On February 24, the first day of the Russian invasion of Ukraine, large parts of American satellite company Viasat’s KA-SAT network of high speed satellite services experienced disruptions resulting in partial network outages throughout Ukraine and several European countries. Tens of thousands of terminals suffered permanent damage and many were still offline more than two weeks later. Viktor Zhora, deputy chief of Ukraine’s State Service of Special Communication and Information Protection, described the satellite outage as “a really huge loss in communications in the very beginning of war.” Among others relying on KA-SAT are Ukraine’s military, intelligence, and police units.

Other countries were affected too, including Germany, Greece, Hungary, and Poland. Germany acknowledged that approximately 5,800 wind turbines, presumably those remotely operated via a satellite communications (SATCOM) link in central Europe, were knocked offline by the outage. According to SentinelLABS, the turbines themselves were intact but “remote monitoring and control” was impossible due to issues with satellite communications. Additionally, many of Eutelsat's domestic broadband service customers in the affected countries lost Internet access (KA-SAT and its associated ground stations were purchased last year by Viasat from European company Eutelsat, and are operated by a Eutelsat subsidiary). Der Spiegel reported that German government agencies were investigating the incident as a cyberattack carried out through an automatic software update installed at 5 a.m. on February 24—notably coinciding with the beginning of Russia’s invasion of Ukraine.

These events should call attention to two related issues. One is the cyber threat to satellite communications. The second is the potential role of the private sector in countering this threat. At first, cybersecurity researchers thought the network outages could have been the result of a distributed denial-of-service (DDoS) attack. The head of French Joint Space Command, General Michel Friedling, confirmed that the incident originated in a cyberattack, but also provided a key detail indicating that it was a different kind of attack. According to Friedling, “the terminals have been damaged, made inoperable and probably cannot be repaired.” This suggested a remotely exploitable vulnerability in a SATCOM terminal.

Russia too is keenly aware of the cyber threat to space systems. In early March, Dmitry Rogozin, the head of the country’s space agency Roscosmos, was quoted making an unequivocal statement that any hacking of Russian satellites would be treated as a justification for war. The warning followed reports by a non-state hacking group that claimed to attack Russian satellite imaging systems in response to the invasion of Ukraine. Rogozin denied these reports.

The criticality of satellite communication connectivity was highlighted once again when SpaceX CEO Elon Musk responded to a request from Ukrainian deputy prime minister Mykhailo Fedorov and sent Starlink system terminals to Ukraine to help it maintain continuous Internet connectivity.

After attempts to disrupt the Starlink terminals deployed in Ukraine were identified, Musk noted that SpaceX intends to focus on improving its cybersecurity capabilities and preventing signal disruption of the Starlink system. This might lead to delays in the Starship launcher development program and the launch of the second-generation Starlink satellite (Starlink V2). Gen. James Dickinson, commander of the U.S. Space Command, who testified at a hearing of the Senate Armed Services Committee on March 8, emphasized that he was impressed by SpaceX's ability to provide continuous internet access in war-torn areas of Ukraine. Dickinson said this proves the advantages inherent in the operation of large arrays of satellites or multi-platform space architecture in terms of redundancy, robustness, and the provision of advanced capabilities.

Analysts for the U.S. National Security Agency, the French government cybersecurity organization ANSSI, and Ukrainian intelligence are investigating whether the remote sabotage of KA-SAT was the work of Russian-state backed hackers. A Viasat official said a misconfiguration in the “management section” of the satellite network had allowed the hackers to gain remote access into the modems, knocking them offline. He said most of the affected devices would need to be reprogrammed either by a technician on site or at a repair depot while some would have to be replaced altogether.

This highlights the importance of the private sector in this context, specifically private cybersecurity companies and the private space sector. Cybersecurity companies played an important part in analyzing this intrusion and attributing it to Russia. For example, SentinelLabs researchers discovered new malware named “AcidRain” that was designed to wipe modems and routers. They identified, with a moderate degree of confidence, similarities between this malware and another discovered in 2018, which the FBI and Department of Justice had attributed to the Russian government. In a statement disseminated to journalists, Viasat confirmed the AcidRain wiper had been used in the February 24 attack against its modems. And, as noted earlier, SpaceX had a critical role in helping Ukraine deal with the consequences of the cyberattack and restore communication to the area. 

General Dickinson also stressed the importance of the private space sector. At the same March 8 hearing, when asked if there was a “legal framework” for U.S. commercial space companies that become involved in contested situations like SpaceX’s involvement in Ukraine, he said “We work very closely in our commercial integration cell on that very issue.” The commercial integration cell (CIC) is a group of ten commercial satellite operators that work with U.S. Space Command. It was originally created to share intelligence about threats in space and other issues of concern, given the military’s dependence on commercial space services. The cyber threat is a major one on this list.

After nearly two months into Russia’s invasion of Ukraine, the ongoing war demonstrates that hypothetical scenarios of cyberattacks paralyzing satellite communications are already taking place with a multitude of consequences. Civilians are victims on this front too, and the private cyber and space sectors have a critical role to play in providing assistance and mitigating damages. They should prepare for the future accordingly.

Dr. Gil Baram is a cyber strategy and policy expert. Currently, she is a Fulbright cybersecurity post-doctoral fellow at the Center for International Security and Cooperation (CISAC), Stanford University. Her postdoctoral research focuses on national decision-making during cyber conflict. Dr. Baram is an adjunct fellow at the Centre of Excellence for National Security at Nanyang Technological University in Singapore and a senior research fellow at the Blavatnik Interdisciplinary Cyber Research Center, Tel Aviv University. Previously, Dr. Baram served as the Head of cyber and space research team at the Israeli think tank Yuval Ne'eman workshop for Science, Technology and Security.

Image: Flickr/U.S. Air Force.