Space

(0) attackers < Back

Understanding the cyber threat:

Satellites are increasingly providing essential services. They have become an essential element for the successful accomplishment of military missions.

Nevertheless, for a number of years, and especially with the onset of the New Space, the issue of cybersecurity in space systems has been sidelined, if not completely ignored. The reasoning was that since cyber attack techniques were not as developed as they are today, the functional and budgetary priority was not necessarily allocated to the issue of cyber security.

 

The Space industry is organized around several segments:

• Ground Segment

• Link Segment

• User Segment

• Space Segment

Compromising the ground station is ultimately the easiest way to control a satellite because it provides the equipment and software to legitimately control and track it. Besides, it uses existing and established ground systems and attack vectors. The types of threats are generally the same throughout the life cycle of a satellite

Once in orbit, a satellite has limited physical contact with humans, although this does not mean that security threats are not present. Vulnerabilities in the software and hardware used the satellite can arise and impact the operation of the satellite and the robustness of security controls

​Compared to the Link Segment which corresponds to the interactions between the three segments, the User Segment deals with the applications of satellite systems. Applications such as navigation, television and communications often require dedicated hardware. Other systems use the data collected by these dedicated receivers to serve a specific product or application. For satellite television transmissions, a satellite dish and decoder must be installed to receive the channels provided and to perform the subsequent tuning and decoding of the broadcasts for viewing.

 

​When we talk about threats to the space sector it is first important to recall the different dimensions of the threat surface created by the sector’s morphology. In reality 4 segments are to be identified: space, ground, link, and user.

 

In the following section, we will provide examples to explain the ways in which attackers have found to target these specific segments. These examples focus mainly on use cases of state-sponsored attacker groups, but they should not suggest that organized cybercriminal gangs are not capable of acting on these threat surfaces.

 

 

The main advantage for an espionage group to leverage the Link segment is that it is difficult to identify. Indeed, the geographical location of the C&C server is very difficult to trace with this tactic since Internet-based satellite receivers can be located anywhere in the area covered by the satellite. The only drawback is the instability of the connection and its slowness. In this case ATK13 used a very simple method: Hijacking of DVB-S satellite links.

The question is, how is this possible? As Kaspersky reminds us, four basic elements are necessary:

- A satellite dish – the size depends on geographical position and satellite,

- A low-noise block downconverter (LNB),

- A dedicated DVB-S tuner (PCIe card)

- A PC, preferably running Linux

 

 

In January 2018, Symantec’s Targeted Attack Analytics TAA issued an alert for a major telecom operator in South-East Asia. The alert was linked to an attack by a group called Thrip, which collects information on satellite-operating infrastructure.

To date, known targets are satellite operators in the USA and South-East Asia but also defence contractors, telecom operators and organizations processing satellite imagery. In particular, the group looks for information linked to satellite operations and geospatial imagery.

Thrip’s tactics are referred to here as ‘living off the land’ and employ legitimate tools often already installed on its victims’ computers with some scripting and shell code that is hardly visible. It is therefore a dualisation of legitimate tools used by satellite operators on the ground for strategic and economic espionage.

 

 

There are many ways to spoof a GPS satellite. One way is to compromise the satellite's receiver and alter its output signal. In 2017, the U.S. Maritime Administration reported the first GPS spoofing attack against over 20 ships in the Black Sea.  Correspondence between one of the impacted vessels and their command center indicates that over the course of the attack, the GPS position displayed on their navigation tool sometimes showed ‘lost GPS fixing position’.  At one point during the attack, the spoofed location showed the ship was located near the Gelendzhik airport but was in fact 25 nautical miles from the reported location. According to a non-profit organization called Resilient Navigation and Timing, which monitors GPS incidents, anecdotal spoofing reports are not uncommon in Russian waters.

 

Attacks on the satellites themselves are less common in recent times. Nevertheless, most of the typologies of attacks described above (living off the land tactic, links hijacking, GPS Spoofing/Jamming, etc.) can be means to reach the space segment as a final target. Here, the most important risk is a takeover or an OT attack on a satellite. In 2008 in a scientific article by Jessica A. Steinberger reported on a Trojan horse attack that allowed hackers to break into the computer system of the Johnson Space Center in Houston, Texas. With this access they managed to reach the International Space Station (ISS) and disrupt on-board operations. This use case, which seemed unthinkable, was facilitated using old software on board with an almost non-existent patching policy for vulnerabilities.