
Clémence Poirier shares her report from the Viasat attack during the war in Ukraine. Hacking the Cosmos: Cyber operations against the space sector.
Maria Varmazas
You're listening to the N2K space network.
Maria Varmazas
A few hours prior to the Russian invasion of Ukraine on February 24, 2022, Russia's military intelligence launched a cyberattack against Viasat's KA-SAT satellite network, which was used by the Ukrainian armed forces. It prevented them from using satellite communications to respond to the invasion. After the Viasat attack, numerous cyber operations were conducted against the space sector from both sides of the conflict. What have we learned since the Viasat attack? Welcome to T-Minus Deep Space from N2K Networks. I'm Maria Varmazas. Clemence Poirier is a senior cyber defense researcher at the Center for Security Studies at ETH Zurich. She's written a report on the Viasat cybersecurity attack during the war in Ukraine called Hacking the Cosmos: Cyber Operations against the Space Sector.
Clemence Poirier
I'm Clemence Poirier. I'm currently a senior cyber defense researcher at the Center for Security Studies at ETH Zurich in Switzerland, and I'm mainly doing research about cybersecurity in outer space. And prior to that I was a research fellow seconded by CNES, the French space agency, at the European Space Policy Institute in Vienna, Austria, and my background is more in international relations.
Maria Varmazas
Fantastic. Well, thank you so much for joining me today and congratulations on this study that you have just released out into the world. A really fascinating look at cybersecurity in space, but very much more specifically, I don't want to give it away. I'd rather you describe it than me. But tell me a bit about this study that you did. Let's talk about that.
Clemence Poirier
Yes, sure. So basically, I think we can go back to 2022, because when the war in Ukraine started, of course, the invasion actually started with a cyber attack against the satellite, which is the now infamous Viasat hack. And prior to this, there was very little interest from the space sector for cybersecurity issues. And it was a bit overlooked, whether it's from engineers or the industry or public policies. So nobody really paid so much attention to that. And the threat was a bit overlooked as well. But when the Viasat attack happened, it was a bit of something like the parallel war for the space industry. In some ways, it was really a wake-up call. So I decided back then to analyze this attack and analyze what happened, but also what that meant for Ukrainian armed forces and their ability to respond to the invasion, but also all the ripple effect that this attack created across Europe and what it also meant for the European space sector. And after this first attack, I asked myself, okay, how many other attacks affected space systems in this conflict? Because everyone saw how Starlink is used to conduct military operations there, but also used by the civilian population, and how it's a central aspect of accessing connectivity there, but also how satellite images are used, how navigation, so GPS are used in the conflict. So I asked myself, naturally there would be probably a lot of operation against space systems, so I decided to look into that. And so I crawled through hundreds and hundreds of Telegram channels, Twitter accounts, hacker forums, and a bit weird websites, to be honest, and try to see and map groups that took sides in the conflict, because that's a big trend that happened in this war. Hacktivist groups popped up and took sides in the conflict. And I decided to check how they would talk about space, how they would talk about attacking the satellites or the space sectors or space companies.
And so I mapped hundreds of groups and I found 124 cyber operations that targeted the space sector in the context of the war. So by groups that either took side in the conflict or claimed that the attack was related to the conflict directly. And so that's the main finding of the report.
Maria Varmazas
Okay, that's fascinating. There's so much there I want to dig into. So I think it's been really fascinating how much that Viasat attack really changed the conversation about space cybersecurity. I think previously to that there was a sense of, I'm not a military asset, I don't need to worry about it, or I'm in compliance with government security standards, so I'm fine, or nobody's targeting me. This is not an issue. The conversation has completely changed since then, and especially with commercial players, as you mentioned, with Starlink and obviously Viasat as well, there is a whole level of complexity that is there. I am so fascinated that you not only looked at the attack itself, but also what came after in those conversations, because that's been actually a huge question I have had in the last two plus years. Is for adversaries, for threat actors, how has the conversation changed for them? What are they saying? Do they still see, do they see space as a domain where they feel that they can, you know, make an impact, for lack of better term, poor terminology on my part. But what did you see from those conversations, you know, on all sides of the conflict, is this, is this a domain where people feel comfortable and what kind of attacks are they? Are they trying to leverage? Are they all similar? Are there a lot of different tactics being deployed? I'm sorry, I have so many questions. I'm so fascinated here.
