How Earth Observation Companies Stay Ahead of the Cyber Threat

In a new era of warfare enabled by commercial products and services, owners and operators of earth observation constellations are finding themselves on the frontlines of novel conflicts, often fought with technology rather than weapons and deliberately kept below the level of armed combat.

Earth Observation (EO) satellites in Low Earth Orbit (LEO) have experienced interference with their radio frequency, or RF, communications as they pass over conflict zones on Earth below, multiple industry sources say.

Capella Space has seen “RF interference with GPS and with our imaging data,” CEO Frank Backes tells Via Satellite. The company operates a constellation of LEO satellites employing cutting-edge radar imaging technology, which uses radio frequency waves to take detailed three-dimensional images of the ground in all weather and even at night.

The jamming was concentrated in three areas of the globe, Backes says: Around Russia’s borders with Ukraine and its European neighbors; over the Middle East; and above areas of conflict in the South China Sea.

EO operator Maxar Intelligence also confirmed the company has experienced instances of RF interference, though their systems haven’t been impacted operationally. Maxar Chief Information Security Officer (CISO) Norm Laudermilch tells Via Satellite that such RF attacks were part of a suite of “very targeted and very advanced threats against our space [assets], remote ground systems” and other infrastructure that the company’s security team regularly encounters.

Commercial EO imagery was used by the U.S. government to expose Russia’s preparations for its 2022 invasion of Ukraine, and to reveal how its troops committed war crimes in Bucha. In the Middle East, commercial EO imagery has been used to document Israeli strikes on hospitals and other civilian infrastructure in Gaza.

Those high-profile use cases have put EO operators on the front lines, and they’ve been threatened as a result. Konstantin Vorontsov, deputy director of the Russian Foreign Ministry’s nonproliferation and arms control office, said in a speech at the United Nations after the 2022 invasion that the use of commercial satellites by combatant nations is “an extremely dangerous trend,” and did “in fact constitute indirect participation in military conflicts” on the part of satellite operators.

Vorontsov warned that dual-use or “quasi-civilian” infrastructure could be “a legitimate target” for military strikes.

That was a critical moment for the satellite industry, Backes recalls.

“We support the national security of many countries. Not just Capella, but most commercial Earth observation satellites and communication satellites are dual use,” he says. “So that was a direct threat against the entire commercial space sector. And that threat meant we had to come together as a sector, because we had nation-states that might be targeting commercial companies.”

Information Sharing on the Front Lines

LEO operators were already being hit with GPS jamming above those conflict areas, Backes says. But he characterized that as intentional, but not directed at satellite operators in particular. “GPS is being jammed as a counter-UAV measure, for example. But because it’s RF, it transmits up into LEO and it impacts satellites there that use GPS to determine their location,” he explains.

Backes says other operators had experienced the RF attacks as well and reported them through the Space Information Sharing and Analysis Center, Space ISAC, an industry group he helped set up in 2019 while an executive at Kratos, which shares anonymized data about cyberattacks and other hazards to the space sector.

The Space ISAC recently reached 100 corporate and institutional members and partnerships with space and military agencies in the U.S. and a half-dozen allied nations. Backes still sits on the organization’s board. The Space ISAC stood up a 24-hour watch center last year, to provide real-time monitoring of cyberattacks and other threats.

But the ISAC, a non-profit organization, doesn’t attribute the threats it reports on. “People can certainly draw their own conclusions about who might be responsible for the jamming,” Backes says, “but we don’t see it as our job to attribute.”

Information-sharing is a key concept in cybersecurity, explains Maxar CISO Laudermilch, because attackers often reuse malware and command-and-control infrastructure to attack many different target companies, so quickly sharing technical details can help other potential victims block attacks before they happen.

“Intel sharing is in our DNA at Maxar,” says Laudermilch, adding that, in addition to the Space ISAC, Maxar provides cyber threat briefings to intelligence partners and the three-letter agencies on a weekly basis. “They are immediately turning around and re-sharing what we provide with our name on it and everything,” he says.

Maxar, unlike the ISAC, wasn’t shy about attributing attacks to nation-state actors when they had the technical means to do so. “We see constantly growing and constantly changing attacks from our big four adversaries: Russia, China, Iran and North Korea,” Laudermilch says.

This year, in the wake of the RF interference attacks, Space ISAC launched an affinity group for LEO owners and operators, bringing together Capella, Maxar and other members with satcom and EO LEO constellations. Starlink is not a member of Space ISAC and did not respond to an email asking whether its satellites had encountered RF interference attacks.

