Today, NATO governments officially attributed the February satellite hack to Russia [1][2][3]. As you’ll recall, an hour before Russia’s invasion of Ukraine, they took down Viasat’s satellite Internet service, which in turn affected customers throughout Europe, including, as was widely reported, taking German wind turbines offline.
I thought I’d discuss some of the details, because:
it wasn’t a satellite hack
it didn’t stop the wind turbines from generating power
Satellite hacking is a thing, targeting either the satellite itself or the radio link in between. For example, Russia could have pointed its own dishes at Viasat’s “KA-SAT” satellite to jam the uplink. That wouldn’t affect the one-way downlink coming from the satellite, but almost all Internet traffic is two-way, so jamming the signals going up to the satellite is usually enough.
But that’s not what happened. They didn’t target the satellite or the radio communications. Instead, Russia hacked the modems on the ground, at each customer site.
The Viasat modems in question, the “SurfBeam 2”, work much like the cable modem you have at home: they are based on DOCSIS, the cable-industry standard. There are additional details to cope with the much higher latency and the different frequency ranges, but otherwise the technology is similar.
They can be attacked the same way cable or DSL modems can: by exploiting a vulnerability on the device itself, or by compromising the ISP’s management systems, which the devices trust to configure and update them.
In this case, the Russian GRU hackers broke into the ISP, a Viasat partner company named “Skylogic”. Once inside Skylogic’s network, they sent management commands to the modems telling them to “wipe” (erase) themselves, overwriting their flash memory. That knocked each modem off the Internet.
In other words, the hackers involved didn’t need to know anything about satellites.
Moreover, even “hack” overstates it. Skylogic blames a “misconfigured VPN server” for letting the attackers in, but no such flaw was really necessary. Russia could just as easily have bribed a Skylogic employee for VPN credentials. This sort of thing is increasingly common with ransomware: employees visit dark-net forums and sell such credentials for a few thousand dollars.
I mention this because along with today’s attribution, the NSA has published a document on “Protecting VSAT Communications” that as far as I can tell has nothing to do with this attack. If you were a Skylogic customer, there was nothing you could have done; the modems were wiped from the operator’s side. If you were Skylogic itself, the fix is to secure the internal management network so that no single employee (or single stolen credential) can push commands to the whole modem fleet.
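One way to build the “no single employee can command the fleet” control is dual authorization on the management plane: a destructive or bulk command is only dispatched once two distinct operators have signed the exact same command, and each approval is bound to a one-time nonce so an old approval cannot be replayed. The following is an added example of that gate, not Skylogic’s or Viasat’s code; the command names, the bulk threshold and the operator keys are assumptions constructed for the example.

```python
"""Dual-control gate for bulk modem management commands.

Added example, not Skylogic's or Viasat's code. It models the control the
post calls for: no single employee (or single stolen credential) can push a
destructive command such as a flash wipe to the modem fleet. Command names,
thresholds and operator keys are assumptions constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Commands that can take a modem off the network (assumed names).
DESTRUCTIVE = {"wipe_flash", "factory_reset", "firmware_update"}
# Any command aimed at more targets than this needs a second approver (assumed).
BULK_THRESHOLD = 10

# Per-operator signing keys. A real deployment would keep these in hardware
# tokens; they are constructed here so the example runs offline.
OPERATOR_KEYS = {
    "alice": b"alice-demo-key",
    "bob": b"bob-demo-key",
}


@dataclass(frozen=True)
class Command:
    action: str
    targets: tuple   # modem identifiers, sorted so the encoding is canonical
    nonce: str       # unique per request; stops an old approval being replayed

    def digest(self) -> bytes:
        # Both approvers sign exactly this canonical encoding, so an approval
        # for one command cannot be reused for a different one.
        payload = f"{self.action}|{','.join(self.targets)}|{self.nonce}".encode()
        return hashlib.sha256(payload).digest()


def approve(cmd: Command, operator: str) -> tuple:
    """Produce an (operator, mac) approval over the command digest."""
    mac = hmac.new(OPERATOR_KEYS[operator], cmd.digest(), hashlib.sha256).hexdigest()
    return (operator, mac)


@dataclass
class ManagementPlane:
    used_nonces: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def required_approvers(self, cmd: Command) -> int:
        if cmd.action in DESTRUCTIVE or len(cmd.targets) > BULK_THRESHOLD:
            return 2
        return 1

    def _approval_valid(self, cmd: Command, operator: str, mac: str) -> bool:
        key = OPERATOR_KEYS.get(operator)
        if key is None:
            return False
        expected = hmac.new(key, cmd.digest(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)

    def dispatch(self, cmd: Command, approvals: list) -> bool:
        """Send the command to the modems only if policy is met.

        Returns True if the command was (notionally) sent, False if refused.
        """
        if cmd.nonce in self.used_nonces:
            self.audit_log.append(("refused", cmd.action, "replayed nonce"))
            return False
        # Distinct operators only: the same person approving twice counts once.
        valid_operators = {op for op, mac in approvals
                           if self._approval_valid(cmd, op, mac)}
        needed = self.required_approvers(cmd)
        if len(valid_operators) < needed:
            self.audit_log.append(("refused", cmd.action,
                                   f"{len(valid_operators)} of {needed} approvals"))
            return False
        self.used_nonces.add(cmd.nonce)
        self.audit_log.append(("sent", cmd.action, len(cmd.targets),
                               sorted(valid_operators)))
        return True


def demo() -> list:
    """Run the scenarios below and return the dispatch decision for each."""
    plane = ManagementPlane()
    fleet = tuple(f"modem-{i:04d}" for i in range(5000))   # constructed fleet
    wipe = Command("wipe_flash", fleet, nonce="req-0001")
    results = [
        # one operator (or one stolen credential) cannot wipe the fleet
        plane.dispatch(wipe, [approve(wipe, "alice")]),
        # the same operator approving twice is still one operator
        plane.dispatch(wipe, [approve(wipe, "alice"), approve(wipe, "alice")]),
        # two distinct operators: allowed, and the nonce is then spent
        plane.dispatch(wipe, [approve(wipe, "alice"), approve(wipe, "bob")]),
        plane.dispatch(wipe, [approve(wipe, "alice"), approve(wipe, "bob")]),
    ]
    # a routine single-modem reboot still needs only one operator
    reboot = Command("reboot", ("modem-0042",), nonce="req-0002")
    results.append(plane.dispatch(reboot, [approve(reboot, "alice")]))
    return results
```

The important property is that the second approval is over the canonical encoding of the command, targets and nonce, not over a ticket number: a stolen VPN session or a bribed operator can produce one valid approval, but cannot manufacture the second one, reuse a colleague’s approval for a different command, or replay yesterday’s approved maintenance window against the whole fleet.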
The story has legs because it affected Skylogic customers throughout Europe, especially those using the service for critical infrastructure.
Things like oil wells and wind turbines sit in inconvenient locations and have long been customers of satellite services, since before the Internet. These days it’s cheap and easy to set up a consumer satellite dish for remote monitoring and control.
But as others point out, just because communications stop doesn’t mean oil wells stop pumping or wind turbines stop turning. These systems are largely autonomous: they monitor themselves for emergency conditions and shut down as appropriate. Loss of remote communication is part of their risk model; if they depended on communications to keep running, they would be designed wrong.
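To make that design rule concrete, here is an added example of the local supervisory logic such a unit runs, written for this post and not taken from Enercon or any turbine vendor. It treats a dead link as an expected condition (keep generating, note the outage), honours remote stop/start only while the link is live, and lets the local overspeed limit stop the machine whether or not anyone can reach it. The RPM thresholds, state names and the constructed trace are assumptions.

```python
"""Local turbine supervision that does not depend on the satellite link.

Added example, not Enercon's or any vendor's controller logic. It illustrates
the point above: loss of remote communications is an expected condition, so
the turbine keeps running under local control, while local safety limits
still stop it. Threshold values and command names are assumptions.
"""
from dataclasses import dataclass

RPM_OVERSPEED = 20.0   # assumed rotor limit; above it the local brake engages
RPM_CUT_IN = 3.0       # assumed: below this there is no usable wind


@dataclass
class Sample:
    t: float               # seconds
    rpm: float             # rotor speed from the local sensor
    link_up: bool          # is the satellite link currently alive?
    remote_cmd: str = ""   # "", "stop" or "start", delivered over the link


class TurbineController:
    def __init__(self):
        self.state = "RUNNING"
        self.last_contact = 0.0
        self.events = []

    def step(self, s: Sample) -> str:
        if s.link_up:
            self.last_contact = s.t
        # 1. Local safety first, regardless of the link.
        if s.rpm > RPM_OVERSPEED:
            if self.state != "EMERGENCY_STOP":
                self.events.append((s.t, "overspeed: local brake engaged"))
            self.state = "EMERGENCY_STOP"
            return self.state
        if self.state == "EMERGENCY_STOP":
            return self.state   # assumed: cleared only by an on-site reset
        # 2. Remote commands are honoured only while the link is live;
        #    nothing is trusted from a link that is down.
        if s.link_up and s.remote_cmd == "stop":
            self.state = "STOPPED"
            self.events.append((s.t, "remote stop"))
        elif s.link_up and s.remote_cmd == "start" and self.state == "STOPPED":
            self.state = "RUNNING"
            self.events.append((s.t, "remote start"))
        # 3. A lost link is not a fault. Keep generating; just record the outage.
        if not s.link_up and self.state == "RUNNING":
            self.events.append(
                (s.t, f"offline {s.t - self.last_contact:.0f}s, still generating"))
        # 4. Ordinary local wind logic carries on either way.
        if self.state == "RUNNING" and s.rpm < RPM_CUT_IN:
            self.state = "IDLE"
        elif self.state == "IDLE" and s.rpm >= RPM_CUT_IN:
            self.state = "RUNNING"
        return self.state

    def run(self, samples) -> list:
        return [self.step(s) for s in samples]


def outage_scenario() -> list:
    """Constructed trace: the link dies mid-run, wind varies, then gusts."""
    ctl = TurbineController()
    trace = [
        Sample(0, 12.0, True),
        Sample(60, 12.5, True),
        Sample(120, 12.1, False),   # link lost (say, the modem was wiped)
        Sample(240, 2.0, False),    # wind drops: idle, not a fault
        Sample(300, 14.0, False),   # wind returns: back to generating
        Sample(360, 23.0, False),   # gust past the limit: local brake
        Sample(420, 5.0, False),
    ]
    return ctl.run(trace)
```

Note what the trace shows: the link going down at t=120 changes nothing about generation, the low-wind idle and the overspeed brake both work with no uplink at all, and the only thing the operator actually loses during an outage is visibility and the ability to issue a remote stop.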
A perhaps more interesting angle on the story isn’t critical infrastructure or hacking, but low-earth-orbit (LEO) and medium-earth-orbit (MEO) satellites.
Satellite Internet so far has come from “geosynchronous” satellites. They appear stationary over a fixed point on the planet because they take 24 hours to orbit, matching the Earth’s rotation. But that means their orbits are so high (about 36,000 km) that a radio signal needs roughly a quarter second to go up to the satellite and back down, and a request plus its reply takes about half a second. That latency is unacceptable for phone calls and annoying for surfing the web.
Low earth orbit (“LEO”) solves the latency problem, but the satellites whiz by fast. Each one is visible for only about 10 minutes before it crosses from one edge of the horizon to the other. That’s too fast for a fixed consumer dish to stay pointed at it.
But a technology called “phased arrays” solves this. Elon Musk’s Starlink “dishes” are flat panels containing more than a thousand small antenna elements; by shifting the phase of the signal at each element, the panel “steers” the radio beam electronically toward the satellite. That not only tracks one satellite but allows an immediate switch to the next one. There are over 2,000 of these satellites in orbit.
Elon Musk sent 1,500 Starlink dishes to Ukraine in response to the outage, and aid organizations sent another 3,500. They dramatically change military applications, because a narrow, steerable beam to a constellation of constantly changing satellites is far harder to jam than a fixed dish pointed at a single geostationary satellite.
On the other hand, this now makes Starlink a target of Russian hackers and intelligence services. I’m actually surprised Russia hasn’t tried to simply bribe a Starlink engineer to ship an update that bricks Starlink dishes, or at least Starlink dishes located in Ukraine. (For Starlink to work, it must know its exact GPS location, so it’s pretty easy for wiper malware to know whether the dish is inside Ukraine.)