SPECIAL EDITION

Lessons from the Viasat cybersecurity attack.

Clémence Poirier shares her report on the Viasat attack during the war in Ukraine, "Hacking the Cosmos: Cyber operations against the space sector."


Summary

A few hours prior to the Russian invasion of Ukraine on February 24, 2022, Russia’s military intelligence launched a cyberattack against Viasat’s KA-SAT satellite network, which was used by the Ukrainian Armed Forces. It prevented them from using satellite communications to respond to the invasion. After the Viasat hack, numerous cyber operations were conducted against the space sector from both sides of the conflict. What have we learnt from the Viasat attack? Clémence Poirier has written a report on the Viasat cybersecurity attack during the war in Ukraine, "Hacking the Cosmos: Cyber operations against the space sector."

You can connect with Clémence Poirier on LinkedIn, and read her report on this website.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign up for our weekly intelligence roundup, Signals and Space, and you’ll never miss a beat. And be sure to follow T-Minus on LinkedIn and Instagram.

Audience Survey

We want to hear from you! Please complete our 4-question survey. It’ll help us get better and deliver you the most mission-critical space intel every day.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at space@n2k.com to request more info.

Want to join us for an interview?

Please send your pitch to space-editor@n2k.com and include your name, affiliation, and topic proposal.

T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

A few hours prior to the Russian invasion of Ukraine on February 24, 2022, Russia's military intelligence launched a cyber attack against Viasat's KA-SAT satellite network, which was used by the Ukrainian armed forces. It prevented them from using satellite communications to respond to the invasion. After the Viasat attack, numerous cyber operations were conducted against the space sector from both sides of the conflict. What have we learned since the Viasat attack?

Welcome to T-Minus Deep Space from N2K Networks. I'm Maria Varmazis. Clémence Poirier is a senior cyber defense researcher at the Center for Security Studies at ETH Zurich. She's written a report on the Viasat cybersecurity attack during the war in Ukraine called "Hacking the Cosmos – Cyber Operations Against the Space Sector."

I'm Clémence Poirier. I'm currently a senior cyber defense researcher at the Center for Security Studies at ETH Zurich in Switzerland. I'm mainly doing research about cybersecurity in outer space. And prior to that, I was a research fellow seconded by CNES, the French Space Agency, at the European Space Policy Institute in Vienna, Austria. And my background is more in international relations.

Fantastic. Well, thank you so much for joining me today. And congratulations on this study that you have just released out into the world. A really fascinating look at cybersecurity in space, but very much more specifically, I don't want to give it away. I'd rather you describe it than me, but tell me a bit about the study that you did. Let's talk about that.

Yeah, sure. So basically, I think we can go back to 2022 because when the war in Ukraine started, of course, the invasion actually started with a cyber attack against the satellite, which is now a famous Viasat hack. And prior to this, there was very little interest from the space sector for cybersecurity issues. And it was a bit overlooked, whether it's from engineers or the industry or public policies.
So nobody really paid so much attention to that. And the threat was a bit overlooked as well. But when the Viasat hack happened, it was a bit of something like the parallel war for the space industry in some ways. It was really a wake-up call. So I decided back then to analyze this attack and analyze what happened, but also what that meant for Ukrainian armed forces and their ability to respond to the invasion, but also all the ripple effect that this attack created across Europe and what it also meant for the European space sector. And after this first attack, I asked myself, okay, how many other attacks affected space systems in this conflict? Because everyone saw how Starlink is used to conduct military operations there, but also used by the civilian population and how it's a central aspect of accessing connectivity there, but also how satellite images are used, how navigation, so GPS, are used in the conflict. So I asked myself, naturally, there would be probably a lot of operation against space systems. So I decided to look into that. And so I crawled through hundreds and hundreds of Telegram channels, Twitter account, hacker forums, and a bit weird websites, to be honest, and tried to see and map groups that took sides in the conflict, because that's a big trend that happened in this war. Hacktivist group popped up and took sides in the conflict. And I decided to check how they would talk about space, how they would talk about attacking the satellites or the space sectors or space companies. And so I mapped hundreds of groups and I found 124 cyber operations that targeted the space sector in the context of the war. So by groups that either took side in the conflict or claimed that the attack was related to the conflict directly. And so that's the main finding of the report.

