GhostSec hackers target satellite receivers, as threats toward satellite communication networks gradually rise

Cyble Research Intelligence Labs (CRIL) identified hacktivist groups, among them GhostSec, targeting satellite receivers. The finding comes as the team observed that threats and attacks on the space sector have been increasing in the wake of recent geopolitical events, and that ransomware attacks on organizations dealing directly or indirectly with the space and satellite communication (SATCOM) industries are ramping up.

“CRIL researchers believe that it has become crucial for public and private entities to collaborate to safeguard threats to the space industry, as successful cyberattacks within this sector have a devastating effect on other critical infrastructure sectors,” a recent blog post revealed.

GhostSec is the hacker group that earlier this year claimed to have conducted a ‘first-ever’ ransomware attack against a remote terminal unit (RTU), a small device typically deployed in industrial control system (ICS) environments. The Anonymous affiliate said it executed GhostSec ransomware as part of its favored ‘#OpRussia’ operation, ‘as only they can in support of #Ukraine.’

The escalating threats and attacks come as the organizations and devices that operate within the space industry and satellite communication networks have become an increasingly important element of national critical infrastructure. The growing reliance on SATCOM has led to a recognition that any disruption or degradation of space services could have severe consequences for security and the economy, with cyber threats now among the most significant risks to the services this sector provides.

Satellites rely heavily on computer systems and networks to function correctly. Attackers can exploit vulnerabilities within this complex network of systems to gain unauthorized access to satellite data, intercept or manipulate signals, and disrupt communications.

Furthermore, ransomware attacks on organizations within the aerospace and SATCOM sectors can lead to delays or cancellation of space programs, the researchers point out. “At the same time, data leaks can provide attackers with a strategic advantage within space programs. It is essential to ensure that all organizations within the supply chain implement robust cybersecurity measures to mitigate these risks.”

“There is a high risk of cyberattacks on every vector within this industry, varying from satellite modems, receivers, antennas, software, and other IT/IOT components,” the post identified. “The most common cyber threats to the space segment, ground segment, and space-link communication segment include data corruption/modification, ground system loss, interception of data, jamming, denial of service, masquerade (spoofing), replay, software threats, and unauthorized access.”

The CRIL team said that on Mar. 14, 2023, a member of the hacktivist group GhostSec (an affiliate of the Anonymous collective) shared a tweet about their attack on a Global Navigation Satellite System (GNSS) receiver. “Multiple panels of the GNSS receiver were shared as proof of their access to the GNSS receiver. In one of the screenshots shared, the ‘Location of Receiver seems to be near The State Kremlin Palace.’”

CRIL researchers believe that the GNSS receivers targeted by GhostSec might be running ‘CTI operation and maintenance management system software, a product of Shanghai Huace Navigation Technology.’ The vendor’s high-precision navigation technology combines multiple satellite constellations, including GPS, GLONASS, BeiDou, and Galileo, to provide accurate and reliable positioning information for a wide range of applications. Judging by news articles published by the vendor, it appears to have a presence in Russia.

The researchers said that if GNSS receivers are corrupted or manipulated by unauthorized personnel, several potential consequences could occur, including loss of Positioning, Navigation, and Timing (PNT) accuracy, disruption of communications, safety risks, financial losses, and cybersecurity risks. 
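As an added illustration, not part of the Cyble report or of this article, the following Python checks a receiver’s NMEA 0183 output for the kinds of manipulation listed above (data modification, replay and spoofing): it verifies each sentence’s XOR checksum, then flags timestamps that go backwards and position jumps that imply an impossible speed. The sample sentences are constructed for the example; the 50 m/s speed ceiling and the assumption that the receiver emits GGA sentences are assumptions made here, not anything from the report.

```python
import math
import re


def nmea_checksum(body):
    """XOR of every byte between '$' and '*' per NMEA 0183."""
    calc = 0
    for ch in body:
        calc ^= ord(ch)
    return calc


def with_checksum(body):
    """Build a well-formed sentence from its body (used only to construct samples)."""
    return "$%s*%02X" % (body, nmea_checksum(body))


def nmea_checksum_ok(sentence):
    """Verify a sentence like '$GPGGA,...*47'; any tampering after the receiver signed it fails."""
    m = re.fullmatch(r"\$([^*]*)\*([0-9A-Fa-f]{2})\s*", sentence)
    if not m:
        return False
    body, given = m.groups()
    return nmea_checksum(body) == int(given, 16)


def _dm_to_deg(value, hemisphere):
    """Convert NMEA ddmm.mmmm / dddmm.mmmm to signed decimal degrees."""
    raw = float(value)
    degrees = int(raw // 100)
    minutes = raw - degrees * 100
    result = degrees + minutes / 60.0
    return -result if hemisphere in ("S", "W") else result


def parse_gga(sentence):
    """Return (utc_seconds, lat, lon, fix_quality, satellites) from a GGA sentence, else None."""
    fields = sentence.split("*")[0].split(",")
    if not fields[0].endswith("GGA") or len(fields) < 8:
        return None
    t = fields[1]
    seconds = int(t[0:2]) * 3600 + int(t[2:4]) * 60 + float(t[4:])
    lat = _dm_to_deg(fields[2], fields[3])
    lon = _dm_to_deg(fields[4], fields[5])
    return seconds, lat, lon, int(fields[6]), int(fields[7])


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (mean Earth radius)."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def check_stream(lines, max_speed_mps=50.0):
    """Integrity and plausibility checks over NMEA lines; returns [(line_index, reason)]."""
    findings = []
    prev = None  # (seconds, lat, lon) of the last sentence that passed all checks
    for i, line in enumerate(lines):
        if not nmea_checksum_ok(line):
            findings.append((i, "bad checksum"))  # modified in transit or corrupted
            continue
        fix = parse_gga(line)
        if fix is None:
            continue
        seconds, lat, lon, quality, _sats = fix
        if quality == 0:
            findings.append((i, "no fix"))
        if prev is not None:
            pseconds, plat, plon = prev
            dt = seconds - pseconds
            if dt <= 0:
                findings.append((i, "timestamp not increasing (possible replay)"))
            else:
                speed = haversine_m(plat, plon, lat, lon) / dt
                if speed > max_speed_mps:
                    findings.append((i, "implausible jump %.0f m/s (possible spoofing)" % speed))
        prev = (seconds, lat, lon)
    return findings


# Constructed sample stream: a static receiver near Munich, then three manipulated sentences.
SAMPLE_STREAM = [
    with_checksum("GPGGA,123519.00,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,"),
    with_checksum("GPGGA,123520.00,4807.040,N,01131.002,E,1,08,0.9,545.4,M,46.9,M,,"),
    # Position altered after the checksum was computed (data modification).
    with_checksum("GPGGA,123521.00,4807.042,N,01131.004,E,1,08,0.9,545.4,M,46.9,M,,").replace("4807.042", "4807.052"),
    # Earlier fix fed back in (replay): time goes backwards.
    with_checksum("GPGGA,123519.00,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,"),
    # Fix placed hundreds of kilometres away three seconds later (spoofing).
    with_checksum("GPGGA,123522.00,5130.000,N,00007.000,W,1,08,0.9,545.4,M,46.9,M,,"),
]

if __name__ == "__main__":
    for index, reason in check_stream(SAMPLE_STREAM):
        print("line %d: %s" % (index, reason))
```

The checksum only catches changes made downstream of the receiver; a receiver that has itself been compromised, as in the GhostSec case, will emit perfectly valid sentences, which is why the plausibility checks on time and velocity matter as an independent signal.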

As the hacktivist group targeted GNSS receivers, researchers at Cyble investigated internet-exposed GNSS receivers to understand their attack surface. During the investigation, the researchers found GNSS receivers from multiple vendors exposed on the internet.

The exposure figures for five major GNSS receiver products used globally, referred to only as GNSS-1 through GNSS-5, with the three countries hosting the most instances of each:

GNSS-1: 3,641 internet-exposed instances (U.S. 957, Japan 719, Canada 275)
GNSS-2: 4,864 internet-exposed instances (Australia 816, Greece 766, Italy 743)
GNSS-3: 899 internet-exposed instances (Russia 201, Poland 145, U.S. 43)
GNSS-4: 343 internet-exposed instances (South Korea 53, U.S. 44, France 41)
GNSS-5: 28 internet-exposed instances (China 15, Thailand 6, U.S. 6)

The researchers also revealed that during its investigation, “we observed multiple vulnerabilities existing for internet-exposed GNSS systems along with public exploits.”

The CRIL team said that satellite modems are wireless communication devices that convert digital data into radio frequency signals and establish satellite links between remote locations. They differ from traditional modems as they provide more robust error correction mechanisms and are ideal for hard-to-reach locations.

“Critical infrastructure sectors such as government, military, telecommunications, energy, utilities, and transportation rely on satellite modems. Satellite modems are crucial in transmitting telemetry data and controlling spacecraft operations in the aerospace industry. They can also be used for remote sensing and earth observation applications,” the researchers pointed out. “If an attacker corrupts satellite modems, it can have severe consequences. The transmitted data’s confidentiality, integrity, and availability can be compromised, leading to security breaches, espionage, or sabotage.”

The team added that an attacker may gain access to sensitive data, such as government or military secrets, and cause widespread damage to critical infrastructure sectors, such as energy and transportation, resulting in service disruptions or even accidents. “Moreover, businesses that rely on satellite links may suffer revenue losses, damaging their reputation and prospects. Ultimately, such malicious attacks can severely threaten national security and public safety.”

The CRIL team also pointed to ‘Operation Cataclysm,’ conducted by Team One Fist, as an indication of how severe an attack on satellite modems can be. “In the attacks conducted on MegaFon, the hacktivist group claimed to have created custom programs to hinder the predefined operations of the router. At the same time, they deleted the critical configurations on these modems. Multiple screenshots & videos were shared by the group, which show modems going into a fault state,” the post added.

The post also identified that the hacktivist group targeted ‘Newtec Satellite Modems’ in Operation Cataclysm. “Newtec satellite modems are used in various industries that require reliable and high-speed satellite communication links, including telecommunications, broadcasting, military and defense, maritime, oil and gas, aviation, and emergency services. One of the online scanners shows that there are 296 Internet-Exposed Newtec Satellite modems,” it added.

The researchers added that where the personnel operating these modems have not changed the default credentials, hacktivist groups are likely to keep getting into these systems and repeating operations like Team One Fist’s.

The CRIL post also said that ransomware attacks on industries dealing in the space sector can have devastating consequences, particularly on the supply chain. 

“Companies that supply, distribute, manufacture, or provide services related to satellite communication components and software are potential targets for ransomware attacks. If these companies are successfully attacked, it could lead to a crippling effect on the entire industry and cause significant damage to national security.”

On Mar. 28, 2023, Lockbit targeted ‘Hong Kong Engineering Company Limited,’ which is a major player in the aviation industry and has been providing satellite communication systems for commercial aircraft, the Cyble post disclosed. 

“On 21st March 2023, Lockbit published details of their victim, ‘Karnataka State Remote Sensing Application Center,’ which acts as the nodal agency in the state for all Remote Sensing and GIS activities,” the post revealed. “The victim organizations interact and collaborate with the Indian Space Research Organization, Dept. of Space, Govt. of India, and other National and International Organizations in the field of remote sensing and allied disciplines.”

It added that on 13th March 2023, Lockbit published their new ransomware victim, ‘Maximum Industries,’ a company that specializes in the fabrication of rocket parts. “The group claimed the compromised data included 3,000 engineering drawings certified by SpaceX, a manufacturer of spacecraft and SATCOM technology.”

On Mar. 10, Lockbit published details of ransomware victim ‘Micos Engineering GmbH,’ an independent system engineering SME that focuses on optical instrumentation, satellite-based payloads, remote sensing units, and other small satellite solutions.

Apart from Lockbit’s attack on Maximum Industries earlier this year, DNV’s ShipManager servers were also hit by a ransomware attack. According to DNV’s official statement, “Following the cyber-attack, the ShipManager server environment had to be rebuilt.” The growing number of ransomware attacks on organizations in the space and SATCOM supply chain highlights ransomware groups’ interest in disrupting this sector.

Evidently, threats to satellite communication networks have been increasing gradually over the past few years. The February 2022 cyber-attack against Viasat’s KA-SAT network partially interrupted KA-SAT’s consumer-oriented satellite broadband service and cut off remote monitoring and control of 5,800 Enercon wind turbines in Germany. This highlights that cyber attacks on components within the SATCOM industry can have a disastrous effect and weaken national critical infrastructure operations.

U.S. security agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), released last May a cybersecurity advisory setting out mitigation strategies for organizations in this industry. The trajectory of past events, along with ransomware and hacktivist attacks on the SATCOM and space industry, should be considered by the relevant authorities, as attacks on this sector have the potential to disrupt other key national services.

Ahead of the release of that advisory, the agencies had in March last year called for strengthening the cybersecurity of national and international SATCOM networks, following concerns about possible threats to these networks. The agencies warned that successful intrusions could create risk in SATCOM network providers’ customer environments.

The CRIL team believes that “in the near future, TAs [threat actors] will actively exploit public-facing SATCOM devices and launch ransomware attacks on organizations that support the SATCOM Industry for financial and political motives.”

Last week, the Space ISAC launched its Operational Watch Center, reaching initial operational capability. Supported by a dedicated team of ten in-person analysts with additional virtual support enabled by a secure cloud architecture, the Watch Center is a significant step forward for the space community. Space ISAC describes the initiative as a crucial milestone, and the Center is intended to help address the growing threats and vulnerabilities faced by a sector that now serves billions of people worldwide.
