Satellite Hacking: How Russia Knocked out the ViaSat System at the Outset of the Ukraine War

Satellite Hacking

Welcome back, my aspirational cyberwarriors!

Satellite hacking is the new frontier in cyber warfare!

Satellites are essential infrastructure in any industrialized, digitally advanced nation. Not only do they carry radio, television, Internet and telephone traffic, but they are a critical element of each nation's military infrastructure. An attacker who can interfere with or degrade satellite links will have a decided advantage in any cyberwar. Even ignoring the impact on military reconnaissance and communication, attacks against the civilian infrastructure can cause significant communication disruptions and an overwhelming psychological impact on the civilian population. As any general in any army will tell you, psychological warfare can be nearly as impactful as kinetic warfare.

DDoS

Throughout the short history of cyber warfare, DDoS attacks have been a favorite opening move to create confusion, promote disinformation, and generate anxiety among the civilian population. The first coordinated use of cyberattacks alongside a military invasion came in 2008, when Russia invaded Georgia, a former Soviet republic. Before marching into South Ossetia, the Russians engineered a massive DDoS attack against Georgia's digital infrastructure. The result was that communication nationwide was degraded and the Russians were able to spread disinformation on their own channels. The civilian population was distraught (can you imagine waking up one day without Internet, TV, or phone?) and the resistance fractured. The Russians marched in and, as of 2024, still occupy South Ossetia.

Russia used a similar strategy against Ukraine in February 2022, with one new wrinkle: they took down the ViaSat KA-SAT satellite service used in Ukraine and in nearby regions of other European countries.

This is likely the first entry in the history of satellite cyberwarfare.

Let’s take a deep dive into what actually happened.

Fortinet Vulnerability

Some four years earlier, a security researcher had discovered a vulnerability in the SSL VPN product of Fortinet, the US-based cybersecurity company that sells next-generation firewalls and VPNs among other things. An unauthenticated HTTP request could use directory traversal to step outside the web portal's directory and read a file that stored VPN usernames and passwords. In essence, an attacker could send a single crafted HTTP request and receive the credentials, if they knew where to look. This vulnerability was designated CVE-2018-13379. Note that it was a nearly four-year-old, publicly known vulnerability at the time of the attack.

The vulnerability was described as:

Description

An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

It was rated 9.8, or critical, on the CVSS scale. In plain language, this vulnerability allows the attacker to navigate from the portal's default directory to another location on the file system that includes the usernames and passwords.
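To make the mechanism concrete, here is an added example (not code from this page and not Fortinet's code) of the vulnerable pattern behind a path traversal bug of this class, beside a hardened version. The `lang` parameter name, the directory layout under a temporary folder, and the credential line in the "sessions" file are all constructed for illustration; the point is that the weak handler glues client input onto a restricted directory, while the fixed handler resolves the real path and refuses anything that lands outside the real root, which defeats plain, URL-encoded, repeated-slash and absolute-path variants alike.

```python
"""Path traversal: vulnerable file handler beside a hardened one.

Added example; the parameter name, tree layout and credential line are
constructed for illustration, not taken from any real product.
"""
import os
import tempfile
from urllib.parse import unquote

SECRET_MARKER = "alice:"  # constructed credential line used to detect a leak


def setup_demo_root():
    """Build a throwaway tree:  <tmp>/portal/lang  (the restricted web root)
    and  <tmp>/secrets/sessions  (a file OUTSIDE it holding a constructed
    username:password line). Returns the web root path."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "portal", "lang")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "en.json"), "w") as f:
        f.write('{"login": "Login"}\n')
    os.makedirs(os.path.join(base, "secrets"))
    with open(os.path.join(base, "secrets", "sessions"), "w") as f:
        f.write(SECRET_MARKER + "Winter2022!\n")  # constructed, not real data
    return web_root


def vulnerable_read(web_root, lang):
    """Vulnerable pattern: decode the client parameter and glue it onto the
    restricted directory. normpath happily resolves '..' components, so a
    crafted value walks out of web_root."""
    path = os.path.normpath(web_root + "/" + unquote(lang))
    with open(path) as f:
        return f.read()


def hardened_read(web_root, lang):
    """Hardened: resolve the real path, then require it to stay under the
    real root. The check runs on the resolved path rather than on patterns
    in the input, so encodings, repeated slashes and leading slashes are
    all covered by the same test."""
    root = os.path.realpath(web_root)
    relative = unquote(lang).lstrip("/")  # the client never chooses an absolute path
    candidate = os.path.realpath(os.path.join(root, relative))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"traversal blocked: {lang!r}")
    with open(candidate) as f:
        return f.read()


def classify(handler, web_root, lang):
    """Summarise one request as served / leaked / blocked / error."""
    try:
        content = handler(web_root, lang)
    except PermissionError:
        return "blocked"
    except OSError:
        return "error"
    return "leaked" if SECRET_MARKER in content else "served"


def run_demo():
    """Send the same constructed requests through both handlers and return
    {request: (vulnerable_outcome, hardened_outcome)}."""
    web_root = setup_demo_root()
    requests = [
        "en.json",                            # legitimate request
        "../../secrets/sessions",             # plain traversal
        "%2e%2e/%2e%2e/secrets/sessions",     # URL-encoded dots
        "/../../secrets/sessions",            # leading slash plus traversal
        "..//////..//////secrets/sessions",   # repeated slashes
    ]
    return {
        r: (classify(vulnerable_read, web_root, r),
            classify(hardened_read, web_root, r))
        for r in requests
    }


if __name__ == "__main__":
    for req, (vuln, hard) in run_demo().items():
        print(f"{req:36} vulnerable={vuln:8} hardened={hard}")
```

Run it and every traversal variant shows up as `leaked` for the vulnerable handler and `blocked` for the hardened one, while the legitimate `en.json` request is served by both. The design lesson is that a denylist of `../` strings is the wrong fix: canonicalise first, then compare against the canonical root.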

The Russians, likely GRU operators working out of St. Petersburg, were able to use this vulnerability to gain access to a ViaSat management console in Turin, Italy.

If the folks in Turin had been doing their cyber threat intelligence vigilantly, they would have noticed the alert posted on X (Twitter) the day before.

Note the date. It was literally the day before Russia attacked, and the IP address is in St. Petersburg, Russia.

Once the intruders gained access to the ViaSat management network, they used it to push malware to subscriber modems over the satellite link, the same channel that is normally used to deliver firmware updates to those modems. The malware then overwrote parts of the modems' flash memory, leaving the terminals unable to receive satellite communications. Note that the satellite itself was never touched; the attack abused trusted management-plane access on the ground segment, which is a lesson for anyone who operates a fleet of remotely updatable devices.

Collateral Damage Across Europe

The cyberattack didn't just affect Ukraine. Satellite service across Europe was disrupted, including outages for tens of thousands of Internet users, and some essential infrastructure was hit: wind farm operators in Germany lost remote monitoring and control of their turbines because that link relied on ViaSat's satellite communications.

Attribution to Russian State Hackers

The EU, UK, and US governments formally attributed the attack to Russian military intelligence, specifically GRU hackers. The attackers likely intended to degrade Ukraine's command and control infrastructure during the critical early phase of the invasion.

Summary

We are on the doorstep of a new era in cyber warfare in which satellites and their networks will become prime targets. As satellites and their ground networks are essential services in our modern digital economy, attacks against these systems can be devastating.

This incident highlights the role of cyber warfare in modern conflicts and the vulnerabilities of satellite-based communications that we all should be cognizant of.

For more on Satellite Hacking, see our Satellite Hacking class, part of Subscriber Pro package.