CISA discovers APT28 Russian hackers inside US satellite network

Researchers at the Cybersecurity and Infrastructure Security Agency (CISA) discovered Russian hackers inside a United States satellite network. The intruders suspected of lurking on the network are tracked as APT28, or "Fancy Bear", a group with known ties to the Russian government.

The discovery was made after suspected anomalous behavior on the network.

CISA researcher MJ Emanuel discussed the incident at this year's CYBERWARCON cybersecurity conference. Emanuel believes the APT28 hackers may have been on the network for months before the discovery.

The detection is concerning as it confirms Moscow’s cyber activities within critical United States infrastructure.

CISA and the FBI warned of Russia's interest in satellite networks after the cyberattack on US telecom company ViaSat's European network was attributed to Russia. ViaSat provides satellite internet connectivity to many parts of Europe, and the attack occurred just before Russia's invasion of Ukraine in February 2022.

Satellite networks are largely operating with insufficient security protection, according to Gregory Falco, a professor at Johns Hopkins University. “All of these satellite telcos are a freaking nightmare when it comes to security posture,” he said.

A lack of standards in the space industry contributes to an inconsistent approach to security, per a CyberScoop report.

Security standardization led by the Institute of Electrical and Electronics Engineers (IEEE) is underway but will take years to formalize and be implemented by satellite companies.

A large part of supervisory control and data acquisition, or SCADA, traffic is unencrypted. SCADA traffic carried over satellite communications is typically not end-to-end encrypted; it is relayed between ground stations and satellites in the clear, so intercepting and monitoring it takes little effort.

Traffic running through other critical infrastructure, such as manufacturing plants and other operational technology, is also largely unencrypted. This has driven a surge of interest in the cybersecurity space in passively monitoring industrial internet of things and operational technology network traffic for auditing and visibility.
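To make the point about cleartext SCADA traffic concrete, the following is an added example that is not part of the original article or of any tool it mentions. The article does not name a protocol; Modbus/TCP is assumed here because it is one of the most common cleartext SCADA protocols. The script builds a few constructed Modbus/TCP request frames (not captured traffic), then parses them the way a passive tap on a ground station or satellite link would, showing that unit IDs, register addresses and written setpoint values are fully readable without any key, and flagging write operations, which are the frames a monitoring team would want to audit.

```python
"""Passive decoder for Modbus/TCP request frames seen on an unencrypted SCADA link.

Added example, not from the original article. Modbus/TCP is an assumption:
the article only says SCADA traffic is unencrypted and does not name a protocol.
All frames below are constructed for illustration, not real captures.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Public Modbus function codes covered by this decoder (fixed 5-byte PDU layout:
# function code, 16-bit address, 16-bit quantity or value).
FUNCTION_NAMES = {
    0x01: "Read Coils",
    0x03: "Read Holding Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
}
# Writes change process state, so a passive monitor should single them out.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    value_or_count: int

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS


def build_request(tid: int, unit: int, func: int, address: int, value: int) -> bytes:
    """Construct a Modbus/TCP frame: MBAP header + 5-byte PDU.

    MBAP length field counts the bytes that follow it: unit id (1) + PDU."""
    pdu = struct.pack(">BHH", func, address, value)
    return struct.pack(">HHHB", tid, 0, 1 + len(pdu), unit) + pdu


def parse_mbap(frame: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus/TCP request frame exactly as it appears on the wire.

    Header: transaction id (2), protocol id (2, must be 0), length (2), unit id (1).
    Returns None on anything malformed or unsupported; a passive monitor must
    never crash on an odd frame, it just records that it skipped one."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    pdu = frame[7:]
    func = pdu[0]
    if func not in FUNCTION_NAMES or len(pdu) < 5:
        return None
    address, value_or_count = struct.unpack(">HH", pdu[1:5])
    return ModbusRequest(tid, unit, func, address, value_or_count)


def audit(frames: List[bytes]) -> List[str]:
    """Produce one audit line per frame; writes are tagged for alerting."""
    log = []
    for frame in frames:
        req = parse_mbap(frame)
        if req is None:
            log.append("MALFORMED frame skipped")
            continue
        tag = "WRITE" if req.is_write else "read "
        log.append(f"{tag} unit={req.unit_id} fn=0x{req.function:02x} "
                   f"({FUNCTION_NAMES[req.function]}) addr={req.address} "
                   f"value/count={req.value_or_count}")
    return log


def count_writes(frames: List[bytes]) -> int:
    """Number of well-formed frames that modify device state."""
    return sum(1 for f in frames if (r := parse_mbap(f)) is not None and r.is_write)


# Constructed sample traffic: a polling read, a setpoint write, a truncated frame.
SAMPLE_FRAMES = [
    build_request(1, 1, 0x03, 0x0000, 10),    # read 10 holding registers from unit 1
    build_request(2, 1, 0x06, 0x0010, 1500),  # write setpoint 1500 into register 16
    b"\x00\x03\x00\x00\x00\x06\x01",          # header only, PDU lost: must be skipped
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES):
        print(line)
```

Nothing in the decoder needs a key or a session secret: the same bytes a legitimate master sends are what an eavesdropper on the link reads. Returning None on malformed input rather than raising is deliberate, since a visibility tool that falls over on the first odd frame stops being a visibility tool.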
