3rd Party Risk Management , Access Management , Business Continuity Management / Disaster Recovery

Russia May Have Caused Widespread Satellite Network Outage

Feds Issue Satellite Network Security Alert; Viasat Saw 'Deliberate' Cyberattack
Russia May Have Caused Widespread Satellite Network Outage

One of the big surprises in Russia's war with Ukraine has been the apparent lack of sophisticated cyberattacks to prepare the battlefield or support the invasion, cybersecurity experts say.

See Also: Healthcare in The Cloud: Detecting and Overcoming Threats to Ensure Continuity & Compliance

But could Russia already be using highly targeted hack attacks? So far, Western governments have reported seeing no signs of direct hack attacks against Western critical infrastructure, such as power plants or banks, or spillover from online attacks that target Ukraine, such as out-of-control wiper malware akin to NotPetya, which Russia unleashed in 2017.

If this was happening, intelligence agencies such as the U.S. National Security Agency and Britain's GCHQ would no doubt be tracking it. But their suspicions would not necessarily be publicly divulged by the White House or allies, including Ukraine, at least immediately, depending on the risk it might pose. Rushing to attribute the attack might not offer any political benefit and could potentially reveal the sources and methods allowing Western governments to track such efforts or give Russia an excuse for further escalation.

Enter a Thursday alert from the U.S. government, warning that it is "aware of possible threats to U.S. and international satellite communication" - aka SATCOM - "networks."

The security alert, issued by the FBI and the Cybersecurity and Infrastructure Security Agency, also said that "successful intrusions into SATCOM networks could create risk in SATCOM network providers' customer environments."

Viasat Targeted

The timing of the alert is notable, given publicly available evidence already suggesting that Russia or an ally may have been targeting SATCOM networks to support its invasion.

On the morning of Feb. 24, when Russia invaded Ukraine, American communications company Viasat reported that it had suffered an online attack that disrupted access to numerous terminals. The disruption occurred at about the same time as Russian tanks began to roll over the border and missiles started hitting Ukrainian targets.

"For several days, shortly after the start of operations, we have had a satellite network that covers Europe and Ukraine in particular, which was the victim of a cyberattack, with tens of thousands of terminals that were rendered inoperative immediately after the attack," Gen. Michel Friedling, head of France's Space Command, told AFP.

That attack has not been attributed to any group or government. But security experts say that some Ukrainian weapons systems and defenses may rely on satellite-based communications for command and control.

One knock-on effect of the Viasat outage was that it disrupted about 5,800 wind turbines operated by Germany's Enercon across central Europe, Reuters reported. The operational technology impact prevented remote monitoring and control of the turbines.

"The exact cause of the disruption is not yet known," Enercon reported on Feb. 28, before the Viasat outage became known. "The communication services failed almost simultaneously with the start of the Russian invasion of Ukraine."

Viasat subsequently reported on March 1 that the "partial network outage" was "impacting internet service for fixed broadband customers in Ukraine and elsewhere" that rely on the Viasat telecommunications satellite known as KA-SAT, which serves 55 countries across Europe and part of the Middle East. It blamed the disruption on a "cyber event" that it said remained under investigation.

Remediation Continues

More than two weeks later, some users continued to report that their modems remained nonoperational. A Viasat spokesperson tells Information Security Media Group that as of March 4, the network had been "stabilized" and the company was "restoring service and activating terminals as quickly as possible."

As of March 11, Viasat tells ISMG, it was continuing to work with law enforcement officials, government investigators and an unnamed, third-party cybersecurity firm to probe what it said appeared to be "a deliberate, isolated and external cyber event" that continued to cause disruptions. Reuters first reported that the disruption was being probed by both the U.S. National Security Agency and France's National Cybersecurity Agency, aka ANSSI.

"There is no evidence to date of any impairment to the KA-SAT satellite, core network infrastructure or gateways due to this incident. Reports claiming that all terminals have been rendered permanently inoperable are not accurate. Further, there is no evidence customer data was compromised," Viasat says.

"Viasat is actively working with distributors to restore service for those fixed broadband users in Europe impacted by this event, with a priority focus on critical infrastructure and humanitarian assistance," it adds.

Risks to SATCOM Networks

What has been the impact of the disruption?

On Tuesday, Victor Zhora, deputy chairman of The State Service of Special Communications and Information Protection of Ukraine, told journalists that the disruption was "a really huge loss in communications in the very beginning of war," as Reuters reported of his press conference.

"That's probably all that I can say on this particular case," Zhora added.

The list of potential culprits appears limited, with Russia or its ally Belarus being obvious candidates.

CISA and FBI Issue Security Alert

The CISA and FBI alert urges all SATCOM network users and providers to take multiple steps to protect themselves, including using strong authentication and encryption and enforcing the concept of least privilege. It also urges providers to use "additional monitoring at ingress and egress points to SATCOM equipment to look for anomalous traffic."

Source: CISA and FBI alert: "Strengthening Cybersecurity of SATCOM Network Providers and Customers"

For more information on risks to SATCOM networks, the U.S. government alert issued this week references the U.S. intelligence community's Annual Threat Assessment, released last month. It says that China and Russia are both pursuing capabilities that would allow them to disrupt satellite networks as well as C4ISR, which refers to command, control, communications, computers - aka C4 - and intelligence, surveillance and reconnaissance - aka ISR.

"Russia is investing in electronic warfare and directed energy weapons to counter Western on-orbit assets," the report says. "These systems work by disrupting or disabling adversary C4ISR capabilities and by disrupting GPS, tactical and satellite communications, and radars."

Meanwhile, experts have warned that as Russia's invasion of Ukraine continues, the Russian government may yet escalate on the cyber front.

The Limits of Attribution

As noted, attribution remains a political exercise. Namely, governments typically only attribute cyberattacks if there's a useful reason for doing so. Where the U.S. and U.K. are concerned, in the past this has included attempting to name and shame the government sponsoring such attacks, as in the case of North Korean hackers targeting Sony (see: Cybersecurity Coordinator: Don't 'Waste a Crisis').

Likewise, government cybersecurity authorities have issued multiple alerts tied to Russian-sponsored attacks, including the widespread compromise of home routers as part of apparent attack prepositioning efforts (see: Turla Teardown: Why Attribute Nation-State Attacks?).

The CISA and FBI alert, meanwhile, shows that the U.S., French and other intelligence agencies have been closely tracking recent satellite network disruptions and expect to see more of them as Russia's war with Ukraine continues.

Accordingly, the alert calls on all organizations that provide or use satellite communications networks not just to better protect themselves but also to report any suspicious activity. "Given the current geopolitical situation, CISA's Shields Up initiative requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity," it says.


Update (March 21): Story updated to include details of wind turbine outage in central Europe.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.