISS or
this kind of things that you would not really expect on a hacktivist group communication channel.
They're nerds at heart.
Exactly.
And that's very funny because you don't see that about other sectors of the economy.
But they also see space as an ultimate challenge and something that would bring a lot of media
attention if they succeed. That is something that is perceived as more difficult to hack.
So you see some groups that talk almost in a childish way like, oh, should we, can we hack a satellite?
Should we hack a NASA satellite? And so they discuss about whether that's feasible or not.
And they really see this as the final frontier for their cyber operations.
That notoriety. Yeah.
Yes, that's definitely how it's perceived.
But at the same time, when you look at their operations against the space sector,
you also see that there are no groups that are specialized
or entirely dedicated at targeting the space sector.
So there's not one group that only targets the space sector.
All the cyber operations that I could find
were random almost among bigger campaigns
against specific countries.
So it's quite the opposite, in fact,
where they actually do not know so much about space.
A lot of them say,
oh, it was our first attack against satellite,
or it was very complex for us to understand
how the network was operating, or how a satellite functions,
or it was very hard to enter into the network. And so they really say, acknowledge that and that
difficulty. It also shows that maybe cybersecurity is a bit different in space than on Earth. And it's also interesting that Microsoft and OpenAI
also disclosed that Russian hacker groups, Fancy Bear,
also use ChatGPT to ask questions about how satellite communication functions
and how to target them.
So they didn't specify whether they could link it to an actual operation.
But that also says that there's still a knowledge gap for threat actors about how to enter into a space system.
So the space sector is not necessarily well protected, but because
the nature of the system is a bit different, it also saves the sector a little bit.
We'll be right back.
Yeah, so it means, sadly, it's just a matter of time and expertise gathering, which it will happen.
It's always an arms race with this kind of thing.
That is fascinating.
Security through obscurity is helping space right now.
It's amazing.
But again, that is just a matter of time, sadly.
I don't want to sound like a fear monger, but it's the reality.
What were the nature of the attacks, or at least attempted and successful? What did you see
targeting the space sector? So I was really surprised because, of course, the war in Ukraine
started with the Viasat attack, which was extremely complex and sophisticated, with several steps in the attack, a DDoS, then enter into a network
and wipe a malware, etc.
So it was really destructive.
And that was not the case of all the attacks that followed.
Most of the attacks were rather unsophisticated.
So the majority were distributed denial of service, mostly on websites of
space companies, space agencies, or authentication portals of space services.
But it's not because those were unsophisticated that they were not damaging in
some ways. So sometimes just targeting the authentication portal of Starlink was enough to
prevent users from using the service and accessing connectivity. So in the end,
they didn't really need to conduct a highly complex, sophisticated operation.
A smaller percentage of operations were intrusion into satellite networks.
And I could also find a lot of hack and leak operations or data breaches.
But then I couldn't find any other example of a wiper malware.
Maybe it happened, but I just couldn't find any example with open source data.
That makes a lot of sense.
That's a fascinating array. I always feel a little
bad describing these things as fascinating because there are real damages and real lives,
especially because the conflict, the Russian-Ukrainian conflict, there are real lives
at stake here. So as the war continues,
and the landscape of what is sort of considered fair play continues to include space.
Given all your findings, given what you saw, I suppose I'm asking, what does this mean for folks in the space sector? What do providers need to know? What's your advice?
So that's the good question. It's like, what do we do about it now? So what we saw is that for a long time, the space sector overlooked the threat.
And even when cybersecurity companies would notice unpatchable vulnerabilities in a lot of user
modems or ground station and would raise the issue with the industry, they wouldn't really do much about it. They wouldn't really care or be aware of the potential damaging aspect of the threat.
So I think now with this conflict, the industry is much more aware of the risk and understands
better also what a cyber attack on a space system is.
And I think they also understood that even though they might be completely civilian
or fully commercial and are not whatsoever linked to a conflict
or providing services to belligerent, they can still be
attacked because most of the operation I could find were against civilian or commercial companies.
In fact, like 61% of the operations were against commercial entities.
So it is not surprising considering the involvement of companies in the conflict.
