According to experts, the outage of thousands of KA-SAT terminals in several European countries can only be explained by an attack on the central Network Operation Center (NOC). That terminals in different countries are affected follows from how the network is organized. What kinds of damage were done, and which parts of the modems the attack targeted, remain unclear; the attack coincided with the start of the Russian invasion of Ukraine.
The KA-SAT satellite supplies Europe and the Mediterranean region with Internet access and, because it does not depend on terrestrial infrastructure, is also used to connect technical systems in remote areas. Among other things, the operation of thousands of wind turbines was impaired. The turbines keep running and generating electricity, but they can no longer be reached for remote monitoring and control, as was reported earlier this month.
Initially described as a “cyber incident” by operator Viasat, the US company has now confirmed to the Federal Office for Information Security (BSI) that it was an attack. Andreas Knopp of the Bundeswehr University in Munich explains that its independence from terrestrial infrastructure currently makes satellite Internet the most important means of communication in Ukraine. One of KA-SAT’s 82 “spot beams” is centred over Kyiv.
To date, Viasat has not fully informed the operators connected to the network, confirms IPcopter’s managing director Bernhard Neumayer. The company equips fire departments with satellite systems for emergency communications. IPcopter’s own Spotbeam 2 Plus modem worked in routine tests, while the modem of one affected customer showed nothing but a faint flicker of its LED.
Neither DDoS nor EMP nor a terminal zero-day
A more detailed hypothesis to explain the attack observed since 24 February was first put forward by Spanish security researcher Rubén Santamarta. According to his own research, the KA-SAT network is still working for everyone whose modem was not damaged during the attack. By his information, users in Spain and Portugal were not affected at all. Users in Ukraine, Germany, Greece, Hungary and Italy, among others, were hit.
In his analysis, Santamarta concludes that the attack on the satellite network must have been aimed at a central point. Ultimately, that is the only way to explain the seemingly random distribution across the US operator’s network. A DDoS attack cannot account for thousands or even tens of thousands of modems that are faulty or merely twitching. Given the geographic spread, an electromagnetic pulse is also very unlikely, as is a direct takeover of the SATCOM terminals, for example through zero-day vulnerabilities. Instead, compromising the connected devices, for example with malicious code or manipulated software updates, requires control over a central gateway or the NOC.
Central NOC attacked
The intelligence of the KA-SAT network is concentrated in the central NOC, explains Thomas Lohre, formerly a co-developer of satellite Internet access via KA-SAT at Eutelsat. The terminals, each consisting of a satellite dish and a modem, are managed through gateways distributed across Europe. Software updates are regularly pushed out from there. On the terminal side, an update is noticeable only in that the modem reboots automatically once the triggered download has completed.
An attack via a software update, as Santamarta suspects, would mean that the attackers distributed their malicious code through the NOC. An inquiry from heise online to the responsible technical manager at Eutelsat in Turin has not yet been answered. Like Viasat, the Eutelsat subsidiary responsible for the NOC is keeping a low profile.
Scattershot distribution
Ultimately, only the NOC operator can explain why just part of the KA-SAT network was affected, and exactly which part. Little is known about which services in Ukraine were hit.
Because of the structure of the KA-SAT network, a targeted attack on terminals in just one country is hardly possible. Each gateway is responsible for ten spot beams whose footprints cover locations in different countries. According to an expert presentation, the assignment of beams to gateways is practically scattershot.
Each terminal can use two gateways: if one is unavailable, the other serves as a backup. Had the attackers picked a specific gateway to deliver malicious software updates, terminals in different countries would have been affected, which is exactly what was observed in the attack. At the same time, modems in the “target zone” of the attack may by chance have been using their backup gateway.
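To make the blast-radius argument concrete, the following is an added example (not from the article, nor Viasat’s or Eutelsat’s code or data): it models gateways, spot beams and primary/backup assignments with constructed data and computes which terminals, in which countries, a compromised gateway could reach, and which terminals escape because they happened to be on their backup gateway.

```python
# Constructed model (not Viasat's or Eutelsat's data): the beam/gateway mapping
# and the terminals are invented to illustrate the cross-border blast radius.

# Each gateway serves several spot beams; each beam footprint is tagged with a country.
GATEWAY_BEAMS = {
    "GW-A": {"beam01": "DE", "beam02": "UA", "beam03": "IT"},
    "GW-B": {"beam04": "HU", "beam05": "GR", "beam06": "ES"},
}
BEAM_COUNTRY = {b: c for beams in GATEWAY_BEAMS.values() for b, c in beams.items()}

# Terminal -> (beam, primary gateway, backup gateway, currently failed over to backup?)
TERMINALS = {
    "t1": ("beam01", "GW-A", "GW-B", False),
    "t2": ("beam02", "GW-A", "GW-B", False),
    "t3": ("beam02", "GW-A", "GW-B", True),   # in the "target zone" but on its backup
    "t4": ("beam03", "GW-A", "GW-B", False),
    "t5": ("beam04", "GW-B", "GW-A", False),
    "t6": ("beam05", "GW-B", "GW-A", True),   # failed over onto the other gateway
}

def serving_gateway(terminal):
    """Gateway a terminal currently pulls updates from (its backup if it has failed over)."""
    _beam, primary, backup, on_backup = TERMINALS[terminal]
    return backup if on_backup else primary

def affected_by(gateway):
    """Terminals that would receive an update pushed through `gateway`."""
    return sorted(t for t in TERMINALS if serving_gateway(t) == gateway)

def countries_hit(gateway):
    """Countries with at least one affected terminal: the impact crosses borders."""
    return sorted({BEAM_COUNTRY[TERMINALS[t][0]] for t in affected_by(gateway)})

def spared_in_country(gateway, country):
    """Terminals in `country` homed on `gateway` that escaped because they were on their backup."""
    hit = set(affected_by(gateway))
    return sorted(t for t, (beam, primary, _backup, _on_backup) in TERMINALS.items()
                  if BEAM_COUNTRY[beam] == country and primary == gateway and t not in hit)

if __name__ == "__main__":
    for gw in GATEWAY_BEAMS:
        print(gw, "->", affected_by(gw), "countries:", countries_hit(gw))
    print("UA terminals spared by failover from GW-A:", spared_in_country("GW-A", "UA"))
```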
“Although the beams are relatively independent of each other, so that interference in one does not immediately affect the others, if a gateway fails because of a cyberattack, all beams connected to it are affected,” explains Knopp. It could therefore be that the Russians really did intend to cut Internet connections in Ukraine, but in doing so also cut wind turbines in Central Europe off from the Internet, Knopp speculates.
An attack through the central NOC would be a major event, says Lohre, and “then many kinds of damage to the terminals are conceivable.” A software update could, for instance, write an incorrect frequency selection to the terminals; afterwards they can no longer find the satellite and are practically paralyzed.
It is also conceivable that new software interferes with the modem’s internal voltage management and disrupts sensitive high-frequency components, for example by switching them on and off, or accelerates their “aging” so that the hardware quickly gives up the ghost. Such damage would match the observations at IPcopter, where Neumayer speaks of a modem whose LED only twitches.
What can still be read out of one of the damaged modems from Germany is currently being examined in the heise laboratory. Viasat is responsible for the gap through which the attackers were able to enter the NOC. Security politicians and the military can speak their minds about motive and political significance.