That's fascinating. There's so much there I want to dig into. So I think it's been really fascinating how much that Viasat attack really changed the conversation about space cybersecurity.
I think previously to that, there was a sense of, I'm not a military asset. I don't need to worry about it or I'm in compliance with government security standards. So I'm fine or nobody's targeting me. This is not an issue. All the conversation has completely changed since then, and especially with commercial players as you mentioned with Starlink and also Viasat as well. There is a whole level of complexity that is there. I'm so fascinated that you not only looked at the attack itself, but also what came after in those conversations. Because that's been actually a huge question I have had in the last two plus years is for adversaries, for threat actors, how has the conversation changed for them? What are they saying? Do they still see, do they see space as a domain where they feel that they can make an impact for lack of better poor terminology on my part? But what did you see from those conversations on all sides of the conflict? Is this a domain where people feel comfortable and what kind of attacks are they trying to leverage? Are they all similar? Are there a lot of different tactics being deployed? I'm sorry, I have so many questions. I'm so fascinated here.

What I first noticed is that those hacker groups on their Telegram channels, hacker forums, Twitter accounts, they really see space as a topic of fascination. So they really use space as a way to gather their communities and their members and create online engagement. So they very often talk about space exploration or whatever is in the news in space. They sometimes share fun facts like the first time that coffee was brewed on the ISS or this kind of things that you would not really expect on a hacktivist group communication channel.

They're nerds at heart.

Exactly. That's very funny because you don't see that about other sectors of the economy, but they also see space as an ultimate challenge and something that would bring a lot of media attention if they succeed.
That is something that is perceived as more difficult to hack. So you see some groups that talk almost in a childish way like, "Oh, can we hack a satellite? Can we hack a NASA satellite?" And so they discuss about whether that's feasible or not. And they really see this as the final frontier for their cyber operations.

And notoriety. Yeah.

Yes. That's definitely how it's perceived. But at the same time, when you look at their operations against the space sector, you also see that there are no groups that are specialized or entirely dedicated at targeting the space sector. So there's not one group that only targets the space sector. All the cyber operations that I could find were random almost among bigger campaigns against specific countries. So it's quite the opposite, in fact, where they actually do not know so much about space. A lot of them say, "Oh, it was our first attack against the satellite." Or, "It was very complex for us to understand how the network was operating." Or, "How a satellite functions." Or, "It was very hard to enter into the network." And so they really acknowledge that and that difficulty. It also shows that maybe cybersecurity is a bit different in space than on Earth. And it's also interesting that Microsoft and OpenAI also disclosed that Russian hacker groups, Fancy Bear, also used ChatGPT to ask questions about how satellite communication functions and how to target them. So they didn't specify whether they could link it to an actual operation. But that also says that there's still a knowledge gap for threat actors about how to enter into a space system. So the space sector is not necessarily well protected, but because the nature of the system is a bit different, it also saves the sector a little bit.

We'll be right back.

Yeah, so it means, sadly, it's just a matter of time and expertise gathering, which it will happen. It's always an arms race with this kind of thing. That is fascinating.
Security through obscurity is helping space right now. It's amazing. But again, that is just a matter of time, sadly. I don't want to sound like a fearmonger, but it's the reality. What were the nature of the attacks, or at least attempted and successful? What did you see targeting the space sector?

So I was really surprised because, of course, the war in Ukraine started with the Viasat attack, which was extremely complex and sophisticated, with several steps in the attack, a DDoS, then enter into a network and wiper malware, et cetera. So it was really destructive. And that was not the case of all the attack that followed. Most of the attacks were rather unsophisticated. So the majority distributed denial of service, mostly on websites of space companies, space agencies, or authentication portals of space services. But it's not because DDoS were unsophisticated that they were not damaging in some ways. So sometimes just targeting the authentication portal of Starlink was enough to prevent users from using the service and accessing connectivity. So in the end, they didn't really need to have to conduct highly complex, sophisticated operation. A smaller percentage of operations were intrusion into satellite networks. And I could also find a lot of hack and leak operations or data breaches. But then I couldn't find any other example of a wiper malware. Maybe it happened, but I just couldn't find any example with open source data.

That makes a lot of sense. That's a fascinating array. I always feel a little bad describing these things as fascinating because there are real damages and real lives, especially because the Russian-Ukrainian conflict, there are real lives at stake here. So as the war continues and the landscape of what is considered fair play continues to include space, given all your findings, given what you saw, I suppose I'm asking, what does this mean for folks in the space sector? What do providers need to know? What's your advice?

