Maria Varmazis
You're listening to the CyberWire network powered by N2K. Happy holidays from all of us here at N2K Networks. We're taking some time off to spend with our families and we'll be sharing some of our radio programs and repeat episodes during this time for you to enjoy. We will resume our daily briefing on January 2nd. Happy New Year.
Unknown Sponsor Voice
Identity architects and engineers: simplify your identity management with Strata. Securely integrate non-standard apps with any IdP, apply modern MFA and ensure seamless failover during outages. Strata helps you avoid app refactoring and reduces legacy tech debt, making your identity systems more robust and efficient. Strata does it better and at a better price. Experience stress-free identity management and join industry leaders in transforming their identity architecture with Strata. Visit strata.io/cyberwire, share your identity challenge and get a free set of AirPods Pro. Revolutionize your identity infrastructure now. Visit strata.io/cyberwire. And our thanks to Strata for being a longtime friend and supporter of this podcast.
Maria Varmazis
A few hours prior to the Russian invasion of Ukraine on February 24, 2022, Russia's military intelligence launched a cyber attack against Viasat's KA-SAT satellite network, which was used by the Ukrainian armed forces. It prevented them from using satellite communications to respond to the invasion. After the Viasat attack, numerous cyber operations were conducted against the space sector from both sides of the conflict. What have we learned since the Viasat attack? Welcome to T-Minus Deep Space from N2K Networks. I'm Maria Varmazis. Clemence Poirier is a senior cyber defense researcher at the Center for Security Studies at ETH Zurich. She's written a report on the Viasat cybersecurity attack during the war in Ukraine called Hacking the Cyber Operations against the Space Sector.
Clemence Poirier
I'm Clemence Poirier. I'm currently a senior cyber defense researcher at the Center for Security Studies at ETH Zurich in Switzerland, and I'm mainly doing research about cybersecurity in outer space. And prior to that I was a research fellow seconded by CNES, a French space agency, at the European Space Policy Institute in Vienna, Austria, and my background is more in international relations.
Maria Varmazis
Fantastic. Well, thank you so much for joining me today and congratulations on this study that you have just released out into the world. A really fascinating look at cybersecurity in space, but very much more specifically. I don't want to give it away, I'd rather you describe it than me. But tell me a bit about this study that you did. Let's talk about that.
Clemence Poirier
Yes, sure. So basically I think we can go back to 2022, because when the war in Ukraine started, of course, the invasion actually started with a cyber attack against the satellite, which is the now infamous Viasat attack. And prior to this, there was very little interest from the space sector for cybersecurity issues. And it was a bit overlooked, whether it's from engineers or the industry or public policies. So nobody really paid so much attention to that. And the threat was a bit overlooked as well. But when the Viasat attack happened, it was a bit of something like the parallel war for the space industry. In some ways, it was really a wake-up call. So I decided back then to analyze this attack and analyze what happened, but also what that meant for Ukrainian armed forces and their ability to respond to the invasion, but also all the ripple effect that this attack created across Europe and what it also meant for the European space sector. And after this first attack, I asked myself, okay, how many other attacks affected space systems in this conflict? Because everyone saw how Starlink is used to conduct military operations there, but also used by the civilian population, and how it's a central aspect of accessing connectivity there, but also how satellite images are used, how navigation, so GPS are used in the conflict. So I asked myself, naturally there would be probably a lot of operations against space systems, so I decided to look into that. And so I crawled through hundreds and hundreds of Telegram channels, Twitter accounts, hacker forums, and a bit weird websites, to be honest, and try to see and map groups that took sides in the conflict, because that's a big trend that happened in this war. Hacktivist groups popped up and took sides in the conflict. And I decided to check how they would talk about space, how they would talk about attacking the satellites or the space sectors or space companies.
And so I mapped hundreds of groups and I found 124 cyber operations that targeted the space sector in the context of the war. So by groups that either took sides in the conflict or claimed that the attack was related to the conflict directly. And so that's the main finding of the report.
