The Great Euro Sat Hack Should Be A Warning To Us All

Military officials and civilian security researchers have been warning us for years: cyberattacks are becoming a very real part of modern warfare. Far from being limited to military targets, cyberattacks can take out everything from vital public infrastructure to commercial and industrial operations, too.

In the early hours of February 24, as the Russian invasion force began raining missiles on Ukrainian cities, another attack was in progress in the digital realm. Suddenly, satellite terminals across Europe were going offline, with many suffering permanent damage from the attack.

Details remain hazy, but researchers and military analysts have pieced together a picture of what happened that night. The Great Euro Sat Hack prove to be the latest example of how vulnerable our digital infrastructure can be in wartime.

A Network Is Only As Secure As Its Weakest Point

The KA-SAT satellite operated owned by US company Viasat was launched in 2010. It’s charged with providing broadband satellite internet across Europe, with some limited coverage also extending to parts of the Middle East. Customers of the service include residential users across Europe, and many industrial systems as well.

5,800 wind turbines lost their satellite data connections during the attack, compromising remote monitoring of the hardware. Service was restored through a combination of replacing affected satellite modems and installing supplementary cellular/LTE data links. Credit: ENERCON press site

On February 24, when Russian forces began their full-scale invasion of Ukraine, the KA-SAT system similarly came under attack. Thousands of terminals suddenly went offline in the early hours of the morning. Far from being limited to just Ukraine, users in Greece, Poland, Italy, Hungary, and Germany were all affected.

Notably, 5,800 wind turbines in Germany had their administration systems go dark as the attack raged. When the satellite links went down, monitoring the wind turbines via SCADA systems was no longer possible. Thankfully, grid stability was not affected according to operator ENERCON, as grid operators maintained control over the wind power input to the grid via other methods.

Early reports speculated that a simple distributed denial of service (DDoS) attack may have been to blame. This type of attack, where floods of traffic are used to overwhelm a network or server, is simplistic and short-lived.

However, it quickly became apparent that a much more serious attack had taken place. Researchers analyzing the fallout noted that many terminals had been permanently taken offline, and were no longer operable. Information slowly trickled out from various sources, indicating that the satellite itself had not been tampered with, nor damaged or physically attacked in any way. Thus, the issue likely laid in the ground segment of the KA-SAT network.

Official statements noted the consumer-grade Surfbeam2 modems were a primary target of the attack. This raises questions around how the attack then came to impact German energy infrastructure, which would be expected to use a more industrial-spec solution. Credit: Viasat

Just over a month after the attack, Viasat released a statement explaining the scale and nature of the attack. According to the company’s report, action began at 03:02 AM UTC with a denial of service attack propagating from users of using SurfBeam 2 and Surfbeam2+ modems on a consumer-orientated section of the KA-SAT network. These modems located in Ukraine were generating large volumes of malicious traffic and were preventing legitimate users from remaining online. Viasat’s technical teams worked to block these malicious modems from the network, with more popping up as the team took them down.

During this period, modems were gradually dropping offline on this network partition. This accelerated at 4:15 AM, which saw a mass exodus of modems connecting to the KA-SAT network across Europe, all on the same consumer network partition. The missing modems were gone for good, with none attempting reconnection to the satellite network.

Later analysis showed that a breach had occurred in the management systems of the KA-SAT network, via a “misconfiguration in a VPN appliance.” The attackers accessed the management network and used it to issue commands to residential modems on the network, corrupting the flash memory onboard and rendering them inoperable.

In the aftermath, security researcher Ruben Santamarta was able to lay his hands on an affected Surfbeam2 modem, as well as another clean device untouched by the attack. Dumping the flash memory from both modems was revealing. The compromised modem had heavily corrupted flash memory compared to the original, which left the modems in a non-working state. The damage was so complete in some cases that affected modems would not even display status lights when turned on. 30,000 replacement modems were ultimately shipped to customers to get them back online in the weeks following the attack.

There are still some questions to be answered regarding the attack. It’s unclear precisely how attackers entered the management segment of the KA-SAT network, and the company is reticent to publicise what happened. The early DDOS attack followed by the bricking of modems also hints at a well-planned, multi-stage attack, suggesting the hack was planned well in advance. There’s also ancilliary questions, such as why German electricity infrastructure was affected by an attack supposedly limited to residential modems and a consumer-oriented network segment.

Those specifics are of interest to security researchers and those involved at the companies in question. More broadly, though, it shows that cyberattacks can and will be used against real infrastructure in times of war. Furthermore, the effects won’t necessarily be limited to targeted areas or the military. It’s all too easy for such an attack to have wide-ranging effects downstream when our networks span national borders.

