According to experts, the outage of thousands of KA-Sat terminals in several European countries can only be explained by an attack on the central Network Operation Center (NOC). That terminals in different countries are affected follows from how network operations are organized. Why different classes of modems show different kinds of damage, and what the targets of the attack were, remains unclear; the attack began at the same time as the Russian invasion of Ukraine.
KA-Sat supplies satellite Internet to Europe and the Mediterranean region and, because it does not depend on terrestrial infrastructure, is also used to connect technical systems in remote areas. Among other things, the operation of thousands of wind turbines was impaired. The turbines are still running and generating electricity, but they can no longer be reached for remote monitoring and control, as reported earlier this month.
The operator Viasat initially reported a “cyber event”; the US company has now confirmed to the Federal Office for Information Security (BSI) that it was an attack. Andreas Knopp of the Bundeswehr University in Munich explains that independence from terrestrial infrastructure now makes satellite Internet the most important means of communication in Ukraine. One of KA-Sat’s 82 “spot beams” covers Kiev.
To date, Viasat has not given the go-ahead to operators connected to the network, confirms Bernhard Neumeyer, CEO of IPcopter. The company equips fire departments with satellite systems for emergency communication. The company’s own Spotbeam 2 Plus modem works in routine tests, while one affected customer’s modem shows only faint LED activity.
Neither DDoS nor EMP nor terminal zero-day
The Spanish security researcher Rubén Santamarta was the first to propose a more detailed hypothesis to explain the attack observed since February 24. Based on his own research, he assumes that the KA-Sat network works for everyone whose modem was not damaged during the attack. According to his information, users in Spain and Portugal were not affected at all. Users in Ukraine, Germany, Greece, Hungary and Italy, among others, were hit.
In his analysis, Santamarta concludes that the attack on the satellite network must have been directed at a central point. Ultimately, this is the only way to explain the seemingly random distribution of outages across the US carrier’s network. A DDoS attack cannot explain thousands or even tens of thousands of faulty or merely flickering modems. An electromagnetic pulse is also highly unlikely given the distribution, as is a direct takeover of satcom terminals, for example via zero-day vulnerabilities. Rather, compromising the connected devices, for example with malicious code or a manipulated software update, requires control of a central gateway or the NOC.
Attack on central NOC
The intelligence of the KA-Sat network is concentrated in a central NOC, explains Thomas Lohrey, former co-developer of satellite Internet access via KA-Sat at Eutelsat. The terminals, which consist of a satellite dish and a modem, are managed through gateways distributed across Europe. Software updates are regularly pushed from there. The terminals notice the updates only insofar as the modem restarts after the automatically triggered download.
An attack via a software update, as Santamarta suspects, would mean that the attackers spread their malicious code via the NOC. A query from heise online to the responsible technical director at Eutelsat in Turin has not yet been answered. Like Viasat, the Eutelsat subsidiary responsible for the NOC is keeping a low profile.
Scattershot distribution
Ultimately, only the NOC operator can clarify why only part of the KA-Sat network was affected, and which part exactly. Little is known about which services in Ukraine were affected.
A targeted attack on terminals in a single country is almost impossible given the structure of the KA-Sat network. Each gateway is responsible for ten spot beams, which cover locations in different countries. According to a presentation by an expert, beams are assigned to gateways practically at random.
Each terminal can in any case use two gateways: if one is unavailable, a second serves as backup. Had the attackers selected a specific gateway for delivering the malicious update, terminals in different countries would have been affected, which is exactly what was observed in the attack. At the same time, modems in the “target area” of the attack could have been using their backup gateway.
Knopp explains: “Although beams are relatively independent of each other, so that outages don’t immediately affect one another, if one gateway fails due to a cyberattack, all beams connected to it are affected.” So it could be that the Russians really wanted to cut off Internet connections in Ukraine, but also disconnected wind turbines in Central Europe from the Internet, Knopp speculates.
Damaged modems
An attack through the central NOC would be a massive incident, says Lohrey, and “then many kinds of damage to terminals are conceivable.” The software update could write the wrong frequency selection to the terminals, after which they can no longer find the satellite and are practically paralyzed.
It is also possible that the new software interferes with the modem’s internal voltage management and disrupts sensitive high-frequency circuits, for example by switching them on and off, or accelerates the “aging process” so that the hardware quickly gives up the ghost. Such damage would fit the observations at IPcopter, where Neumeyer speaks of a modem whose LEDs only flicker.
The heise lab is currently examining what can be read out of one of the damaged modems from Germany. Viasat must deal with the gap through which the attackers could have entered the NOC. Security politicians and the military may rack their brains over the political motive and meaning.
(application)