Clemence Poirier
What I first noticed is that those hacker groups on their Telegram channels, hacker forums, Twitter accounts, they really see space as a topic of fascination. So they really use space as a way to gather their communities and their members and create online engagement. So they very often talk about space exploration or whatever is in the news in space. They sometimes share fun facts, like the first time that coffee was brewed on the ISS, or this kind of things that you would not really expect on a hacktivist group communication channel.
Maria Varmazas
They're nerds at heart.
Clemence Poirier
Exactly. And that's very funny because you don't see that about other sectors of the economy, but they also see space as an ultimate challenge and something that would bring a lot of media attention if they succeed. That is something that is perceived as more difficult to hack. So you see some groups that talk almost in a childish way, like, oh, can we hack a satellite? Should we hack a NASA satellite? And so they discuss about whether that's feasible or not, and they really see this as the final frontier for their cyber operations.
Maria Varmazas
Notoriety. Yeah. Yep.
Clemence Poirier
Yes, that's. That's definitely how it's perceived. But at the same time, when you look at their operations against the space sector, you also see that there's. There are no groups that are specialized or entirely dedicated at targeting the space sector. So there's not one group that only targets the space sector. All the cyber operations that I could find were random almost among bigger campaigns against specific countries. So it's quite the opposite, in fact, where they actually do not know so much about space. A lot of them say, oh, it was our first attack against satellite, or it was very complex for us to understand how the network was operating or how a satellite functions, or it was very hard to enter into the network. And so they really say acknowledge that and that difficulty. It also shows that maybe cybersecurity is a bit different in space than on Earth. And it's also interesting that Microsoft and OpenAI also disclosed that Russian hacker groups Fancy Bear also used ChatGPT to ask questions about how satellite communication functions and how to target them. So they didn't specify whether they could link it to an actual operation. But that also says that there's still a knowledge gap for threat actors about how to enter into a space system. So the space sector is not necessarily well protected. But because the nature of the system is a bit different, it also saves the sector a little bit.
Maria Varmazas
We'll be right back.
Maria Varmazas
Yeah. So it means, sadly, it's just a matter of time and expertise gathering, which it will happen. It's always an arms race with this kind of thing. That is fascinating. Security through obscurity is helping space right now. It's amazing. But again, that is just a matter of time, sadly. I don't want to sound like a fear monger, but it's the reality. What were the nature of the attacks or at least attempted and successful? What did you see targeting the space sector?
Clemence Poirier
So I was really surprised because of course the war in Ukraine started with the Viasat attack, which was extremely complex and sophisticated with several steps in the attack. DDoS then enter into a network and wiper malware, et cetera. So it was really destructive. And that was not the case of all the attacks that followed. Most of the attacks were rather unsophisticated. So the majority were distributed denial of service, mostly on websites of space companies, space agencies or authentication portals of space services. But it's not because those were unsophisticated that they were not damaging in some ways. So sometimes just targeting the authentication portal of Starlink was enough to prevent users from using the service and accessing connectivity. So in the end they didn't really need to have to conduct highly complex sophisticated operation. A smaller percentage of operations were intrusion into satellite networks. And I could also find a lot of hack and leak operations or data breaches. But then I couldn't find any other example of wiper malware. Maybe it happened, but I just couldn't find any example with open source data.
Maria Varmazas
That makes a lot of sense. That's really a fascinating array. I always feel a little bad describing these things as fascinating because there are real damages and real lives. Especially because the conflict, the Russian, Ukrainian conflict, there are real lives at stake here. So as the war continues and the landscape of what is sort of considered fair play continues to include space. Given all your findings, given what you saw, I suppose I'm asking what does this mean for folks in the space sector? What do providers need to know? What's your advice?
