A satellite ground station that functions as a hub connecting a satellite network with a terrestrial telecommunications network. the FBI and Cybersecurity and Infrastructure Security Agency have issued a new joint advisory warning American and allied satellite owners and operators that they “are aware of possible threats to U.S. and international satellite communication networks.” (Vsatinet, CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0, via Wikimedia Commons)

A week after Ukrainian military officials detailed how the hack of Viasat satellite modems caused a “huge loss” in communications right as the Russian army invaded, the FBI and Cybersecurity and Infrastructure Security Agency have issued a new joint advisory warning American and allied satellite owners and operators that they “are aware of possible threats to U.S. and international satellite communication networks.”

The language is notable, because in previous cybersecurity advisories put out in the wake of the Russian military build up and invasion, the agencies were always careful to emphasize that there were no “specific or credible threats” driving their warnings. In this case, the hack of a satellite network could provide malicious hackers with a pathway into the network of other victims.

"Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments,” the agencies warned.

The advisory never mentions Russia – or any other country or hacking group – by name, only citing “the current geopolitical situation” and CISA’s “Shields Up” initiative, which was stood up in the weeks leading up to the Russian invasion of Ukraine to proactively harden the cyber defenses of U.S. businesses and organizations ahead of potential cyber conflict between Russia and the West.

It also references the U.S. intelligence community’s 2022 annual threat report, which details how countries like Russia and China have incorporated anti-satellite capabilities into their arsenals, something the agencies claim is being done with an eye towards the U.S. Russia in particular “is investing in electronic warfare and directed energy weapons to counter western on-orbit assets…by disrupting or disabling adversary C4ISR capabilities and by disrupting GPS, tactical and satellite communications, and radars”

“Russia continues to train its military space elements and field new antisatellite weapons to disrupt and degrade U.S. and allied space capabilities, and it is developing, testing, and fielding an array of nondestructive and destructive counterspace weapons — including jamming and cyberspace capabilities, directed energy weapons, on orbit capabilities, and ground-based ASAT capabilities—to target U.S. and allied satellites,” the assessment notes.

The FBI and CISA give a bevy of detection and mitigation advice for satellite operators to focus on. It includes putting additional monitoring in place to search remote access tools (like TelNet and Secure Shell Protocol) communicating with satellite terminals. Such additional monitoring, placed at ingress and egress points to satellite communications equipment, could also pick up unexpected or unauthorized traffic to other networks, access of local or backup accounts and brute force login attempts.

For satellite communications network providers and customers, it mostly offers bread and butter advice around good cyber hygiene. Security personnel are advised to implement multifactor authentication for user accounts, use strong passwords, remove access privileges for expired accounts or credentials, monitor network logs for suspicious activity and have a strong incident response plan in place if a breach or compromise does occur.

It also references two other resources for network providers and customers: a technical guide for protecting very small aperture terminals (VSAT) communications developed by the National Security Agency earlier this year and the Known Exploited Vulnerabilities catalogue, a rolling, updated list of software and hardware vulnerabilities that have been used by malicious hackers in the past and that federal agencies must patch within two weeks of notification.

In keeping with past warnings, the advisory presses organizations to contact CISA or the FBI watch centers to report incidents and anomalous activity on their network, through either email ([email protected] and [email protected]) or phone (FBI: 855-292-3937, CISA: 888-282-0870).