Maria Varmazis
Okay, that's fascinating. There's so much there I want to dig into. So I think it's been really fascinating how much that Viasat attack really changed the conversation about space cybersecurity. I think previously to that there was a sense of, I'm not a military asset, I don't need to worry about it, or I'm in compliance with government security standards, so I'm fine, or nobody's targeting me, this is not an issue. All the conversation has completely changed since then. And especially with commercial players, as you mentioned with Starlink and obviously Viasat as well, you know, there is a whole level of complexity that is there. I am so fascinated that you not only looked at the attack itself, but also what came after in those conversations, because that's been actually a huge question I've had in the last two plus years. Is for adversaries, for threat actors, how has the conversation changed for them? What are they saying? Do they still see, do they see space as a domain where they feel that they can, you know, make an impact, for lack of better term and poor terminology on my part? But what did you see from those conversations on, you know, on all sides of the conflict? Is this, is this a domain where people feel comfortable and what kind of attacks are they, are they trying to leverage? Are they all similar? Are there a lot of different tactics being deployed? I'm sorry, I have so many questions. I'm so fascinated here.
Clemence Poirier
What I first noticed is that those hacker groups on their Telegram channels, hacker forums, Twitter accounts, they really see space as a topic of fascination. So they really use space as a way to gather their communities and their members and create online engagement. So they very often talk about space exploration or whatever is in the news in space. They sometimes share fun facts like the first time that coffee was brewed on the ISS, or this kind of things that you would not really expect on a hacktivist group communication channel.
Maria Varmazis
They're nerds at heart.
Clemence Poirier
Exactly. And that's very funny because you don't see that about other sectors of the economy. But they also see space as an ultimate challenge and something that would bring a lot of media attention if they succeed. That is something that is perceived as more difficult to hack. So you see some groups that talk almost in a childish way, like, oh, should we, can we hack a satellite? Should we hack a NASA satellite? And so they discuss about whether that's feasible or not. And they really see this as the final frontier for their cyber operations.
Maria Varmazis
Notoriety. Yeah.
Clemence Poirier
Yes, that's definitely how it's perceived. But at the same time, when you look at their operations against the space sector, you also see that there are no groups that are specialized or entirely dedicated at targeting the space sector. So there's not one group that only targets the space sector. All the cyber operations that I could find were random almost among bigger campaigns against specific countries. So it's quite the opposite, in fact, where they actually do not know so much about space. A lot of them say, oh, it was our first attack against satellite, or it was very complex for us to understand how the network was operating or how a satellite functions or it was very hard to enter into the network. And so they really say, acknowledge that and that difficulty. It also shows that maybe cybersecurity is a bit different in space than on Earth. And it's also interesting that Microsoft and OpenAI also disclosed that Russian hacker groups Fancy Bear also used ChatGPT to ask questions about how satellite communication functions and how to target them. So they didn't specify whether they could link it to an actual operation. But that also says that there's still a knowledge gap for threat actors about how to enter into space systems. So the space sector is not necessarily well protected, but because the nature of the system is a bit different, it also saves the sector a little bit.
Maria Varmazis
We'll be right back.
Unknown Sponsor Voice
And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.
Maria Varmazis
Yeah, so it means sadly it's just a matter of time and expertise gather which it will happen. It's always an arms race with this kind of thing. That is fascinating. Security through obscurity is helping space right now. It's amazing. But again, that is just a matter of time, sadly. I don't want to sound like a fear monger, but it's the reality. What were the nature of the attacks, or at least attempted and successful? What did you see targeting the space sector?
Clemence Poirier
So I was really surprised because of course the war in Ukraine started with the Viasat attack, which was extremely complex and sophisticated, was several steps in the attack. DDoS, then enter into a network and wiper malware, et cetera. So it was really destructive. And that was not the case of all the attacks that followed. Most of the attacks were rather unsophisticated, so the majority were distributed denial of service, mostly on websites of space companies, space agencies or authentication portals of space services. But it's not because those were unsophisticated that they were not damaging in some ways. So sometimes just targeting the authentication portal of Starlink was enough to prevent users from using the service and accessing connectivity. So in the end they didn't really need to have to conduct highly complex sophisticated operation. A smaller percentage of operations were intrusion into satellite networks. And I could also find a lot of hack and leak operations or data breaches. But then I couldn't find any other example of wiper malware. Maybe it happened, but I just couldn't find any example with open source data.