So that's the good question is like, what do we do about it now? So what we saw is that for a long time, the space sector overlooked the threat. And even when cybersecurity companies would notice unpatchable vulnerabilities in a lot of user modems or ground station and would raise the issue with the industry, they wouldn't really do much about it. They wouldn't really care or be aware of the potential damaging aspect of the threat. So I think now with this conflict, the industry is much more aware of the risk and understands better also what a cyber attack on a space system is. And I think they also understood that even though they might be completely civilian or fully commercial and are not whatsoever linked to a conflict or providing services to belligerent, they can still be attacked because most of the operation I could find were against civilian or commercial companies. In fact, like 61% of the operations were against commercial entities. So it is not surprising considering the involvement of companies in the conflict. But it really shows that the space sector has to broaden its threat model and that the threat model changes rather quickly. So whenever you have a new customer or that one of your old customers then gets involved in an armed conflict, you are going to be attacked. It's not a matter of if it's when. And we saw that Starlink was attacked several times, but also satellite images providers, space agencies, etc. So the space sector is a target and it doesn't really matter whether by law or under international humanitarian law you are really a legitimate target. The threat actors, they consider them as such. So you have to protect yourself. And then what was also interesting in the study is that I could not find any example of a cyber attack targeting the satellite in orbit directly. So all the cyber attack were targeting the user segment, the ground segment, or what I call the user interface, so like the IT environment of the company or the agency.
And sometimes that was enough to create damage or to prevent a satellite system from functioning properly. So they didn't really know or need to target the satellite in orbit. So I think it's also a realization for the space industry that the systems on Earth are the ones that are going to be the most targeted and that you should protect the most. Then there are some challenges specific to space because, for instance, traditional cybersecurity solution do not work so well in space or are not necessarily adapted to the conditions of the orbital environment because the orbital environment is naturally hostile. So you have radiations and solar flares and extreme temperatures and the far distance from Earth. So sometimes it creates impact on the cybersecurity solutions that you're going to implement. So I think there's a very good opportunities in the market for the space cybersecurity vertical where a space cybersecurity solution adapted for space systems can be developed. There's an area of knowledge that still needs to be developed with new solutions that are truly adapted to the systems. So this is something that we see emerging. We see the emergence of startups that are specialized on space cybersecurity. It didn't exist before. So I think it's a good aspect for the industry and it can also make the space economy bigger. But then one another challenge is that by law right now space operators, they're not, they do not have to implement cybersecurity. So if you want to get a launch license to launch your satellite in orbit, you don't need to prove your cybersecurity or that you implemented any kind of cybersecurity. And most national space laws do not have any provision include that integrate cybersecurity measures. So right now it's slowly changing. You have some new texts that are submitted for adoptions or new laws that were just recently adopted.
So in Europe, the NIS2 Directive in the EU that now considers space as critical infrastructure requires the space sector to implement stricter cybersecurity measures. And this is a directive. So that means that EU member states have to implement that law in their national law. So this is something that is a long process that takes time. And that also means that those strict cybersecurity requirements, they're also very general. They're not necessarily adapted to the space sectors. So the state and probably the industry would have, will have to work together on how to implement this in the best way. So that's definitely a challenge.

Yes, absolutely. Yeah, it's fascinating that you've identified that there's that knowledge gap, both in terms of the defenders that the market can benefit from as with the growing space cyber market, which I'm always fascinated to watch as people are trying to fill that gap because there aren't a lot of people who understand it very well, or at least well enough to be prescriptive in helping companies harden their assets. But especially on the attacker side, that again, there's that knowledge gap. But inevitably, it will, people will figure it out. And it's a matter, I suppose, who gets there first, hopefully, hopefully the defenders. But for everyone's sake, but it is fascinating to see, you know, people are going to go after the easiest targets first and ground systems and ground based infrastructure is still the easiest. So that's what they're going to go for. The fascinating insights, Clémence, I really appreciate that you went through and looked at years' worth of information, because again, you've answered a question I have been having for some time is what happened after that attack? What has the discussion been? So I'm thrilled that you put this information together. And the name of the report is the cyber defense report.
I'll make sure that we link it in our show notes as well so our audience can read it directly so they can read your insights directly. But I really appreciate you coming on the show and sharing your insights with me and the audience as well. Thank you so so much for your time today.

You're welcome. Thank you for having me.

That's it for T-Minus Deep Space brought to you by N2K CyberWire. We'd love to know what you think of this podcast. You can email us at space@n2k.com or submit the survey in the show notes. Your feedback ensures we deliver the information that keeps you a step ahead in the rapidly changing space industry. T-Minus Deep Space is produced by Alice Carruth. Our associate producer is Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm your host, Maria Varmazis. Thanks for listening.