Overall, it’s a chilling reminder of the vulnerabilities inherent in much of our infrastructure. This time it was satellite internet, other times it might be the water supply or the health system. The stakes are high in all of these cases, so there’s plenty of reason to invest in shoring up security wherever possible.

46 thoughts on “The Great Euro Sat Hack Should Be A Warning To Us All

    1. “0,000 replacement modems were ultimately shipped to customers to get them back online in the weeks following the attack.” I’m surprised this hasn’t been fixed in the article yet!

  1. State-sponsored cyberwarfare has been a “thing” for some time now.

    The USA is behind (or pretends to be behind) in this. Other countries have been funding this sort of thing for a while. And in some cases, they don’t even need outside funds after a while (they let the hackers “eat some of what they kill” on extortion, credit card fraud, etc.)

    1. The intelligence organisations of many nations have also been releasing backdoored “warez” onto the internet for many decades. Every obvious way of compromising private, commercial and state security has been exploited over the years, because that is what those guys are employed to do. Everyone is doing it and has been doing so for as long as they have had the capability to do so. Assume you are already “owned” until you can prove otherwise. And yes there has never been a clear cut boundary between the state sponsored operations and the activities of the criminal underworld, even back in the days when Putin et al were running hackers out of East Germany. Those freelancers who were in part paid in illegal drugs mostly ended up dead once they were no longer useful.

        1. Sortof, as if you have enough technical understanding, or trust the folks that developed the configuration you use it makes it very much harder to have hostile actions be successful – FOSS devs tend to fix security problems very damn promptly, they also get many more eyes on the code so malicious deliberate backdoor are very rare etc…

          But also no, as all it takes is random chance that your IP was targeted while a flaw is still unpatched/unknown, or that dodgy file, poisoned JS website visit (etc) to invite the scumbags into your network, OpenWRT can’t protect against that its just delivered the data where it was ‘supposed’ to be, then its up to the security on the computer using the file, not auto-executing, being patched so the malformed file that delivers the functional payload doesn’t actually work, etc.

          Also actually using OpenWRT as your modem requires some co-operation with the ISP, using it as the router at least ‘protects’ everything behind the modem, but that ISP trash tier wifi-router/modem unit you have to use to have a connection isn’t any better off..

      1. Am I flying an American or British flag? Then yes. But this is not a question for me I don’t have that money. If you buy it cheap it’s probably worth breaking for parts, then scrap.

        1. Not a lot of stuff in a luxury yacht that recycles well or is worth much as scrap – used luxury interior fittings are a niche market even if they can be economically removed, maybe the engines & propulsion systems & controls are worth a bit to someone, but after that you’ve got a huge floating pile of wood, plastic, GRP, glass, and assorted other stuff that is less than useless as it’s mostly hard or impossible to recycle.

      2. Looking at the effectiveness of the Russian navy (and armed forces in general) in their current conflict I’d not be too worried unless you actually wanted to sail to Russia, they would probably break down or blow up before they could catch you…

        Doesn’t do you any good if you do happen to be near them though, nasty bunch of orcs…

  2. So what is the solution to prevent devices receiving totally valid updates from their service providers that have been fully owned by a foreign government.

    Signing keys kept in a physical vault, and only removed and used to sign new firmware images as valid on air gaped machines, before mass distribution ?

    1. Russia: “if you attack targets in Russia we’ll take it as escalation”
      Also Russia: attacks German energy infrastructure.

      I hope we’re just more subtle doing this stuff.

    2. ….. all of us on Hackerday should get together and send our own comms satellites up into space and build our own modems with proper systems for swapping out broken flash chips or whatever. We’d also have a black ops team dedicated to constantly trying to break the system who report back to our chief of operations every now and again.

  3. “The Great Euro Sat Hack prove to be the latest example of how vulnerable our digital infrastructure can be in wartime.”

    And peace. No surprises when it’s mostly built upon “by the lowest bidder”.

    “The compromised modem had heavily corrupted flash memory compared to the original, which left the modems in a non-working state. ”

    A lesson learned about having a backup that can be manually switched in once the all clear has been sounded.

    1. They should have at least a bootloader and flasher in a permanent EPROM or hardware write protected flash. Push a restore button on the board then the power button. Boots and nukes the flash and RAM then writes the loader from ROM to flash. Then it’s clean and ready to auto-flash the latest image from USB.

      The whole mess begs the question why was all this so insecure? Viasat shareholders should be asking why they didn’t have extensive pentesting and regular security audits to find vulnerabilities like this.

