The February 24, 2022 cyberattack on the KA-SAT satellite of the US company Viasat in Ukraine prompted one of the largest official attributions of a cyberattack to a nation in history. Nearly 20 countries, including 12 EU member states and the Five Eyes member states (US, UK, Australia, New Zealand and Canada), have accused Russia of responsibility.
The cyber intrusion came just hours before Russia’s invasion of its neighbor. It was thoroughly discussed at the second edition of CYSAT, an event dedicated to cybersecurity in the space industry held in Paris, France, on April 26-27, 2023.
The cyberattack, commonly known as AcidRain, had limited impact on Ukrainian military operations because Viasat’s satellites were used only as a backup system. But there are many lessons to be learned from it, General Oleksandr Potii of Ukraine’s State Special Communications Service (SSSCIP) said at CYSAT.
1. AcidRain exploits known vulnerabilities
The attack was carried out in three stages. The attackers first performed a denial of service (DoS) against an Internet modem located in Ukraine. They then exploited a vulnerability in Fortinet’s virtual private network (VPN) to infiltrate the ground-based satellite network that runs Viasat’s KA-SAT, operated by Eutelsat subsidiary Skylogic. Finally, they accessed this terrestrial network’s management system, deployed wiper malware, wiped the modem’s hard drive, and disconnected it from the KA-SAT network.
In a separate CYSAT presentation, European Space Policy Institute (ESPI) Research Fellow Clemence Poirier said the attackers exploited at least one vulnerability to carry out the hack. For remote management and provisioning of Internet-connected communication terminals.
Poirier told CYSAT, “If you look at other cyberattacks on communications satellites since the outbreak of war, including attempts by Russian threat actors to sabotage SpaceX’s Starlink terminals, I know there are many similarities to the Viasat attack.”
“If you look at all the cyber-attacks targeting the space industry, most of them started with the alleged supplier. The supply chain has become the weakest link in the industry, and cybersecurity companies have been alerting space communications providers. We recommend the IOActive report, where its researchers found vulnerabilities similar to those used in the Viasat case.”
Although he did not provide details of the forensic investigation, General Potii acknowledged that the space sector needs to improve its cybersecurity posture. “There are too many unpatched vulnerabilities in use in this industry,” he said.
2. Post-incident communication is key
More than a year later, Poirier regrets that more information about the attack is still needed. “There is only a statement from Viasat, nothing from Eutelsat or Skylogic.”
This limits the scope of technical forensics, since the only data available comes from threat intelligence providers and security researchers, and it prevents better incident response for similar attacks in the future.
“Communication about an attack is often as important as the incident response itself, and the lack of information can be very malleable,” Poirier added.
3. Cybersecurity risks in the space sector finally recognized in Europe
According to Poirier, the attack on Viasat helped policymakers better recognize that commercial communications satellite systems are attractive targets for threat actors, especially during armed conflicts.
But she added that improvements were already underway before the Viasat attack and the cyber conflict in Ukraine.
First, the EU started implementing changes to improve the cybersecurity posture of the space industry in the second iteration of the Network & Information Systems Directive (NIS2), proposed in 2021 and adopted in November 2022.
“Within NIS2, space is now considered critical infrastructure for the first time, allowing regulators to mandate more cybersecurity measures in the space sector,” said Poirier.
She called it a “good step” but warned that since NIS2 is a directive, it could take a long time before it is translated into law in EU member states. Space companies therefore need a willingness to comply and a lot of help to see improvements.
“If you look at the space laws of all countries today, I think none require those who want to launch communications satellites to implement cybersecurity.”
Researchers aren’t the only ones making this claim, she said. “German cybersecurity agency BSI recently published an analysis on cybersecurity threats involving the space sector. Even the EU is working on a space law that could include cybersecurity provisions,” she said.
Second, the EU Commission and the EU Space Program Agency (EUSPA) will launch the first space-focused Information Sharing and Analysis Center (ISAC) in 2024. This will also help private space companies collaborate on cybersecurity.
Finally, Poirier said that the EU’s future multi-orbital constellation, IRIS2, was “designed from the ground up with cybersecurity in mind.”
4. Separation of military and civilian infrastructure
At CYSAT, Poirier argued that, in addition to improving the cybersecurity posture of the space industry as a whole, states should begin to better separate military and civilian infrastructure.
Today, with the advent of new space technologies, about 80% of the communications satellites used by the military come from private companies.
They are not always well protected against cyberattacks, making them an increasingly attractive target. “They are generally better protected because they are even more attractive than military infrastructure accustomed to attack. We expressed concern about the lack of a clear process for responding and reporting,” she said.
5. Building a sovereign communications satellite industry, a new European priority
As mentioned earlier, one commercial company, Elon Musk’s SpaceX, is playing a key role in providing reliable connectivity to Ukrainian civilians and military, General Potii told CYSAT. “SpaceX’s Starlink satellite system has helped Ukrainians access emergency and critical services such as hospitals, fire brigade and social services. We are expanding the future capabilities of the service.”
However, General Potii did not mention that Elon Musk would not offer the service for free forever. From 2022 to early 2023, the billionaire repeatedly stated that his company could no longer maintain funding for its Starlink services in Ukraine unless the U.S. military provided tens of millions of dollars in support each month.
“I don’t think domestic satellite development is on Ukraine’s list of priorities at the moment, but such an event would be a great case for the EU to have its own constellation,” Poirier concluded.