Maria Varmazis
That makes a lot of sense. That's really a fascinating array. I always feel a little bad describing these things as fascinating because there are real damages and, you know, real lives. Especially because the conflict, the Russian-Ukrainian conflict. There are real lives at stake here. So as the war continues and the landscape of what is sort of considered fair play continues to include space, given all your findings, given what you saw, I suppose I'm asking what does this mean for folks in the space sector? What do providers need to know? What's your advice?
Clemence Poirier
So that's the good question, is like, what do we do about it now? So what we saw is that for a long time the space sector overlooked the threat. And even when cybersecurity companies would notice unpatchable vulnerabilities in a lot of user modems or ground station and would raise the issue with the industry, they wouldn't really do much about it. They wouldn't really care or be aware of the potential damaging aspect of the threat. So I think now with this conflict, the industry is much more aware of the risk and understands better also what a cyber attack on a space system is. And I think they also understood that even though they might be completely civilian or fully commercial and are not whatsoever linked to a conflict or providing services to belligerent, they can still be attacked. Because most of the operations I could find were against civilian or commercial companies. In fact, like 61% of the operations were against commercial entities. So it is not surprising considering the involvement of companies in the conflict. But it really shows that the space sector has to broaden its threat model and that the threat model changes rather quickly. So whenever you have a new customer or that one of your old customers then gets involved in an armed conflict, you are going to be attacked. It's not a matter of if, it's when. And we saw that Starlink was attacked several times, but also satellite images providers, space agencies, et cetera. So the space sector is a target. And it doesn't really matter whether by law or under international humanitarian law, you are really a legitimate target. The threat actors, they consider them as such. So you have to protect yourself then. What was also interesting in the study is that I could not find any example of a cyber attack targeting the satellite in orbit directly. So all the cyber attacks were targeting the user segment, the ground segment, or what I called the user interface.
So like the IT environment of the company or the agency. And sometimes that was enough to create damage or to prevent a satellite system from functioning properly. So they didn't really know or need to target the satellite in orbit. So I think it's also a realization for the space industry that the systems on Earth are the ones that are going to be the most targeted and that you should protect the most. Then there are some challenges specific to space because for instance, traditional cybersecurity solutions do not work so well in space or are not necessarily adapted to the conditions of the orbital environment. Because the orbital environment is naturally hostile. So you have radiations and solar flares and extreme temperatures and the far distance from Earth. So sometimes it creates impact on the cybersecurity solutions that you're going to implement. So I think there's a very good opportunities in the market for the space cybersecurity vertical where space cybersecurity solution adapted for space systems can be developed. There's an area of knowledge that still needs to be developed with new solutions that are truly adapted to those systems. So this is something that we see emerging. We see the emergence of startups that are specialized on space cybersecurity. It didn't exist before, so I think it's a good aspect for the industry and it can also make the space economy bigger. But then another challenge is that by law, right now, space operators, they do not have to implement cybersecurity. So if you want to get a launch license to launch your satellite in orbit, you don't need to prove your cybersecurity or that you implemented any kind of cybersecurity. And most national space laws do not have any provision that integrates cybersecurity measures. So right now it's slowly changing. You have some new texts that are submitted for adoption or new laws that were just recently adopted.
So in Europe, the NIS2 Directive in the EU that now considers space as critical infrastructure, requires the space sector to implement stricter cybersecurity measures. But this is a directive, so that means that EU member states have to implement that law in their national law. So this is something that is a long process that takes time and that also means that those strict cybersecurity requirements, they're also very general, they're not necessarily adapted to the space sector. The state and probably the industry will have to work together on how to implement this in the best way. So that's definitely a challenge.