      1. The same rubbish security is true of a great many things – anything with OTA automatic updates is usually vulnerable to such things, though some things do A-B images or have a recovery system as you describe, its not universal.

        But on the whole OTA updates probably saves more than it costs when shit like this happens (assuming they actually properly check the real updates before pushing them), as best will in the world anything modern is broken security wise when new, and users actually checking and doing the security updates for their headless systems…

    1. The U.S. government keeps telling us they need to secure our electrical infrastructure, to keep us safe from cyber attacks. I feel that if the U.S. government does put the electrical infrastructure under its complete control, it will make it easier for a “bad actor” to gain full access (through government incompetence).

      1. and they completely phased out all local radio meters. technically one could push out malware that simply shuts off all the meters at the same time because they are all now operating on cell networks, and can send data to the next closest meter. seems stupid if you ask me.

    1. What?
      I have to walk downstairs, turn off my router, and hold down some button for 10 seconds, while turning it back on? Good grief!

  4. I was working at an Aerospace company making satellite communications systems for some years.

    During this work, I had to read several standards/protocols for systems communications and found multiple security holes in the standards/protocols allowing an attacker to take over satellites and/or communications systems for e.g. airplanes/remote sites. Functionality was the focus of the documents, not security.

    The same was the focus of the development work. Management was more focused on features (capabilities) of the software, not the security side of the systems. Security is not a sexy topic for management or marketing.

    In all companies, I’ve worked for, features (NOT security) has been the focus. Every single time an Engineer raised the flag, that a product could be hacked, the Engineer was told something like “It’s illegal to hack it! So don’t worry about it!”

    I ported UBoot to a new platform adding a feature to our 1st stage bootloader verifying the 2nd stage bootloader integrity and letting UBoot verifying the main SW package integrity (both current and “safe” versions). However, I got told multiple times, that this was not necessary. Instead, we had to focus on the fact, that a hacker could bring a power drill on the airplane, drill a hole in the cabinet (in the electronics bay of a commercial or military aircraft), drill a hole (specific location and depth), insert a probe (another specialized piece of equipment) and inject signals onto the board itself.

    Every single test, we did, was focused on functionality, not security. Since, all end tests would require e.g. an Airbus 320 with a full crew, 7-9 engineers monitoring the new/updated system, ground staff and an 18 hours flight at each “hardware” change (“hardware” in this case is the physical hardware, bootloaders (1st and 2nd stage) and configuration – don’t get me started on that ), we limited ALL testing to mere software tests leaving all the low level stuff alone.

    All the talented developers got SO fed up with the company, that they left leaving the lesser talented developers behind. As one developer working on a new system allowing airplane to fly “wing tip to wing tip” said : “I’m staying, because I probably couldn’t get a job somewhere else”. When this system goes into production, I’m either moving underground or exchanging my car with a T14 Armata…

    1. Very interesting …. another good reason not to travel by aeroplane. I’m just hoping nobody can hack my ebike over the air (OTA) and cause me to drive into a lamp post.

        1. I agree.. I found a bug in a government website exposing names, ranks, units, home addresses on military personnel.. including Special Forces, Military Command and Intelligence personnel. Reported it.. solution: renamed the files.. not removing the contents..
          I don’t fear Russian hackers.. I fear the incompetence of my government..

      1. A better reason.. look into the quality issues of Boeing.. you’d be surprised..
        I’d rather go by boat for x hours risking sea sickness etc., than fly newer Boeing airplanes..

  5. I would like to see an example of the flash memory dump to see what the corruption looks like. How would this hypothetically happen, and would it brick the device, because you would think you could reflash the firmware or something? Would this be reproduceable on any consumer grade modem that you could gain admin access to?

    1. Of the malicious code overwrote the bootloader, the device is trashed unless you can physically connect a programming device.
      Think about a computer. Imagine the bios was deleted or overwritten with all 1Fs. There is nothing left to act as a bios on reboot. The computer would be trashed unless you could replace the bios rom or reprogram it in place with the proper hardware device. You’d have no standard way to recover it.
      There would be no software to support a reflash which is why you’d need to hardware program it.

  6. I’m not sure how to, protect infrastructure in space fro bad actors, but terrestrial, would be easily protected, if there’s is the will. Problem is maximized profits, often trumps everything. Pipelines, electrical transmission lines, etc, generally are in/on private or public right of ways. Disconnect critical from the global internet already. Install fiber, if needed, on those right of ways. Hell electric utilities have been using their current conductors, to carry data, for decades now. The for the Geeks to sharpen the tines, on their pitch forks, and show up on capital hill unannounced. ;).

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.