But it really shows that the space sector has to broaden its threat model
and that the threat model changes rather quickly.
So whenever you have a new customer or that one of your old customers
then gets involved in an armed conflict,
you are going to be attacked.
It's not a matter of if, it's when.
And we saw that Starlink was attacked several times,
but also satellite images providers, space agencies, etc. So the space sector is a target, and it doesn't
really matter whether by law or under international humanitarian law, you are really a legitimate target.
The threat actors, they consider them as such.
So you have to protect yourself.
And then what was also interesting in the study
is that I could not find any example
of a cyber attack targeting the satellite in orbit directly.
So all the cyber attack were targeting the user segment, the ground
segment, or what I call the user interface, so like the IT environment of the company or the agency.
And sometimes that was enough to create damage or to prevent a satellite system from functioning properly. So they didn't really know or need to target the satellite in orbit.
So I think it's also a realization for the space industry that
the systems on Earth are the ones that are going to be the most targeted
and that you should protect the most.
Then there are some challenges specific to space.
Because, for instance, traditional cybersecurity solutions do not work so well in space
or are not necessarily adapted to the conditions of the orbital environment
because the orbital environment
is naturally hostile. So you have radiations and solar flares and extreme temperatures and
the far distance from Earth. So sometimes it creates impact on the cybersecurity solutions
that you're going to implement. So I think there's a very good opportunities for in the market for the space
cybersecurity vertical, where space cybersecurity solution adapted for space systems can be
developed. There's an area of knowledge that still needs to be developed with new solutions that are truly adapted to those systems.
So this is something that we see emerging.
We see the emergence of startups that are specialized on space cybersecurity.
It didn't exist before.
So I think it's a good aspect for the industry, and it can also make the space economy bigger.
But then another challenge is that by law right now,
space operators, they do not have to implement cybersecurity.
So if you want to get a launch license to launch your satellite in orbit,
you don't need to prove you're cyber secure or that you implemented any kind of cyber security.
And most national space laws do not have any provision that integrates cyber security measures.
So right now it's slowly changing.
You have some new texts that are submitted for adoptions or new laws that were just recently adopted.
So in Europe, the NIS2 directive in the EU
that now considers space as critical infrastructure
requires the space sector to implement stricter cybersecurity measures.
But this is a directive.
So that means that EU member states have to implement that law in their national law.
So this is something that is a long process that takes time.
And that also means that those strict cybersecurity requirements,
they're also very general.
They're not necessarily adapted to the space sector.
So the state and probably the industry
will have to work together on how to implement this
in the best way.
So that's definitely a challenge.
Yes, absolutely. Yeah, it's fascinating that you've identified that there's that knowledge gap,
both in terms of the defenders that the market can benefit from, as with the growing space cyber
market, which I'm always fascinated to watch as people are trying to fill
that gap because there aren't a lot of people who understand it very well, or at least well enough to
be prescriptive in helping companies harden their assets. But especially on the attacker side,
again, there's that knowledge gap. But inevitably, people will figure it out. And it's a matter of, I suppose, who gets there
first. Hopefully, the defenders, for everyone's sake. But it is fascinating to see people are
going to go after the easiest targets first. And ground systems and ground-based infrastructure is
still the easiest. So that's what they're going to go for. Fascinating insights, Clémence. I really appreciate that you went through and looked at years worth of information.
Because again, you've answered a question I have been having for some time is what happened after that attack?
What has the discussion been?
So I'm thrilled that you put this information together.
And the name of the report is the Cyber Defense Report.
I'll make sure that we link it in our show notes as well so our audience can read it directly, so they can read your insights directly. But I really
appreciate you coming on the show and sharing your insights with me and the audience as well.
Thank you so, so much for your time today. You're welcome. Thank you for having me.
Thank you. we deliver the information that keeps you a step ahead in the rapidly changing space industry. T-Minus Deep Space is produced by Alice Carruth. Our associate producer is Liz Stokes. We're mixed
by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer
is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter
Kilpe is our publisher. And I'm your host, Maria Varmazis. Thanks for listening. Thank you.