Clemence Poirier
So that's the good question. It's like what do we do about it now? So what we saw is that for a long time the space sector overlooked the threat. And even when cybersecurity companies would notice unpatchable vulnerabilities in a lot of user modems or ground station and would raise the issue with the industry, they wouldn't really do much about it. They wouldn't really care or be aware of the potential damaging aspect of the threat. So I think now with this conflict, the industry is much more aware of the risk and understands better also what a cyber attack on a space system is. And I think they also understood that even though they might be completely civilian or fully commercial and are not whatsoever linked to a conflict or providing services to belligerent, they can still be attacked. Because most of the operation I could find were against civilian or commercial companies. In fact like 61% of the operations were against commercial entities. So, and it's not surprising considering the involvement of companies in the conflict. But it really shows that the space sector has to broaden its threat model and that the threat model changes rather quickly. So whenever you have a new customer or that one of your old customers then gets involved in an armed conflict, you are going to be attacked. It's not a matter of if, it's when. And we saw that Starlink was attacked several times, but also satellite images providers, space agencies, etc. So the space sector is a target and it doesn't really matter whether by law or under international humanitarian law, you are really a legitimate target. The threat actors, they consider them as such. So you have to protect yourself. And then what was also interesting in the study is that I could not find any example of a cyber attack targeting the satellite in orbit directly. So all the cyber attack were targeting the user segment, the ground segment, or what I call the user interface.
So like the IT environment of the company or the agency. And sometimes that was enough to create damage or to prevent a satellite system from functioning properly. So they didn't really know or need to target the satellite in orbit. So I think it's also a realization for the space industry that the systems on Earth are the ones that are going to be the most targeted and that you should protect the most. Then there are some challenges specific to space because for instance, traditional cybersecurity solutions do not work so well in space or are not necessarily adapted to the conditions of the orbital environment, because the orbital environment is naturally hostile. So you have radiations and solar flares and extreme temperatures and the far distance from Earth. So sometimes it creates impact on the cybersecurity solutions that you're going to implement. So I think there's a very good opportunities for, in the market for the space cybersecurity vertical where space cybersecurity solution adapted for space systems can be developed. There's an area of knowledge that still needs to be developed with new solutions that are truly adapted to the systems. So this is something that we see emerging. We see the emergence of startups that are specialized on space cybersecurity. It didn't exist before, so I think it's a good aspect for the industry and it can also make the space economy bigger. But then another challenge is that by law right now, space operators, they're not, they do not have to implement cybersecurity. So if you want to get a launch license to launch your satellite in orbit, you don't need to prove your cybersecurity or that you implemented any kind of cybersecurity. And most national space laws do not have any provision that integrates cybersecurity measures. So right now it's slowly changing. You have some new texts that are submitted for adoptions or new laws that were just recently adopted.
So in Europe, the NIS2 directive in the EU that now considers space as critical infrastructure requires the space sector to implement stricter cybersecurity measures. But this is a directive, so that means that EU member states have to implement that law in their national law. So this is something that is a long process that takes time and that also means that those strict cybersecurity requirements, they're also very general, they're not necessarily adapted to the space sector. So the state and probably the industry will have to work together on how to implement this in the best way. So that's definitely a challenge.
Maria Varmazas
Yes, absolutely. Yeah. It's fascinating that you've identified that there's that knowledge gap, both in terms of the defenders that the market can benefit from with the growing space cyber market, which I'm always fascinated to watch as people are trying to fill that gap because there aren't a lot of people who understand it very well, or at least well enough to be prescriptive in helping companies harden their assets, but especially on the attacker side. Again, there's that knowledge gap, but inevitably people will figure it out and it's a matter of, I suppose, who gets there first. Hopefully the defenders, but for everyone's sake. But it is fascinating to see people are going to go after the easiest targets first and ground systems and ground based infrastructure is still the easiest. So that's what they're going to go for. The fascinating insights Clemence, I really appreciate that you went through and looked at years worth of information because again, you've answered a question I have been having for some time is what happened after that attack? What has the discussion been? So I'm thrilled that you put this information together. And the name of the report is the Cyber Defense Report. I'll make sure that we link it in our show notes as well so our audience can read it directly. So they can read your insights directly. But I really appreciate you coming on the show and sharing your insights with me and the audience as well. Thank you so so much for your time today.
Clemence Poirier
You're welcome. Thank you for having.
Maria Varmazas
That's it for T-Minus Deep Space, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. You can email us at space@n2k.com or submit the survey in the show notes. Your feedback ensures we deliver the information that keeps you a step ahead in the rapidly changing space industry. T-Minus Deep Space is produced by Alice Carouse. Our associate producer is Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. With original music by Elliot Peltzman. Our executive producer is Jennifer Iban. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kielpi is our publisher, and I'm your host, Maria Varmazas. Thanks for listening.
Episode Overview: In the November 30, 2024 episode of T-Minus Space Daily, hosted by Maria Varmazas from N2K Networks, the discussion centers on the significant cybersecurity breach against Viasat’s KA-SAT satellite network. The episode features Clemence Poirier, a senior cyber defense researcher at the Center for Security Studies at ETH Zurich, who delves into the ramifications of the attack and its broader impact on the space sector.
