CISA researchers: Russia’s Fancy Bear infiltrated US satellite network

Researchers at the Cybersecurity and Infrastructure Security Agency recently discovered suspected Russian hackers lurking inside a U.S. satellite network, raising fresh concerns about Moscow’s intentions to infiltrate and disrupt the rapidly expanding space economy.

While details of the attack are scant, researchers blamed the incident on the Russian military group known as Fancy Bear, or APT28. It involved a satellite communications provider with customers in U.S. critical infrastructure sectors.

Responding to a tip about suspicious network behavior, CISA researchers found hackers inside the satellite network earlier this year. MJ Emanuel, a CISA incident response analyst who discussed the incident at the CYBERWARCON cybersecurity conference last month, said it appeared that Fancy Bear was in the victim’s networks for months.

Space security is a growing global concern, especially as key industries and militaries around the world increasingly rely on satellites for vital communications, GPS and internet access. A cyberattack against the U.S. telecom company Viasat, which provides internet service in Europe, disrupted internet service in Ukraine just before the Russian invasion in February. That attack, which officials blamed on Russia, is one of the most significant digital assaults of the war and lead to a warning from the FBI and CISA about other potential Russian infiltration of satellite systems.

Gregory Falco, a professor at Johns Hopkins University who focuses on space cybersecurity, described the state of satellite security as “the most critical and vulnerable than any other point in history.” Satellite systems, he argued, can no longer operate through security by obscurity as vulnerabilities and attack patterns that used to be limited to classified environments are increasingly public.

Falco noted that a lack of standards in the space industry contributes to an inconsistent approach to security, leaving many systems vulnerable to attack. “All of these satellite telco’s are a freaking nightmare when it comes to security posture,” he said.

Efforts to create technical cybersecurity standards for space technology at the Institute of Electrical and Electronics Engineers and the International Organization for Standardization are underway. But those initiatives will take years to develop.

Other issues that concern cybersecurity experts include the rapid increase of entrants in the market that may not be placing sufficient focus on security, particularly as those companies aim for high-paced manufacturing while keeping costs low by relying on commercial parts, according to a report by the Aerospace Corporation.

The satellite network intrusion that CISA discovered is a prime example of the kind of lax security that can offer attackers a gateway to infiltrate critical networks. It appears that Fancy Bear exploited a 2018 vulnerability found in an unpatched virtual private network, giving its hackers the ability to scrape all the credentials with active sessions.

Because the targeted satellite communications provider used the same credentials for “emergency” accounts as ordinary ones, the hackers were able to re-use the stolen credentials for emergency accounts that made it easier for the hackers to move around the system. At the time of the intrusion, the company was also transmitting unencrypted supervisory control and data acquisition, or SCADA, traffic, which can include data like the state of industrial devices and commands from control centers, Emmanuel said.

Unencrypted SCADA data flows are not uncommon, said Aaron Moore, executive leader at cybersecurity firm QuSecure and a former DARPA program manager for satellite programs. Moore said that the majority of SCADA traffic that goes through satellite communications is not end-to-end encrypted and are “steered” though a myriad of routes from the ground site beaming up the information to the satellite and back down to receiving ground site, making this data fairly trivial to intercept.

To improve the industry’s security posture, CISA has argued in the past that space technology should be designated critical infrastructure, which would give the industry greater access to intelligence sharing mechanisms and disaster planning resources.

The idea has been around for some time, but does not appear to be gaining momentum, with National Cyber Director Chris Inglis saying last year that “we’re going to walk, not so much away from the critical sectors, but towards this idea that what we’re really interested in is the threats that cut across those.”