The domains of outer space and cyberspace are interconnected: so much data flows through satellites that an attack on one domain can affect both. Researchers at the Cybersecurity and Infrastructure Security Agency (CISA) said they discovered Russian hackers lurking within a U.S. satellite network, raising concerns about Moscow’s intentions to infiltrate and disrupt the rapidly expanding space economy.
According to reports, the CISA researchers identified the Russian military group known as “Fancy Bear,” or APT28. The intrusion apparently involved a satellite communications provider with customers in U.S. critical infrastructure sectors.
“It is obvious that satellites are some of the prime targets for foreign adversaries, as so much of our communications and reconnaissance relies on them,” suggested technology industry analyst Roger Entner of Recon Analytics.
No Paper Tiger
Fancy Bear, which is also known as the Tsar Team, Pawn Storm, and Sofacy Group, is thought to be a Russian cyber espionage group with ties to the Russian military intelligence agency, the GRU. The British government, as well as multiple independent cybersecurity firms, believes it is sponsored by the Russian government.
The group is known to target government, military, aerospace and defense firms, media outlets, and security organizations, especially those in NATO-aligned states. Fancy Bear is also believed to be responsible for past cyber attacks on the German parliament, the Norwegian parliament, the White House and the Democratic National Committee (DNC).
The hackers’ tooling has been observed targeting both conventional computers and mobile devices. They typically employ phishing messages combined with credential harvesting on spoofed websites.
“Fancy Bear is a Russian state-sponsored threat actor. That means they operate typical criminal operations, think ‘for profit’ ransomware and BEC (Business Email Compromise) type attacks,” said Steve Hahn, executive vice president at cybersecurity firm BullWall. “However, they also carry out Russian infrastructure, espionage, and PsyOps. They are famous for using zero-day exploits and are the group behind the DNC and Hillary Clinton private server attacks that have fueled the news cycles for the last six years.”
Hahn told ClearanceJobs that these were highly crafted spear phishing attacks.
“Twenty-nine of 30 attempts failed; no one clicked on the link,” he continued. “It took just one of the 30 spear-phishing emails to be successful to ignite the breach, which speaks to the difficulty of stopping these types of targeted attacks. You can’t rely on users or security layers to be 100% effective 100% of the time. When that one breaks through, you need containment.”
The same applies to the rest of their attacks on infrastructure over the last few years.
“They research their target, then scour LinkedIn to get insight into who to send the targeted email attack, or spear phishing, to, and the attack begins once the user clicks on the link or opens the document. They can fail 1,000 times. They only need to be successful once,” Hahn warned.
Space – the Latest Frontier
Space now seems to be the newest threat vector. In addition to the recent intrusion, another system belonging to U.S. telecom company Viasat, which provides Internet service in Europe, was targeted just prior to Russia’s invasion of Ukraine – and the attack disrupted Internet service in the embattled country.
Officials blamed that attack – one of the most significant digital assaults of the war to date – on Russian hackers, although it isn’t known whether it actually involved Fancy Bear. It was significant enough that the FBI and CISA subsequently warned of other potential Russian infiltration of satellite systems.
“Satellite attacks are nothing new for Russian state-sponsored actors,” warned David Maynor, senior director of Threat Intelligence at Cybrary.
“Anti-virus company Kaspersky revealed an APT named Turla was doing this in 2015,” Maynor told ClearanceJobs, adding that he has also worked on more cases that aren’t public where threat actors did something similar. “Using a satellite during a C2 can reduce the actor’s signature, especially if CTI groups aren’t aware of the capability.”
Efforts are currently underway at the Institute of Electrical and Electronics Engineers and the International Organization for Standardization to create technical cybersecurity standards for space technology. However, Maynor suggested that other steps could, and perhaps should, be taken.
He is among those now in favor of designating space assets as critical infrastructure, much like the electrical grid. Should such a move occur, it might at least give state actors pause – even if hackers don’t abide by the same rules. Either way, the significance of the convergence of cyberspace and outer space can’t be overstated.
“It’s hard to find people who are aware of how much their daily technology is based on, routed through, or directed by space based resources,” Maynor added.