The episode begins with Maria Varmazas outlining the context of the Viasat attack. On February 24, 2022, just hours before Russia's invasion of Ukraine, Russia's military intelligence launched a cyberattack targeting Viasat’s KA-SAT satellite network. This breach disrupted satellite communications for the Ukrainian armed forces, severely hindering their ability to respond to the invasion.
Timestamp [02:53]
Clemence Poirier introduces herself, highlighting her role as a senior cyber defense researcher at ETH Zurich and her focus on cybersecurity in outer space. Her prior experience includes a research fellowship with the French space agency, CNES, at the European Space Policy Institute in Vienna. Poirier has authored a comprehensive report titled "Hacking the Cosmos: Cyber Operations against the Space Sector," examining the Viasat attack and its aftermath.
Timestamp [03:43]
Poirier explains that before the Viasat attack, cybersecurity was largely neglected within the space sector. This oversight extended across engineers, industry stakeholders, and public policy frameworks. The Viasat incident served as a "wake-up call," prompting increased scrutiny and awareness regarding cybersecurity vulnerabilities in space systems.
Clemence Poirier [03:43]: "Prior to the Viasat attack, there was very little interest from the space sector for cybersecurity issues. It was somewhat overlooked by engineers, the industry, and public policies."
Timestamp [07:07]
Poirier conducted an extensive analysis of cyber operations targeting the space sector during the Ukraine conflict. By monitoring various online platforms, including Telegram channels, Twitter accounts, and hacker forums, she identified 124 cyber operations aimed at the space sector. These operations were primarily conducted by groups aligned with the conflict, often labeled as hacktivist groups.
Key Findings:
Clemence Poirier [10:24]: "There are no groups that are specialized or entirely dedicated to targeting the space sector. All the cyber operations I could find were random, almost among bigger campaigns against specific countries."
Timestamp [14:34]
Poirier contrasts the initial sophisticated Viasat attack with subsequent less complex operations. While the Viasat breach involved multiple stages, including DDoS and malware deployment, later attacks were mostly unsophisticated DDoS assaults. Despite their simplicity, these attacks had tangible impacts, such as disrupting Starlink’s authentication portals, thereby denying users access to crucial connectivity services.
Additional Insights:
Clemence Poirier [16:26]: "I could not find any example of a cyber attack targeting the satellite in orbit directly. All the cyber attacks were targeting the user segment, the ground segment, or what I call the user interface."
Timestamp [17:01]
Poirier discusses the critical lessons for the space industry:
Clemence Poirier [17:01]: "The space sector has to broaden its threat model and that the threat model changes rather quickly. Whenever you have a new customer or one of your old customers gets involved in an armed conflict, you are going to be attacked."
Poirier emphasizes the importance of proactive measures:
Clemence Poirier [17:01]: "There is an area of knowledge that still needs to be developed with new solutions that are truly adapted to the systems. This is something that we see emerging."
The episode concludes with Maria Varmazas highlighting the significance of Poirier’s findings, underscoring the urgent need for the space sector to enhance its cybersecurity framework. By addressing vulnerabilities in ground systems and embracing specialized cybersecurity solutions, the industry can better protect itself against evolving cyber threats.
Maria Varmazas [23:30]: "It's fascinating that you've identified that there's that knowledge gap, both in terms of the defenders that the market can benefit from with the growing space cyber market... But it is fascinating to see people are going to go after the easiest targets first and ground systems and ground-based infrastructure is still the easiest. So that's what they're going to go for."
Access the Full Report: For a comprehensive understanding of the cyber operations against the space sector, listeners are encouraged to read Clemence Poirier’s report, "Hacking the Cosmos: Cyber Operations against the Space Sector," available through N2K Networks.
About the Hosts and Production Team: T-Minus Space Daily is produced by Alice Carouse, with associate production by Liz Stokes. The mixing is handled by Elliot Peltzman and Trey Hester, featuring original music by Elliot Peltzman. The executive production team includes Jennifer Iban (Executive Producer), Brandon Karpf (Executive Editor), Simone Petrella (President), and Peter Kielpi (Publisher). Host Maria Varmazas guides listeners through the intricacies of the space industry’s evolving landscape.