Welcome back, my aspirational cyberwarriors!
Satellite hacking is the new frontier in cyber warfare!
Satellites are an essential infrastructure in any industrialized, digitally advanced nation. Not only do they carry radio, television, Internet and telephone calls, but they are a critical element of each nation's military infrastructure. An attacker who can interfere or degrade satellite signals will have a decided advantage in any cyberwar. Even ignoring the impact on military reconnaissance and communication, attacks against the civilian infrastructure can cause significant communication disruptions and an overwhelming psychological impact on the civilian population. As any general in any army will tell you, psychological warfare can be nearly as impactful as kinetic warfare.
DDoS
Throughout the short history of cyber warfare, DDoS attacks have been favorite initial strategy to create confusion, promote disinformation, and generate anxiety among the civilian population. Most experts (your truly among them) mark the first cyberwar as the Russian invasion in 2008 of its former Soviet state, Georgia. Before marching into South Ossetia (a region of Russian-speaking Georgia), the Russians engineered a massive DDoS attack against the digital infrastructure of Georgia. The result was communications nation-wide was degraded and the Russians were able spread disinformation on their channels. The civilian population was distraught (can you imagine waking up one day without Internet, TV, or phone?) and the resistance fractured. The Russians marched in and still occupy South Ossetia to this day in 2024.
Russia used a similar strategy against Ukraine in February 2024 with one new wrinkle, they took down the ViaSat satellite infrastructure of Ukraine and nearby regions in other European countries.
This is likely the first entry into the history satellite cyberwarfare.
Let's take a deep dive into what actually happened.
Fortinet Vulnerability
Four years earlier, a cybersecurity researcher discovered a vulnerability in the Fortinet (Fortinet is US-based cybersecurity company that sells next-generation firewalls and VPN's among other things) VPN product that leaked the passwords where an HTTP request could make a directory traversal (../../) to a directory that stored the usernames and passwords on the device. In essence, an attacker could make a HTTP request and receive the passwords if they knew where to look. This vulnerability was designated CVE-2018-13379. Note, that this was nearly a 4 year old, known vulnerability at the time of the attack.
The vulnerability was described as:
Description
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
It was rated a 9.8 or critical. In plain language, this vulnerability allows the attack to navigate from the default directory to another directory that includes the username and password.
The Russians, likely the GRU in St. Petersburg, were able to use this vulnerability to gain access to a ViaSat management console in Turin, Italy.
If the folks in Turin had been doing their cyber threat intelligence (CTI) vigilantly, they would have noticed this alert on X (Twitter) the day before.
Note the date. It was literally the day before Russia attacked and the IP address of the scanner is from St. Petersburg, Russia.
Once the intruders gained access to the ViaSat management console, they proceeded to upload malware to the end user's network consoles via the satellite. This is the functionality that would normally be used to upgrade or update the firmware on the user's network device/router. This malware then proceeded to wipe parts of memory from the firmware rendering the terminals useless for receiving the satellite communications.
Collateral Damage Across Europe
The cyberattack didn't just affect Ukraine. Satellite services across Europe were disrupted, including outages for tens of thousands of internet users, and some essential infrastructure, such as wind farms in Germany, were knocked offline because they relied on ViaSat’s satellite communications.
Attribution to Russian State Hackers
Cybersecurity agencies, including the EU, UK, and US, attributed the attack to Russian military intelligence, specifically GRU hackers. The attackers likely intended to degrade Ukraine’s command and control infrastructure during the critical early phase of the invasion.
Summary
We are on the doorstep of a new era in cyber warfare where satellites and their networks will become prime targets. As their satellites and their networks are essential services in our modern digital economy, attacks against these systems can be devastating.
This incident highlights the role of cyber warfare in modern conflicts and the vulnerabilities of satellite-based communications that we all should cognizant of.
For more on Satellite Hacking, see our Satellite Hacking class, part of Subscriber Pro package.