Maria Varmazis
Yes, absolutely. Yeah. It's fascinating that you've identified that there's that knowledge gap, both in terms of the defenders that the market can benefit from, as with the growing space cyber market, which I'm always fascinated to watch as people are trying to fill that gap, because there aren't a lot of people who understand it very well, or at least well enough to be prescriptive in helping companies harden their assets. But especially on the attacker side, again, there's that knowledge gap, but inevitably people will figure it out and it's a matter of, I suppose, who gets there first. Hopefully the defenders, but for everyone's sake. But it is fascinating to see, you know, people are going to go after the easiest targets first and ground systems and ground-based infrastructure is still the easiest. So that's what they're going to go for. The fascinating insights. Clemence, I really appreciate that you went through and looked at years' worth of information because again, you've answered a question I have been having for some time is what happened after that attack? What, what has the discussion been? So I'm thrilled that you put this information together and the name of the report is the Cyber Defense Report. I'll make sure that we link it in our show notes as well so our audience can read it directly. So they can read your insights directly. But I really appreciate you coming on the show and sharing your insights with me and the audience as well. Thank you so, so much for your time today.
Clemence Poirier
You're welcome. Thank you for having.
Maria Varmazis
That's it for T-Minus Deep Space, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. You can email us at space@n2k.com or submit the survey in the show notes. Your feedback ensures we deliver the information that keeps you a step ahead in the rapidly changing space industry. T-Minus Deep Space is produced by Alice Carruth. Our associate producer is Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm your host, Maria Varmazis. Thanks for listening.
Podcast Summary: CyberWire Daily - Lessons from the Viasat Cybersecurity Attack
Maria Varmazis opens the episode by discussing the significant cyberattack launched by Russia's military intelligence against Viasat's KA-SAT satellite network. This attack occurred just hours before the Russian invasion of Ukraine on February 24, 2022, effectively disrupting Ukrainian armed forces' satellite communications during the critical initial phase of the invasion.
Clemence Poirier provides an overview of her comprehensive study titled "Hacking the Cyber Operations against the Space Sector." Her research delves into the ramifications of the Viasat attack and examines subsequent cyber operations targeting the space sector amid the Ukraine conflict.
Notable Quote:
Clemence Poirier [03:35]: "So I decided to look into that. And so I crawled through hundreds and hundreds of telegram channels, Twitter accounts, hacker forums, and a bit weird websites, to be honest, and try to see and map groups that took sides in the conflict... I found 124 cyber operations that targeted the space sector in the context of the war."
Maria highlights the shift in how the space sector perceives cybersecurity post-Viasat attack. Previously, many in the sector underestimated the risk, assuming compliance with government standards sufficed. However, the Viasat incident has dramatically altered this perception, bringing commercial entities like Starlink and Viasat into the cybersecurity spotlight.
Notable Quote:
Clemence Poirier [08:26]: "They really see space as an ultimate challenge and something that would bring a lot of media attention if they succeed... they discuss about whether that's feasible or not."
Clemence categorizes the attacks observed during the conflict, noting a predominance of Distributed Denial of Service (DDoS) attacks targeting websites of space companies, agencies, and authentication portals. These attacks, though unsophisticated compared to the initial Viasat breach, still caused significant disruptions, such as preventing access to essential services like Starlink's connectivity.
Notable Quote:
Clemence Poirier [12:23]: "They didn't really know or need to target the satellite in orbit. So I think it's also a realization for the space industry that the systems on Earth are the ones that are going to be the most targeted and that you should protect the most."
Clemence outlines the critical lessons and recommendations for stakeholders in the space sector:
Notable Quote:
Clemence Poirier [17:35]: "The space sector is a target. And it doesn't really matter whether by law or under international humanitarian law, you are really a legitimate target. The threat actors, they consider them as such. So you have to protect yourself then."
The episode concludes with a discussion on the burgeoning market for space-specific cybersecurity solutions. As awareness grows, there's an opportunity for startups and established companies to innovate and develop robust defenses tailored to space systems' unique needs.
Notable Quote:
Clemence Poirier [17:35]: "There is a very good opportunity in the market for the space cybersecurity vertical where space cybersecurity solutions adapted for space systems can be developed."
Maria expresses appreciation for Clemence's in-depth research, highlighting the importance of understanding the evolving cyber threats against the space sector. She emphasizes the critical need for continuous monitoring and adaptation to safeguard space infrastructure amidst increasing geopolitical tensions.
Additional Information
For more insights and detailed findings, listeners are encouraged to refer to Clemence Poirier's full report on the Viasat cybersecurity attack available through N2K Networks' show notes.