Cyble-SATCOM-under-attack

Increased Attacks on SATCOM Observed

Maritime Operations at Risk

Introduction

Satellite Communications (SATCOM) is a critical part of the worldwide communications system. Terrestrial network infrastructure is physically constrained and simply cannot meet the demands of certain activities; numerous satellite constellations orbit the Earth to fill this gap and increase performance. These networks provide internet access to people in remote regions, help vessels and aircraft operate safely, and give the military and emergency services essential communication links during armed conflicts or natural disasters.

The two essential components of satellite communication are the ground segment, consisting of fixed or mobile transmission, reception, and ancillary equipment, and the space segment, consisting primarily of the satellite itself.

Satellites provide three major types of communication services:

1. Telecommunications:

Telecommunication services include telephone calls and the services provided to telephone companies and to wireless, mobile, and cellular network providers.

2. Broadcasting:

Broadcasting services include direct-to-consumer radio and television and mobile broadcasting services.

3. Data communications:

Data communication is the transfer of data from one location to another. Organizations and companies that must exchange financial and other information between their various sites use satellites to carry that traffic over Very Small Aperture Terminal (VSAT) networks.

The principal frequency bands used for satellite communication are L-band, S-band, C-band, Ku-band, and Ka-band.

Ku-band and Ka-band are used for critical applications worldwide. The Ku-band spectrum (12-18 GHz) is extensively used for maritime VSAT services. Because of its global coverage and good availability, Ku-band can be a cost-effective and versatile way of achieving high throughput on smaller reflector dishes than C-band VSAT, making it suitable for a wider range of vessels.

The Ka-band spectrum (18-40 GHz) is the foundation for a new generation of services on High Throughput Satellites (HTS), which use a spot-beam configuration to deliver more bandwidth across the coverage area, including remote sites where Supervisory Control and Data Acquisition (SCADA) systems depend on the satellite link.

Because SATCOM links critical units deployed worldwide, it is actively targeted by attackers. A recent example is the cyber-attack on one of the world’s largest commercial satellite operators. Authorities are investigating a suspected cyberattack that disrupted residential broadband services in eastern European countries, including Ukraine, as shown in Figure 1. NetBlocks reported that Viasat’s KA-SAT network was heavily impacted in Europe.

Figure – 1 NetBlocks tweet regarding the cyber-attack on the KA-SAT network

Viasat stated, “a third-party cybersecurity firm was looking into the causes of an outage in recent days across its KA-SAT network, which provides high-speed satellite internet coverage in Europe and Mediterranean markets.”

Due to this attack, thousands of KA-SAT SATCOM terminals unexpectedly stopped working in several European countries and in Ukraine. Enercon, a German company, disclosed that around 5,800 of its wind turbines in central Europe, apparently those remotely monitored and controlled over a SATCOM link, had lost connectivity to their SCADA system. In the affected countries, many customers of Eutelsat’s residential broadband service were also unable to connect to the Internet.

On the same subject, at a press conference held by the French Ministry of Armed Forces, French Space Commander General Michel Friedling confirmed that there had been a cyberattack against the satellite network. A screenshot of the press conference is shown in Figure 2.

Figure – 2 French Ministry of Armed Forces press conference on the cyber-attack on Viasat

On January 25, 2022, the National Security Agency (NSA) issued guidance on securing VSAT networks, indicating that multiple agencies were examining VSAT networks and the impact of cyber-attacks on them. Following the NSA guidance, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on March 17, 2022, stating: “The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of possible threats to U.S. and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risks in SATCOM network providers’ customer environments.”

Researchers at Cyble Research Labs believe that Threat Actors (TAs) will target the maritime sector extensively as the global oil crisis and price fluctuations intensify due to the geopolitical events surrounding the Russia-Ukraine conflict. Oil tankers and large vessels transport oil from one point to another, which makes them prime targets for attackers.

Given the current imbalance in trade between countries, the possibility of cyber-attacks on cargo ships carrying valuable or sensitive goods, such as munitions or hazardous chemical products, cannot be ruled out.

Given the attacks on the KA-SAT network, it is reasonable to assume that Very Small Aperture Terminal (VSAT) terminals are also in the crosshairs of potential attackers. VSAT terminals deployed on marine vessels transmit data, video, and voice through satellite transponders that typically operate in the C-band and Ku-band.

Investigation Outcomes 

While investigating the threat to VSAT terminals deployed on marine vessels, we found multiple terminals exposed to the Internet that can provide a great deal of sensitive intelligence to potential attackers, as shown below.

Figure – 3 Exposed ACU Dashboard from the vessel

The Antenna Control Unit (ACU) is the system’s control unit. It manages all communication between the Above Deck Unit (ADU) and the attached VSAT Modem Unit (VMU), a connected PC, and an optional FleetBroadband service line.

The exposed web interface displays the hostname, which includes the vessel’s name and lets an attacker identify the system when logging in remotely. The Global Navigation Satellite System (GNSS) and Vessel Heading fields in the web interface give an attacker with access to the dashboard the vessel’s exact position and course.

Some of the exposed web interfaces we observed were still using default credentials, which give an attacker administrative rights over the ACU and its functions, such as manipulating satellite profiles, as shown in Figure 4. This could result in false readings being presented to the operators.

Figure – 4 Satellite Profiles available on ACU

The Above Deck Unit antenna transmits Radio Frequency (RF) energy that is potentially harmful to people working on the ship’s decks. The web interface therefore lets the operator define No-Transmit Zones (blocking zones); each zone is configured by its azimuth and elevation angles, as shown in Figure 5. An attacker who gains control of the ACU can change these parameters and expose crew members working on deck to RF radiation.

Figure – 5 No Transmit Zone settings

From the ACU web interface an attacker can gather sensitive information such as the hostname (used to identify the ACU on local networks and in email reports), IP details, DHCP server details, DNS source, outgoing mail server (SMTP), SMTP port number, and SMTP authentication settings, as shown in Figure 6.

Gaining access to this sensitive information may allow attackers to execute further attacks on the network.

Figure – 6 Sensitive Network Information

An attacker with access to the ACU web interface can grant administrative rights to an arbitrary user account, which can then be used to perform the tasks listed in Figure 7.

Figure – 7 User Permissions

An attacker can also manipulate the navigation settings in the ACU web interface, as shown in Figure 8, which can start a chain of events potentially leading to disaster.

Figure – 8 Navigation System Control

The ACU web interface also provides firmware upload functionality, which an attacker can misuse. A malicious firmware file uploaded through the ACU, as shown in Figure 9, can compromise the terminal and the network behind it and may also serve as a foothold for a ransomware attack.

Figure – 9 File Upload Functionality

The ACU web interface also allows the antenna and terminal to be restarted, which terminates all existing connections, as shown in Figure 10.

Figure – 10 Antenna restart option

An attacker can also change the voicemail number and delete messages within the web interface. These messages may contain sensitive information such as upcoming events, plans, coordinates, and instructions, so tampering with them can create chaos on deck.

Some of the instances found also had a telnet port open, giving an attacker access to the complete ACU command-line interface. The ACU command line allows manipulation of all ACU settings and retrieval of sensitive information such as system information, satellite profile configuration, and active events.
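The exposed web interface and open telnet port described above are the first things a shore-side attacker looks for. The following script is an added example, not code from the original post or from any terminal vendor: it performs a plain TCP reachability check against a terminal’s satellite WAN address for the assumed management ports (23 for the telnet CLI, 80 and 443 for the ACU web interface) and reports the worst exposure per terminal. The port list, the severities and the sample addresses are assumptions; run it only against terminals you are authorised to test.

```python
"""Internet-exposure audit for VSAT terminal management interfaces.

Added example; not code from the original post or from any terminal
vendor. From a shore-side vantage point it checks whether the services
described above (the ACU web interface and the telnet CLI) complete a
TCP handshake on a terminal's satellite WAN address. The port list and
severities are assumptions.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Tuple

# Services a remote attacker would try first. port -> (name, severity). Assumed.
MGMT_PORTS: Dict[int, Tuple[str, str]] = {
    23: ("telnet CLI", "critical"),       # cleartext; full ACU command line
    80: ("HTTP web interface", "high"),   # dashboard, profiles, firmware upload
    443: ("HTTPS web interface", "high"),
}
SEVERITY_ORDER = ["none", "high", "critical"]

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes (service is reachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_terminal(host: str, probe: Probe = tcp_probe) -> dict:
    """Probe one terminal and return the management services reachable on it.

    `probe` is injectable so the reporting logic can be exercised offline.
    """
    exposed: List[dict] = []
    for port, (name, severity) in sorted(MGMT_PORTS.items()):
        if probe(host, port):
            exposed.append({"port": port, "service": name, "severity": severity})
    worst = max((e["severity"] for e in exposed),
                key=SEVERITY_ORDER.index, default="none")
    return {"host": host, "exposed": exposed, "worst": worst}


def audit_fleet(hosts: List[str], probe: Probe = tcp_probe,
                workers: int = 16) -> List[dict]:
    """Audit many terminals concurrently; results keep the input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda h: audit_terminal(h, probe), hosts))


def format_report(results: List[dict]) -> str:
    """One line per terminal: worst severity and the reachable services."""
    lines = []
    for r in results:
        if not r["exposed"]:
            lines.append(f"{r['host']}: no management service reachable")
            continue
        svc = ", ".join(f"{e['service']} (tcp/{e['port']})" for e in r["exposed"])
        lines.append(f"{r['host']}: {r['worst'].upper()} - reachable: {svc}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python vsat_exposure.py <satellite WAN address> [<address> ...]
    print(format_report(audit_fleet(sys.argv[1:])))
```

A terminal whose result is anything other than `none` is reachable from the public Internet and should be moved behind the ship’s firewall or have the service disabled; a reachable telnet port is the worst case, because the page’s investigation shows it gives up the complete ACU command line.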

Impact

  • Handover between satellites and providers as a vessel moves must be carefully managed. VSAT terminals deployed on vessels play a crucial role in maintaining satellite connectivity; if a terminal is compromised, an attacker can break this critical communication link.
  • The ship’s operator uses VSAT connectivity to track vessels as they transport large and sensitive quantities of goods. An attacker restarting or compromising the ACU puts the vessel operator in a blind spot.
  • ADU units emit RF radiation, so vessel operators configure no-transmit zones on deck; a threat actor can manipulate the angles of these zones, posing a serious health risk to sailors working on deck.
  • Email, SMS, and telecommunications on board can be deleted or spoofed by an attacker.
  • False information fed to the vessel operator through a compromised ACU puts the vessel’s route in question, potentially endangering the vessel and its crew.
  • By connecting a company’s marine and river fleet with VSATs, the ships can be linked into a single private corporate network that transmits information between the head office, dispatch consoles, and ships almost instantaneously. This supports operational management of the entire fleet and of each vessel, such as continuous monitoring, real-time advice, and the transfer of meteorological, commercial, and administrative information, including weather forecasts. An attacker can manipulate or block this important information.
  • VSAT terminal vulnerabilities allow attacks that interrupt or spoof information consumed by onboard navigation systems such as the Electronic Chart Display and Information System (ECDIS).
  • Through an exposed ACU, an attacker can target the vessel’s complete communication systems, including broadband service, video conferencing, and VHF/UHF radio.

Conclusion

VSAT terminals are the crucial link between shipping line operators, vessel operators, and crew members. Given the current trajectory of cyberwarfare, it is fair to assume that attackers will target potentially vulnerable SATCOM infrastructure in marine operations. A successful breach through an exposed ACU can result in devastating accidents; hence the correct safety precautions must always be followed to prevent such attacks.

Recommendations

  • Do not expose the terminal’s management interfaces to the public Internet. Most ship satellite systems are assigned a block of public IP addresses; make sure the ACU web interface and telnet CLI are not reachable on any of them, and restrict knowledge of the addresses and access paths to the crew and operators who need them.
  • Keep satellite terminal firmware up to date to reduce exposure to attack. Terminal manufacturers release new firmware versions regularly, so schedule regular checks for updates.
  • Use a strong password policy. When configuring VSAT terminals for ships, replace default credentials with strong passwords and share them only with the authorities concerned.
  • Monitor network and terminal logs for suspicious activity and for unauthorized or unusual login attempts.
  • Integrate threat intelligence into the organization’s existing cyber security infrastructure to anticipate attacks and intrusions.
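As an added example for the log-monitoring recommendation (not code from the original post or from any terminal vendor), the following script parses ACU login records and raises two kinds of alert: a burst of failed logins from one source within a time window (password guessing against the web interface or telnet CLI), and a successful login that either comes from outside the onboard network or follows several recent failures from the same source. The log line format, the onboard LAN range (192.168.1.0/24), the thresholds and the sample lines are constructed assumptions; adapt the regular expression to the syslog format your terminal actually produces.

```python
"""Detection of suspicious logins in VSAT terminal (ACU) logs.

Added example, not code from the original post or from any terminal
vendor. The log line format, the onboard LAN range, the thresholds and
the sample lines are all assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional

# Assumed line format: "<ISO8601 UTC> <hostname> login: OK|FAILED user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) login: "
    r"(?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Networks from which crew are expected to log in (assumption: the onboard LAN).
ONBOARD_NETS = [ipaddress.ip_network("192.168.1.0/24")]
FAIL_THRESHOLD = 5            # failures from one source within WINDOW -> brute force
WINDOW = timedelta(minutes=10)
SUCCESS_AFTER_FAILS = 3       # a success preceded by this many failures is suspect

# Constructed sample (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for Internet-side sources.
SAMPLE_LOG = """\
2022-03-20T02:14:07Z acu-vessel-example login: OK user=crew src=192.168.1.20
2022-03-20T02:15:01Z acu-vessel-example login: FAILED user=admin src=203.0.113.45
2022-03-20T02:15:03Z acu-vessel-example login: FAILED user=admin src=203.0.113.45
2022-03-20T02:15:05Z acu-vessel-example login: FAILED user=admin src=203.0.113.45
2022-03-20T02:15:08Z acu-vessel-example login: FAILED user=admin src=203.0.113.45
2022-03-20T02:15:10Z acu-vessel-example login: FAILED user=admin src=203.0.113.45
2022-03-20T02:15:12Z acu-vessel-example login: OK user=admin src=203.0.113.45
2022-03-20T02:40:00Z acu-vessel-example login: FAILED user=admin src=198.51.100.7
this line is in another format and is skipped by the parser
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the login event in a line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_onboard(src: str) -> bool:
    """True if the source address belongs to one of the onboard networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in ONBOARD_NETS)


def detect_suspicious_logins(lines: Iterable[str]) -> List[dict]:
    """Stream login events and return alerts in the order they are raised."""
    alerts: List[dict] = []
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    brute_force_reported = set()   # alert once per source, not once per attempt

    for ev in filter(None, map(parse_line, lines)):
        src, now = ev["src"], ev["ts"]
        q = recent_failures[src]
        while q and now - q[0] > WINDOW:   # drop failures outside the window
            q.popleft()

        if ev["result"] == "FAILED":
            q.append(now)
            if len(q) >= FAIL_THRESHOLD and src not in brute_force_reported:
                brute_force_reported.add(src)
                alerts.append({"type": "brute_force", "src": src, "user": ev["user"],
                               "ts": now, "reason": f"{len(q)} failed logins within {WINDOW}"})
            continue

        reasons = []
        if not is_onboard(src):
            reasons.append("login from outside the onboard network")
        if len(q) >= SUCCESS_AFTER_FAILS:
            reasons.append(f"success after {len(q)} recent failures")
        if reasons:
            alerts.append({"type": "suspicious_login", "src": src, "user": ev["user"],
                           "ts": now, "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_logins(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']:%Y-%m-%d %H:%M:%S} {a['type']:16} user={a['user']} "
              f"src={a['src']} ({a['reason']})")
```

On the sample lines this raises one `brute_force` alert for 203.0.113.45 at the fifth failure and one `suspicious_login` alert for the success that follows it; the onboard crew login and the single failure from 198.51.100.7 produce nothing. If the ACU itself is kept off the public Internet, as the first recommendation requires, any successful login from a non-onboard address is by itself worth investigating.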

Disclaimer

All information provided in this blog is for general information and educational purposes only and for no other purpose. It is not intended and should not be construed to constitute an advice of any nature whatsoever. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of independent advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. The contents, opinions and findings rendered are subjective. Cyble reserves the right to modify the contents of this blog at any time without prior notice. Although reasonable efforts have been made to include accurate and up-to-date information herein, Cyble makes no warranties or representations of any kind as to its accuracy, correctness, currency, or completeness of all the contents stated in the blog. The contents of the blog, any discrepancies or differences of any nature whatsoever, are not binding and have no legal effect for compliance or enforcement purposes or for any other purpose. You agree that access to and use of and reliance in any manner on this blog including all the contents thereof, is at your own risk. Cyble disclaims all warranties of any kind, express or implied. Neither Cyble nor any party involved in researching, creating, producing, or delivering this blog or anything related thereto shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this blog in any manner, or any errors or omissions in the content thereof.
