I've investigated network equipment before, my findings were that you shouldn't trust any of it and use a standard Linux box whenever possible. The worst was consumer-grade modems/routers with low-hanging fruit such as backdoors, "forgotten" telnet servers left enabled, shell command injection in the web UI, etc., but even enterprise stuff had its problems (thankfully, at least on enterprise stuff you can disable the web UI and any services you don't use, considerably shrinking the attack surface to pretty much just the kernel). And don't get me started on mobile network equipment where untrusted data is parsed at the kernel level and the motto is still security by obscurity (and the impossibility for the average Joe to obtain said equipment).
What I think happened is that they breached the control infrastructure which gives them access to an "internal" VLAN that the satellite terminals use to communicate with the mothership for firmware updates, configuration changes, etc, and from there were able to attack these as if they were locally connected (or worse - since that network segment is presumed "internal" and may expose services not normally available - think whatever is the TR-069 equivalent for BGAN terminals), either just pushing an incorrect configuration that prevents the terminal from connecting (essentially bricking it until you can get out-of-band access and reconfigure it properly) or obtaining root (via exploit or pushing a specially-crafted firmware update) and overwriting /dev/mtd* to completely kill the terminal.
"Cyberattack on satellite network" sounds so serious but I very much doubt it's got anything to do with the satellite part of it. They've done the equivalent of breaching into the management network at a terrestrial, wired ISP and sent garbage configuration over TR-069 to brick the modems. Attacking the satellite layer would require much more effort for essentially the same gain (and if your objective was to get into the satellite layer, why waste that access on breaking everything in a highly-visible way when you're better off silently sitting there and using the access to eavesdrop on everything, especially when it's used for SCADA traffic of critical systems that's itself unencrypted and vulnerable to tampering?).
From personal experience (I guess now that the statute of limitations has passed..) I was part of a large community of people in the not so distant past hacking into cable ISPs. On small ones it was easy to bypass security mechanisms and spoof other customers' devices or simply trick their servers into issuing valid configs, but obviously there was the one big one that I’m sure everyone has heard of. Anyway, before the community was shut down, in the quest to defeat the more stringent security mechanisms, a few folks figured out how to jump from modems to an internal VLAN, got access to privileged SNMP communities and eventually owned the entire network starting at the head ends and eventually made their way to the core routers (Of course, the provider used the same credentials for everything, in an industry that to this day doesn’t use 2FA). Eventually the community was shut down. However, said ISP never acknowledged the breach. If some hobbyists could figure it out, I guarantee that nation-states can do it.
> (and the impossibility to obtain said equipment for the average Joe).
when I worked on similar problems some years ago, we found out that certain radios were used across sectors with basically the same ucLinux kernels and toolchains, bootloaders, and SoCs. I agree with the "internal VLAN" assessment to a point, as these networks tend to backhaul their admin channel / control plane messaging back to their vendor.
The hardcoded credentials issue was the easiest win, where the firmware signing was actually not bad, but injecting packets over the point-to-point radio connections depended both on whether encryption was enabled and on some primitive-implementation issues that I have no doubt any serious cyber operations group would have also found.
With this (speculative) radio packet of death, you could fly a spyplane over the region at supersonic speeds and cause the terminals to go dark - which would explain the relatively simultaneous / sequential failures and the physical path of the outages, which would be detectable in the monitoring data.
Strategically, it's the perfect signal and warning to any country looking to interfere, and it doesn't cost very much. Maybe it's nothing, but with Russia it's never nothing.
Fair assessment. I assumed spyplane because it also affected Italy and Greece, so there was a long arc of a flight path. It's possible it could have been the orbit of a Russian electronic warfare satellite as well, as if you have a transmitter on it, encoding radio packets of death against poorly maintained Linux kernel forks (hugely assuming that's what the terminals ran) is as trivial as loading a Metasploit payload. I'm well into speculative fiction, but casting magic spells that stop machinery en masse isn't magic at all - and well within the capabilities of armchair admirals of electronic warfare who read and post on HN.
It would be interesting to see if there was any timestamp data about the order in which the terminals failed, as that would yield the flight path evidence, or indicate the presence of local transmitters in those regions, or if it were async, an internet based attack.
Reality is, the gear that runs critical infrastructure is still a joke, and I've said before that western exposure to cyber vulnerability will cause the US/NATO to hesitate in responding to Russian and Chinese aggression because they have to take on that domestic political risk of infrastructure failure, and in conflict, often hesitation is sufficient. Weakness invites predators, and here we are.
> "Cyberattack on satellite network" sounds so serious
yes agree -- third hand witness to actual ground station management of Small SATs here.. even internal engineers are locked out; multiple keys required to perform actions; closely monitored change-of-behavior networks, etc etc
beware of REALLY LARGE CLAIMS at this time -- peace out
A satellite data system used by the Ukrainian military was knocked out at the same time as the invasion, the outage started in Ukraine before spreading outward, and the damage is permanent - which would not happen in a botched firmware upgrade, where units would load a backup firmware image or get an image OTA, or be fixable via site visit.
Not exactly a 'really large claim' that this was an attack.
I'm very skeptical of the "damage is permanent" claim. I wouldn't be surprised if it's used to hype up the event even more just like the hype around the fact that this is satellite terminals being hacked even though I believe the attack is very boring and would equally apply to any terrestrial-based ISP whose management network is compromised.
I would bet good money that what they claim is "permanent damage" is just misconfiguration that prevents the terminal from connecting to the network but can be recovered via an on-site visit, and hyping up the entire event also works in the company's favour as an ass-covering technique as I suspect the actual vulnerability is very simple & boring (which would be very bad if it were to go public that they have such bad security).
I think GP is saying that an attack that impacted the satellites flying around in space is a large claim, on account of their systems having better security. I imagine the idea of a many-millions-of-$ satellite burning up because someone left a telnet server open is enough to make executives take sat security a little more seriously than, say, terminal security.
Don’t think anyone is really refuting the idea that satellite terminals being remotely bricked en masse, just as two countries nearby go to war, is an attack.
My argument in my original post was that the fact that this is a satellite network is likely to be completely irrelevant to the actual attack and that the parts that were compromised exist just as well in a terrestrial-based network. However, "satellite network suffers cyber-attack" is a better headline than "local ISP was stupid and got their management network pwned" - the former implies extra complexity which works well for ass-covering and swaying public opinion, something they very much need if it turns out the vulnerability was very stupid & mundane.
> What I think happened is that they breached the control infrastructure which gives them access to an "internal" VLAN that the satellite terminals use to communicate with the mothership for ...
> ... whatever is the TR-069 equivalent for BGAN terminals ...
These VSAT terminals support TR-069 [0] and my first thought when I heard about this was a compromised ACS. It wouldn't be the first time.
This is sort of what virtual networking devices are trying to solve, no?
Going to a full on box also increases your attack surface by adding a lot of unnecessary stuff.
Plus even with something completely in software you still need the physical hardware in there at some point - and those individual pieces will be running their own firmware and microcontroller software.
> why waste that access on breaking everything in a highly-visible way when you're better off silently sitting there and using the access to eavesdrop on everything
The subtle approach takes more time.
Take the PoV of the hypothetical Russian decision maker.. you can either take all them down now with something quick & dirty while the tanks are rolling, or inject a stealthy targeted piece of malware you haven't finished yet next week after Kiev is already in the hands of a puppet government....
Yes, this was my point. I don’t believe they’ve attacked anything satellite-specific and instead just pushed an intentionally-bad configuration or firmware update to terminals in the field.
Simultaneously, Russian ground forces have had a hell of a time using their encrypted radios, resulting in the logistical and tactical omnishambles observed by many, and fallback transmitting in the clear using civilian ham radios or cell phones.
Some have attributed this to difficulty in distributing encryption keys to forward units or just general incompetence, but one fun theory I saw on Twitter is that Russia uses SDRs somewhere in their radio net and a similar poison packet bricked them all.
>Interfax reports that the Deputy Chief of the General Staff and the most senior communications officer in the Russian military, Colonel General Khalil Arslanov, has been arrested for fraud in relation to the purchase of special equipment.
>The case involves Colonel Pavel Kutakhov, who was arrested last week for stealing an estimated 30 M RUB from an 800 M RUB contract for comm systems.
30M rubles, pocket change
>Kommersant reports that Colonel General Khalil Arslanov, head of Russia's Signal Troops and Deputy Chief of the General Staff, was charged in the theft of 2.2 B RUB and was hospitalized after suffering a hypertensive crisis during his interrogation
2B rubles, now we are starting to talk real money
>After expanding their investigation, investigators discovered that Russian troops had received equipment that was made in China even though it was supposed to be from Russia (they changed the labels).
>The investigation isn't limited to 2.2 B RUB worth of theft, but also to fraud related to contracts for the Azart comm system built by NPO Angstrem JSC and Yaroslavl Radio Plant. Of 18 B RUB spent on the radios, 6.5 B RUB might have been stolen due to artificially high prices
6B rubles, ouch
>Arslanov says that they saved so much on the purchase of R-187-P1 Azart radios, 6.7 B RUB of the contract's 18.5 B RUB was allegedly embezzled, because the radios were purchased from China in almost finished form with some components added in Russia
To be fair, ten years ago in Afghanistan I observed a lot of difficulty with encrypted radios on the US side too. The SATCOM radios on our very expensive aircraft seemed to work only a bit more than half the time. Actual military radios are cumbersome and limited, and the keys change constantly, and the keys are a pain to load. Civilian cellphones and cheap walkie-talkies were used for a lot of communications that probably should have been encrypted.
Seems entirely plausible to me that someone pushed a firmware update which corrupted the firmware (even maybe at the fpga/bootcode level) and effectively bricked the devices. Not horribly complicated to do and once you've done it it would require physical access to recover each device individually.
Is there a plausible explanation for who would do this, besides Russia?
Is Viasat/Eutelsat a particularly good target for this for some reason (seems more like Iridium is used in these scenarios).
KA-SAT seems to be used for SCADA control of 11 Gigawatt worth of wind turbines in Germany, among other things [1].
Not sure at all if this was the intended/primary target, but Europe is certainly scrambling for every Watt at the moment...
Also note that KA-SAT/Viasat and Eutelsat seem to be different platforms. I've seen reports of services based on the former being affected (e.g. SkyDSL [2]), but not the latter (Konnect), so far.
I was also surprised to learn that Ka-band based stationary consumer satellite internet services seem to be using (mostly) plain DOCSIS as the protocol. That possibly introduces its own share of vulnerabilities due to OTA updates/provisioning.
Sure, but can you prove it to the public in enough certainty to declare war? No. Suppose it was Russian flag, they could very easily just claim they were framed - and they very likely could’ve been.
> Sure, but can you prove it to the public in enough certainty to declare war?
This is not a court of law, proof is not what is missing to declare a war against Russia. They have a credible nuclear deterrent, that is why war is not declared against them by other countries.
It is in fact a very sweet idea to think that a war declaration depends on meeting or not meeting some evidentiary standard.
> have a credible nuclear deterrent, that is why war is not declared against them by other countries
Nobody “declares” wars anymore. If Russia were believed to be responsible for this, it would make it politically feasible to attack their critical infrastructure through targeted (plausibly deniable) cyber attacks.
You misunderstood, or simply ignored the word “public”. In free press societies, you need the will of the people to go to war. You need a 9/11 moment. A casus belli.
> In free press societies, you need the will of the people to go to war.
Sure. And this consent can be produced when there is a need for it. “Proof” is not the missing component.
That American basketball player who the Russians detained? Casus belli. The cyber attacks? Casus belli. Shelled civilians? Casus belli. The NATO country cargo ships which got hit and sunk? Casus belli.
These are just the ones I can think of. A proper state apparatus can come up with many more and probably even better ones. Government officials will leak the background, solemn-faced politicians will demand justice while friendly journalists will write up the whole thing in the most heart-wrenching way. If they want to they can.
So why don’t they want to? Is it because the Russian army is so powerful that we think we can’t overpower them? No. Is it because the Russian air defences are so advanced that they cannot be picked apart? No. So what is it which makes the west avoid a direct confrontation with Russia? Why are they doing this strange dance of supplying weapons to Ukraine and hurting Russia with sanctions, but not directly engaging with them troop-to-troop? It’s the Russian nukes.
> You misunderstood, or simply ignored the word “public”.
I don’t think so. You won’t “prove” anything to the public through detailed technological explanations. A fig leaf of deniability might be an interesting roadblock in a criminal prosecution where things have to be proven “beyond a reasonable doubt”. In a situation where there is a governmental will to engage in a peacekeeping mission (read: send troops to fck the Russians up) the evidentiary level is “can we find an authoritative-sounding voice in the whole government who can tell the right sob story to enough gullible journalists to sell the people on it”. That is such a low level of “proof” that one might as well assume it can be met nearly always.
Journalists won’t pore over the attack binaries using Ghidra to make an assessment about the relative probabilities that it has the signatures of being created by this or that advanced persistent threat group. The ones who would demand that level of rigour before publishing won’t get the scoop. The ones who are selected to spread the message will have a lovely hour with a very charismatic “expert” who will walk them through just enough of the detail to sound right but not to get bogged down in unnecessary complications. This chat will get translated into a single line in their article, maybe something like “experts at the National Security Agency matched the unique signatures of the cyberweapon to the advanced persistent threat group Tippsy Bears, a known front of the Russian Federation.” Followed by two pages of heart-wrenching human-angle story about innocents suffering needlessly. That is the “proof” the public might get.
I was with you until you said prove it "to the public"
After the WMDs and "17 intelligence agencies agree" fiascos, among countless others, I'm beginning to lean on the side of the media being able to sell snow to an Eskimo.
I know this is US-centric and lots of Europe/other parts of the world were much more skeptical of the WMD claims at the time.
Before people politically flame me, I mention the "17 intelligence agencies" for 2 reasons
1) getting 17 people to agree on anything is impossible, getting 17 gigantic bureaucracies larger each than most governments to agree on anything is asinine.
2) most of the evidence, if you read the redacted report, was trivially forgeable so as to be pointless in determining actual responsibility. "we found cyrillic characters in the code, only could have come from russia!"
Nobody likes Russians. This would quite frankly be the easiest sell in history.
Evil bad guys? Check. Innocent civilians? Check. Fighting far away from your own vulnerable infrastructure? Check.
If this was true and practical, there would be so many wars... pretty much every country has had some infrastructure hacked, most more than once, some by random groups, some by government-sponsored hacking, some by exploiting outdated installations of services and some using very advanced techniques (e.g. Stuxnet).
Depends on who wrote the rules and who wins. It's not like NATO/5eyes hasn't been going on about cyber warfare threats for at least 15-20 years now, at least I've been aware of it for 17 years.
"The [turbines] affected remain in operation and are producing clean renewable energy. ... they will operate in automatic mode and are fundamentally capable of self-contained and independent regulation."
Sure, I'd hope for a heavily decentralized system to have some capability of autonomous operation. But in the medium and long term, it can't be good to not be able to remotely monitor for failures requiring manual intervention or on-site mechanical servicing.
The problem is once again our godawful prior government. Many tens of thousands of jobs in the wind industry have vanished over the last years [1] because the Conservatives oppose renewable power and impeded it wherever possible - if it is because of corruption, incompetence, fear of the far-right that outright demonizes anything not fossil or nuclear I don't know. In any case, we simply don't have the staff to visit literally thousands of wind turbines, a lot of which are actually offshore, simply to replace routers.
>"Initially it took a few days for the Ukrainians to get the satellite phones up and working because the instructions on how to use it were in English, not in Ukrainian."
Seriously?! Did the president hire my parents to set up his satellite phone? I refuse to believe that a nation state doesn't have at least a couple of techs on their payroll with decent command of English. If this is true then it's just embarrassing on so many levels and I'm really afraid of how Ukraine has a chance at winning this war.
> Is there a plausible explanation for who would do this, besides Russia?
Any engineer could accidentally do it... I can totally imagine the release engineer accidentally pushing the dev version, only to realise later that the dev version doesn't have quite the right config to connect for example.
Blaming it on a cyber attack is a lot less bad than saying "whoops, we bricked everyone's modems".
It should be pretty easy to figure out which one it is, except if the deployment vector was actually a malicious firmware update.
A plausibly deniable exploit like that is probably orders of magnitude more expensive, and the timing is suspicious enough that it's probably not even worth trying. In any case, it's not like it's trivial to attribute (beyond reasonable doubt) a "transparent" cyber attack either.
There's still the incentive to cover it up externally and blame it on a cyberattack as opposed to poor internal processes that allowed such a bug to make it to production.
Dumb question here but my thoughts were - why not push the corrupted update to the sats? AKA hack the sat firmware? I'm fairly certain that they aren't wide open doors but still - I would guess that it would be a lot easier doing it that way. Perhaps it was both, or something else entirely. It will make for an interesting read one day.
It's easy to buy an end-user terminal and tear it apart on your workbench to develop an understanding of how it works. I don't know about you, but I haven't seen any satellites on eBay recently.
Also, most satellites are intentionally as dumb as possible, just a "bent pipe" transponder, putting all the complexity on the ground stations which are easier to service if something goes wrong. There might not be much to do on the satellite itself.
With the right commands, you could flip the satellite by 180 degrees, move it from Europe to the Pacific Ocean, or crash it into one of its neighbors.
All geostationary satellites need to be capable of at least some station-keeping to correct for drift, move them to other service areas, or move them to a graveyard orbit at their end of life. (Unlike LEO, GEO satellites don't carry enough fuel for de-orbiting, and friction is essentially nonexistent at that altitude.)
That layer of commands is hopefully very well protected.
The satellite layer is probably very custom and requires specific skills and initial recon work which could be visible and risky. In contrast, getting access to the management network and sending intentionally-malformed configurations or firmware updates to the terminals is much easier and doesn't require any satellite-specific knowledge. The satellite terminals (at least the router part of it) are just standard Linux embedded devices, so no special skills required.
If your objective is to disable the devices like they've done, attacking the "easy" layer is enough so why waste time on unnecessary complexity? Of course they might well have also done recon on the satellite side and collected valuable data they can use in the next round.
The satellite command and control is probably the one bit of the network that's actually hardened (possibly even air-gapped), completely proprietary, etc. - that bit is designed by the companies that make $200 million satellites, not the people who make fairly cheap modems and have different priorities.
The current generation of satellites themselves generally do nothing to the data stream - for each of the dozens of spot beams they're transmitting, they generally just take an RF signal from the ground station (multiplexed in various ways up to the satellite) and convert the frequency. Same with the receive path just in reverse.
The actual modulation/demodulation all happens at the ground station. This is because they expect modem technology will improve, but the satellite has to be able to work for 25-30 years. (Though in the industry they are talking about putting more and more 'software defined' functionality on the satellites, but again this will mostly have to go via their secure systems at the ground station, not from the terminals)
So there's basically no way to interact with any 'satellite firmware' unless you're in a very specific location (near their ground station) with extremely specialised gear.
Because it's one thing to attack hardware in Ukraine and have some collateral damage in other parts of the world, and an entirely different thing to directly attack an expensive space asset of another country just because it is used to provide service to Ukraine.
Also, the affected ground stations are in Germany, the satellite belongs to a US company.
I have personally seen that a lot of "cheap" point to multipoint contended access VSAT modems have very little security on them.
Would not be surprised in the slightest if something like a new firmware load or configuration push coming from the hub of the network was not properly validated by the modems using a secure crypto key/signature method.
Keep in mind that what we're talking about here is the European equivalent of the viasat/hughesnet/wildblue low cost, highly contended access geostationary vsat modem service. It's about the cheapest possible thing you can buy that is two way IP data via geostationary at 64:1 oversubscription ratio or more. There are very demanding economics factors in play that require the company to make the end user terminal hardware as absolutely cheap as possible, for all of the sub components (physical dish/mounting, LNB, Tx/BUC/SSPA, cabling, and modem).
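The comment above describes what proper validation of a hub-pushed firmware load would look like: the modem checks a signature with a pinned vendor key before writing anything to flash. The following is an added illustration, not code from any vendor or from this thread; the image layout (magic, version, payload, Ed25519 signature) is a constructed format, and the anti-rollback version check is added because a correctly signed but older image is the other way a management-network compromise can be turned into a brick.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (assumption, not a real vendor format):
//   magic    6 bytes  "FWIMG1"
//   version  4 bytes  big-endian uint32, must increase on every release
//   payload  N bytes  the firmware itself
//   sig     64 bytes  Ed25519 signature over magic||version||payload
const (
	magic  = "FWIMG1"
	hdrLen = len(magic) + 4
	sigLen = ed25519.SignatureSize
)

var (
	ErrMalformed = errors.New("firmware: image too short or bad magic")
	ErrBadSig    = errors.New("firmware: signature does not verify against pinned key")
	ErrRollback  = errors.New("firmware: version not newer than installed version")
)

// NewSigningKey generates a vendor key pair. Only the public half would ever
// be baked into a modem's bootloader; the private half stays on the signing host.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage produces a signed image on the hub/signing side.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	buf.Write(payload)
	sig := ed25519.Sign(priv, buf.Bytes()) // covers header and payload
	buf.Write(sig)
	return buf.Bytes()
}

// VerifyImage is what the modem runs before touching flash. pub is the pinned
// vendor key, installed is the version currently in flash. The payload is
// returned only if every check passes.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) ([]byte, uint32, error) {
	if len(img) < hdrLen+sigLen || string(img[:len(magic)]) != magic {
		return nil, 0, ErrMalformed
	}
	signed := img[:len(img)-sigLen]
	sig := img[len(img)-sigLen:]
	// Verify first, so nothing else is parsed out of an image that the
	// vendor (rather than whoever now controls the hub) did not sign.
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrBadSig
	}
	version := binary.BigEndian.Uint32(signed[len(magic):hdrLen])
	// Anti-rollback: the version is inside the signed data, so a replayed
	// old-but-genuine image cannot reintroduce a fixed bug.
	if version <= installed {
		return nil, version, ErrRollback
	}
	return signed[hdrLen:], version, nil
}

func main() {
	pub, priv := NewSigningKey()
	img := BuildImage(priv, 2, []byte("constructed payload"))
	_, v, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image: version", v, "err", err)
	img[hdrLen] ^= 0xff // flip one payload byte
	_, _, err = VerifyImage(pub, 1, img)
	fmt.Println("tampered image: err", err)
}
```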
It's not clear how any of the suggested attacks constitute 'permanent' damage:
disabling the transmitter, corrupting the antenna pointing logic, demod, power params can all be solved by reflashing the firmware and FPGAs. Not always simple but possible at least by the manufacturer.
One way to really destroy a transmitter is to transmit at full power without an antenna attached. Another is to burn the receiver front end by directing the full transmitter output to the receiver input. If the RF path is configured with software controlled RF switches a hack could burn out the front end circuitry for good. All depends on how permanent we're talking.
Well, if my paytv CPE experience means anything here…
One brand of electronic countermeasure would cause a firmware write that wouldn’t allow the receiver to boot because you’re a lazy hacker that didn’t lock the flash chip at the hardware WE pin level.
There were a couple of strategies to resolve:
1) remove chip and re-program (not fun on TSOPs)
2) JTAG reprogram (easy and cheap when computers had parallel ports: just some wires and a DB25 connector and the port can bit bang everything)
3) the device does a Power on self test. If it detects a corrupted flash file, it will grab a fresh and clean one from the satellite stream and overwrite your nasty one. You can trigger this by shorting/grounding the right address lines on the flash chip at the right time in the self-test. It won’t pass checksum validation and will think a corrupted update occurred and rewrite it.
That was all for the parallel flash chip (a 28 or 29f series I think).
If it was a serial flash chip like a 24 series, that would be even easier to deal with.
Can confirm that this kind of software is terrible. I've worked in SATCOM for years, we've deployed modems to military that have hardcoded passwords for web UI and SSH that you can google on the internet... Obviously some effort goes into firewalling all that off very carefully, and then often separate VPN over the top (hardware crypto, etc.), but the modems themselves are appalling. The SSH host keys also change when you do a firmware upgrade which makes me think that might be hardcoded and just changed in each version, not generated for each device... I haven't checked though.
Unfortunately that was the modem that the satellite operator required us to use, there was no other option!
If someone has access to a bricked modem and can ship it for analysis, we can try to collect evidence of what happened and how the modem was bricked - who knows, maybe the log partition wasn't overwritten or other artefacts are left (significant events like updates are permanently logged).
As a side effect, recovery instructions can be created.
Replying to @elonmusk
Is there anything to stop it on starlink?
Musk replies "game on".
The Russians have recently demonstrated their ability to physically take out satellites, and willingness to use it. If Putin did that, creating a lot of debris, the US would lose the space advantage and we would push human advancement into space back by perhaps 1000 years while we wait for the skies to clear.
US MUST stop provoking Russia.
"game on" is hard to interpret as anything but a flippant challenge to a dangerous man with military resources in space.
Appeasing murderous dictators is also a good way to set back human advancement, on the ground and in space. Giving in just because your opponent might do something stupid is equally bad diplomacy.
Can someone versed in military doctrine / strategy talk about dealing with the uncertainty of a false-flag attack?
Does the best-known approach just boil down to weighing the cost/benefit of (acting | not acting) x P(most likely aggressor | some other cause)? Or has someone figured out a better approach?
The purpose of a false flag is to drive a certain narrative, so it's always accompanied by incessant media coverage. That is not the case here, the attack is likely for genuine tactical purposes.
Are you sure that false-flag attacks always involve a media blitz?
Just thinking that if I were planning a false flag, and I know that people would recognize it as such because of the media blitz, then I'd look for a workaround. That seems consistent with what we have here.
> What’s the point of a false flag if nobody knows about it?
I agree. A false-flag attack is all about optics.
But IIUC the GP, they're saying the SATCOM failure isn't widely known, so it wouldn't make sense as a false-flag attack.
That's where GP loses me. Because we are discussing it here, as members of the general public. And the discussion isn't limited to a small nerdy site like HN; it's also being covered by Reuters [0].
I usually use a 'what are either side saying about it' and then apply a 'there are always three sides to things <side A's, side B's' and the true event>' heuristic transform filter.
Unfortunately, with all the censorship, service withdrawals, disconnections etc. (from both sides), this approach becomes .... difficult ....
My opinion is, let all the information flow. People are not sheep that need herding by the powers that be (again, I refer to both 'sides' here).
The outage itself has already been widely reported (at least in EU media), especially the (potential) impact on wind electricity generation capacities: