GhostSec Targeting Satellite Receivers

Ground Control to Major Tom: Ransomware Groups & Hacktivists Targeting Satellite and Space Industry

Organizations and Devices that operate within Space Industry and SATCOM Networks have become an increasingly important element of a nation’s Critical Infrastructure. Satellites orbiting the Earth provide essential services for national security, economic growth, scientific research, and everyday life. The growing reliance on SATCOM has led to a recognition that any disruption or degradation of space services could have severe consequences for security and the economy.

One of the significant risks to the service utilized in this sector is cyber threats. Satellites rely heavily on computer systems and networks to function correctly. Threat Actors could exploit vulnerabilities within the complex network of systems to gain unauthorized access to satellite data, intercept or manipulate signals, and disrupt communications. The consequences of a successful cyberattack on satellites could be severe, affecting not just national security but also critical industries such as Telecommunications, Navigation, and Weather forecasting.

Ransomware attacks on organizations within the Aerospace and SATCOM sectors can lead to delays or cancellation of space programs. At the same time, data leaks can provide attackers with a strategic advantage within space programs. It is essential to ensure that all organizations within the supply chain implement robust cybersecurity measures to mitigate these risks.

There is a high risk of cyberattacks on every vector within this industry, varying from satellite modems, receivers, antennas, software, and other IT/IOT components. The most common cyber threats to the space segment, ground segment, and space-link communication segment include data corruption/modification, ground system loss, interception of data, jamming, denial of service, masquerade (spoofing), replay, software threats, and unauthorized access.

Cyble Research Intelligence Labs (CRIL) observed that attacks on the space sector have lately been increasing due to recent geopolitical events. Ransomware attacks on organizations dealing directly and indirectly with Space and SATCOM Industries are ramping up.

Also, with the involvement of Hacktivist groups such as GhostSec, which were recently seen targeting Satellite Receivers. CRIL researchers believe that it has become crucial for Public and Private entities to collaborate to safeguard threats to the space Industry, as successful cyberattacks within this sector have a devastating effect on other Critical Infrastructure Sectors.

Hacktivists group targeting Satcom Receivers and Modems

Global Navigation Satellite System (GNSS)

Global Navigation Satellite System receivers are devices that receive and process signals from a constellation of satellites orbiting the Earth to determine the receiver’s position, velocity, and time.

GNSS receivers are used in a wide range of applications, including navigation for ground, sea, and air transportation, surveying and mapping, search and rescue operations, and scientific research. There are many users, including Military and Government organizations, commercial businesses, and individuals. 

GNSS receivers provide accurate timing and location information to satellite ground stations, which are used to control and monitor satellite systems. GNSS receivers are also used in satellite tracking and telemetry systems to accurately determine the position and movement of satellites in orbit.

On March 14, 2023. A member of the Hacktivist Group – GhostSec (an affiliate of the Anonymous group) shared Tweet associated with their attack on Global Navigation Satellite System (GNSS) Receiver.

Multiple Panels of the GNSS receiver were shared as proof of their access to the GNSS receiver. In one of the screenshots shared, the – “Location of Receiver seems to be near The State Kremlin Palace”.

If GNSS receivers are corrupted or manipulated by unauthorized personnel, several potential consequences could occur, including:

• Loss of Positioning, Navigation, and Timing (PNT) Accuracy: GNSS receivers are critical for providing accurate PNT information, including location, speed, and time. Corrupting or manipulating the receiver’s signals could lead to a loss of accuracy or even a complete loss of PNT information, which could have severe consequences for Critical Infrastructure, transportation systems, and other applications that rely on GNSS data.
• Disruption of Communications: GNSS signals are also used for timing and synchronization of communications systems, such as cell towers, satellite communication networks, and internet infrastructure. If GNSS signals are corrupted, this could lead to communication disruptions, delays, and potential failures.
• Safety Risks: GNSS is used in several safety-critical applications, including aviation, maritime, and transportation. If GNSS signals are manipulated, this could lead to safety risks, such as incorrect aircraft navigation or collision avoidance systems.
• Financial Losses: Several industries rely on GNSS for their operations, including agriculture, mining, and surveying. If GNSS signals are corrupted, this could lead to financial losses due to incorrect measurements, inaccurate mapping, and navigation errors.
• Cybersecurity Risks: Manipulating GNSS signals could be used as a tool for cyberattacks, including spoofing, where a malicious actor could provide false location information to a target system or device, leading to potential security breaches and data theft.

CRIL researchers believe that the GNSS receivers that are targeted by GhostSec might be “CTI operation and maintenance management system software, a product of Shanghai Huace Navigation Technology.”, which is a high-precision navigation technology that combines multiple satellite constellations including GPS, GLONASS, BeiDou, and Galileo to provide accurate and reliable positioning information for a wide range of applications. As per the news articles published by the vendor, they seem to have a presence in Russia.

Internet Exposure of GNSS Receivers

As the hacktivist group targeted GNSS receivers, researchers at Cyble investigated the internet-exposed GNSS receivers to understand their attack surface. During the investigation, we found that multiple GNSS receivers are provided by various vendors, exposed over the internet. The exposure details of 5 major GNSS receivers used globally are provided below.

GNSS-1 – Has a total of 3,641 Internet-Exposed instances.

GNSS-2 – Has a total of 4,864 Internet-Exposed instances.

GNSS-3 – Has a total of 899 Internet-Exposed instances.

GNSS-4 – Has a total of 343 Internet-Exposed instances.

GNSS-5 – Has a total of 28 Internet-Exposed Instances.

During our investigation, we observed multiple vulnerabilities existing for internet-exposed GNSS systems along with public exploits. The screenshot below shows various GNSS systems observed during the Investigation.

 

Satellite Modems

Satellite modems are wireless communication devices that convert digital data into radio frequency signals and establish satellite links between remote locations. They differ from traditional modems as they provide more robust error correction mechanisms and are ideal for hard-to-reach locations.

Critical Infrastructure sectors such as Government, Military, Telecommunications, Energy, Utilities, and Transportation rely on satellite modems. Satellite modems are crucial in transmitting telemetry data and controlling spacecraft operations in the Aerospace industry. They can also be used for remote sensing and earth observation applications.

If an attacker corrupts satellite modems, it can have severe consequences. The transmitted data’s confidentiality, integrity, and availability can be compromised, leading to security breaches, espionage, or sabotage.

The attacker may gain access to sensitive data, such as Government or Military secrets, and cause widespread damage to Critical Infrastructure sectors such as energy and transportation, resulting in service disruptions or even accidents. Moreover, businesses that rely on satellite links may suffer revenue losses, damaging their reputation and prospects. Ultimately, such malicious attacks can severely threaten national security and public safety.

Operation Cataclysm, which was conducted by Team One Fist, indicates the severity of the attack on satellite modems. In the attacks conducted on MegaFon, the hacktivist group claimed to have created custom programs to hinder the predefined operations of the router. At the same time, they deleted the critical configurations on these modems. Multiple screenshots & videos were shared by the group, which show modems going into a fault state.

The figure below shows the claims made by the hacktivist group.

Internet Exposure of Satellite Modems

The hacktivist group targeted “Newtec Satellite Modems” in Operation Cataclysm. Newtec satellite modems are used in various industries that require reliable and high-speed satellite communication links, including telecommunications, broadcasting, military and defense, maritime, oil and gas, aviation, and emergency services. One of the online scanners shows that there are 296 Internet-Exposed Newtec Satellite modems, as shown in the figure below.

If authorized personnel operating these modems have not changed the default credentials, there is a possibility that hacktivist groups will continue to get into these systems and perform similar operations to Team One Fist.

Given below is a screenshot from one of these exposed satellite modems.

Growing Ransomware Threats to the Space Industry

Ransomware attacks on industries dealing in the space sector can have devastating consequences, particularly on the supply chain. Companies that supply, distribute, manufacture, or provide services related to satellite communication components and software are potential targets for ransomware attacks. If these companies are successfully attacked, it could lead to a crippling effect on the entire industry and cause significant damage to national security.

Lockbit 3.0 – Prevailing Threat

On 21^st March 2023, Lockbit published details of their victim, “Karnataka State Remote Sensing Application Center”, which acts as the nodal agency in the state for all Remote Sensing and GIS activities. The victim organizations interact and collaborate with the Indian Space Research Organization, Dept. of Space, Govt. of India, and other National and International Organizations in the field of remote sensing and allied disciplines.

Figure 12 shows the claim made by the TA.

On 13^th March 2023, Lockbit published their new Ransomware victim, “Maximum Industries”, a company that specializes in the fabrication of rocket parts. The group claimed the compromise data included 3,000 engineering drawings certified by SpaceX, a manufacturer of spacecraft and SATCOM technology.

Given below is the screenshot for the same claim.

On 10^th March 2023, Lockbit published details of ransomware victim “Micos Engineering GmbH”, an independent system engineering SME that focuses on optical instrumentation, satellite-based payloads, remote sensing units, and other small satellite solutions.

On 28^th March 2023, Lockbit targeted “Hong Kong Engineering Company Limited”, which is a major player in the aviation industry and has been providing satellite communication systems for commercial aircraft. Given below is the screenshot for the same claim.

Apart from Lockbit’s attack on Maximum Industries earlier this year, DNV ShipManager servers were also targeted by ransomware attacks. According to the official statement of DNV, “Following the cyber-attack, the ShipManager server environment had to be rebuilt”.

Hence, growing ransomware attacks on organizations dealing in the Space and SATCOM supply chain highlight ransomware groups’ interest in disrupting this sector.

Conclusion

Threats towards Satellite Communication Networks have been increasing gradually since previous years. The cyber-attack against Viasat’s KA-SAT network partially interrupted KA-SAT’s consumer-oriented satellite broadband service and rendered 5,800 Enercon wind turbines in Germany. This highlights that cyber attacks on components within the SATCOM industry can have a disastrous effect and weaken National Critical Infrastructure operations.

CISA and FBI also released Cybersecurity Advisory emphasizing mitigation strategies to be followed by organizations dealing in this industry on May 10, 2022. The trajectory of past events, along with recent Ransomware attacks and Hacktivist attacks on the Satcom and Space Industry, should be considered by concerned authorities as attacks on this sector have the caliber to disrupt other key national services.

As multiple entities work together within the SATCOM and Aerospace industries, ranging from manufacturers, vendors, suppliers, distributors, etc., the attack surface for Threat Actors is exponentially big.

Cyble Research and Intelligence Labs believe that in the near future, TAs will actively exploit public-facing SATCOM devices and launch ransomware attacks on organizations that support the SATCOM Industry for financial and political motives.

Recommendations:

1. Conduct a thorough risk assessment of the SATCOM environment to identify vulnerabilities and potential threats.
2. Implement strong access controls to restrict unauthorized access to the SATCOM system.
3. Use encryption technologies to protect sensitive data transmitted over the SATCOM network.
4. Implement firewalls and intrusion detection systems to prevent unauthorized access to the SATCOM system.
5. Regularly update and patch software and firmware on SATCOM devices to address known vulnerabilities.
6. Use two-factor authentication for user login to enhance security.
7. Limit the number of people who have access to SATCOM equipment and systems.
8. Implement physical security measures to prevent unauthorized access to SATCOM equipment and facilities.
9. Use secure configuration settings for all SATCOM equipment and devices.
10. Conduct regular security training for all personnel accessing SATCOM equipment and systems.
11. Implement a comprehensive incident response plan to handle security breaches and other emergencies.
12. Conduct regular reviews and update security policies and procedures to ensure they protect the SATCOM environment effectively.

Disclaimer:

All the findings stated in this document have been verified and reviewed via our Enterprise platform, Cyble Vision and HUMINT. These data points and observations are valid and accurate for the period discussed in the report and publication time. Cyble is not liable for any action(s) taken based on these findings and any ensuing consequences.

This document is created to share our findings and research with the broader cybersecurity community from an academic and knowledge-sharing standpoint. It is in no way an endorsement of the activities described in the report.

It is an amalgamation of our collective research on this subject and is not a direct promotion of our brand, platform, or services. This report can be shared freely for academic or knowledge-sharing purposes, provided that Cyble is mentioned as the source of your findings.