The cyber-attack on US firm Viasat’s KA-SAT satellites in Ukraine on February 24, 2022, prompted one of the largest formal attributions of a cyber-attack to a nation-state in history. Nearly 20 countries accused Russia of being responsible, including a dozen EU member states and the Five Eyes countries (US, UK, Australia, New Zealand and Canada).
This cyber intrusion, which preceded Russia’s invasion of its neighbor by just a few hours, was thoroughly discussed during the third edition of CYSAT, an event dedicated to cybersecurity in the space industry that took place in Paris, France on April 26-27, 2023.
AcidRain, as the cyber-attack is commonly known, had a limited impact on Ukraine’s military operations as Viasat’s satellites were only used as a backup system. However, there are many lessons we can learn from it, the deputy chairman of Ukraine’s State Service of Special Communications (SSSCIP) General Oleksandr Potii, said during CYSAT.
1. AcidRain Exploited a Known Vulnerability
The attack happened in three stages, with the attackers first running a denial of service (DoS) against internet modems located in Ukraine. This allowed them to enter a ground-based satellite network on which Viasat’s KA-SAT were running – and operated by Eutelsat’s subsidiary Skylogic – by exploiting a vulnerability in a Fortinet virtual private network (VPN). With access to the management system of this ground-based network, they then deployed wiper malware to erase the hard drives of the modems, disconnecting them from the KA-SAT network.
In another CYSAT presentation, Clemence Poirier, a research fellow at the European Space Policy Institute (ESPI), mentioned that at least one vulnerability the attackers exploited to conduct the hack – which was on the Technical Report 069 (TR-069) protocol, used for remote management and provisioning of telecommunication terminals connected to the internet – was uncovered in 2019 in Fortinet VPN terminals and has been used by Russian threat actors many times since.
“If we look at other cyber-attacks on telecommunication satellites since the outbreak of the war, including Russian threat actors’ repetitive attempts to jam SpaceX’s Starlink terminals, we see many similarities with the Viasat attack,” Poirier said during CYSAT.
“When you look at all cyber-attacks targeting the space industry, most started from a compromised supplier of the alleged victim. The supply chain has become the weakest link in the industry, and cybersecurity companies have been warning space telecommunication providers for many years. I recommend IOActive’s reports, in which its researchers found vulnerabilities similar to the one used in the Viasat case.”
While he did not provide any details on forensics, General Potii acknowledged that the space sector needs to improve its cybersecurity posture. “There are way too many unpatched vulnerabilities used in this industry,” he said.
2. Post-Incident Communication is Key
Over a year on, there still needs to be more information on the attack, Poirier regretted. “There’s only a statement from Viasat but nothing from Eutelsat or Skylogic.”
This limits the reach of technical forensics, where the only data can be based on threat intelligence providers and security researchers and hinder a better incident response to similar attacks in the future.
"Communication about an attack is often as important as incident response itself, and the lack of information can make it very malleable,” Poirier added.
3. Cybersecurity Risk in the Space Sector Finally Acknowledged in Europe
According to Poirier, the Viasat attack helped policymakers better acknowledge that commercial telecommunication satellite systems are easy targets for threat actors, especially during armed conflicts.
However, she added that improvement was already underway before the Viasat attack and the cyber conflict in Ukraine.
First, the EU started implementing changes to improve the space industry’s cybersecurity posture with the second phase of the Network & Information Systems (NIS2) directive, proposed in 2021 and adopted in November 2022.
“Within NIS2, space is now considered critical infrastructure for the first time, which will allow the regulators to mandate the space sector to implement more cybersecurity measures,” Poirier said.
While she called this “a good step forward,” she warns that because NIS2 is a directive, it might take a long time to be translated into law in EU member-states. Therefore, space companies will need the willingness and much help to comply to see any improvement.
Read more: Threat Intelligence: The Role of Nation-States in Attributing Cyber-Attacks
“If you look at all national space laws today, none requests someone who wants to launch a telecommunication satellite to implement any cybersecurity. So, I think each nation-state should work on including cybersecurity provisions in their requirements.”
The researcher is not the only one arguing this, she told Infosecurity. “BSI, Germany’s cybersecurity agency, recently published an analysis on cybersecurity threats, including to the space sector. I know that France has started a public consultation to update the 2008 law on space operations and could add more cybersecurity measures. Even the EU is working on a space law in which cybersecurity provisions could be included,” she said.
Second, the EU Commission and the EU Agency for the Space Programme (EUSPA) are going to launch the first space-focused Information Sharing and Analysis Center (ISAC) in 2024, which will also help private space companies collaborate in cybersecurity.
Finally, Poirier noted that IRIS2, the EU’s future multi-orbit constellation, “has been designed with cybersecurity in mind from the beginning.”
4. Segregating Between Military and Civilian Infrastructure
On top of improving the cybersecurity posture of the whole space industry, nation-states should also start better segregating between military and civilian infrastructure, Poirier argued at CYSAT.
Today, with the emergence of new space technologies, around 80% of telecommunication satellites used by the armies are coming from commercial companies.
Because these are not always well protected against cyber-attacks, they are increasingly attractive targets. “They’re even more attractive than military infrastructure, which is used to being attacked, and thus generally better protected. And, at the beginning of the war in Ukraine, some space companies voiced their concerns of a lack of a clear process for responding and reporting an attack,” she said.
5. Building a Sovereign Telco Satellite Industry, a New Priority for Europe
As mentioned previously, one commercial company, Elon Musk’s SpaceX, has played a significant role in providing a reliable connection to Ukraine’s civilians and military, General Potii said during CYSAT. “SpaceX ‘s Starlink satellite system helped Ukrainians access emergency and critical services, such as hospitals, fire brigades or social services. Today, we are working with Starlink’s representatives in Ukraine to expand the service’s future capabilities.”
However, General Potii didn’t mention that Elon Musk was not willing to provide this service for free forever. At multiple times in 2022 and early 2023, the billionaire claimed his company would not be able to sustain funding for Starlink’s service in Ukraine any longer, unless the US military provided tens of millions of dollars of support per month.
“I don’t think developing domestic satellites is on Ukraine’s list of priorities at the moment, but such an event makes a great case for the EU to have its own constellation,” Poirier concluded.