Space ISAC operates on an “all-hazards” basis, explains Executive Director Erin Miller, sending its members alerts about space weather events like solar flares and other natural phenomena which might impact their operations; as well as new cyberattacks and other technological threats, like the potential sabotage of undersea fiber optic cables which carry internet traffic and help connect remote ground stations receiving satellite signals to the global network.

“We're looking at cyberattacks against the ground segment that would be treated as typical cybersecurity attacks against terrestrial infrastructure, but we're also looking at undersea cables and how that affects the space industry and those ground station providers,” Miller says.

Like other enterprises, EO satellite operators have moved their IT networks to the cloud, meaning that parts of their infrastructure are basically indistinguishable from any other similar sized company, while other parts were very different, she says.

“We also look at the link segment [connecting the satellite to the ground station] and any type of interference with that, any type of spoofing or jamming, and then attacks against the spacecraft itself,” she says.

That last category is new, or newly expanded, with the advent of software-defined satellites. Traditionally, once a satellite was launched, there was no way to change or update its programming or functionality. A new generation of satellites already on orbit can get software updates over the air.

But these new capabilities bring with them an expanded attack surface — more ways for hackers to get access.

STIX in Space

To standardize reporting of these novel threats, Miller says, Space ISAC is working with the Organization for the Advancement of Structured Information Standards, or OASIS, a leading global tech standards organization to develop a universal, machine readable format for threat reporting in the space sector.

OASIS manages the STIX (Structured Threat Information eXpression) standard — a template which ISACs and other cybersecurity information sharing organizations can use to provide cyber threat reporting in a form that can be automatically ingested by cyber defense software. STIX eliminates the need for human operators to cut and paste or retype technical indicators of attack from threat intel warnings into firewall rules or other defensive measures.

OASIS’ Space Automated Threat Intelligence Sharing Technical Committee, or SATIS-TC, is working on a special extension for STIX specifically designed for all-hazards reporting in the space sector.

In order to enable machine-ingestible intelligence, parameters must be set and agreed upon by the community, Miller explains. An example of a parameter like this is what defines a maneuver outside of the normal pattern of life. “Space-ISAC is working on that so that we can have an agreed threshold where everyone understands that’s when you have to report,” she says.

The STIX template, and the STIX space extension, also ensures all reporting data is standardized, making it more meaningful for identifying historical patterns or trends, Miller says.

But to enable proactive defense, intelligence has to get beyond technical indicators of compromise such as those shared via STIX, argues Laudermilch. He says that the intelligence operation at Maxar, using proprietary search tools and access to dark web forums, Telegram channels and Discord chat rooms used by cybercriminals, was regularly able to block cybercrime operations before they had even begun.

“While I can't give you actual examples from our investigations, I can tell you that on a weekly basis, we hear threat actors talk about harvesting Maxar credentials or exploiting a weakness in Maxar systems, and we are able to react before those credentials are stolen and before those vulnerabilities can be exploited,” Laudermilch says.

“That is something we cannot get from commercial threat intelligence companies,” he adds.

The company had also developed boutique tools to do advanced cyber threat detection, plowing through myriad data sources looking for patterns or anomalies in network and other traffic, he says.

“We're using these standard tools that everybody talks about, endpoint security, perimeter security, zero trust tools; and we are aggregating all of the intelligence that we get from those tools, along with all the intelligence that we get from our spacecraft, like telemetry data, into one place so that we can do advanced detection with our own tools,” Laudermilch explains.

The Threat of Altered Images

Looking at the EO sector as a whole, the proliferation of commercial imagery providers means that jamming or blocking a single provider is of limited use to an adversary, points out Greg Falco, an assistant professor at the Sibley School of Mechanical and Aerospace Engineering at Cornell University.

“This information is so ubiquitous — I can go out on the open market right now and purchase any EO imagery I need from a variety of players. So, if you're trying to break that system, blocking one provider or one bird doesn't help because someone else is out there doing it,” says Falco, who does research for DARPA and is considered a leading expert in the fast-growing field of space cybersecurity.

A more attractive option for a geopolitical adversary was to interfere with imagery or analysis further downstream, to create disinformation objects that could be used in an information or influence operation. “It's much more valuable for a threat actor to try and bastardize the information after it’s been collected,” he says.

As commercial use cases for EO imagery proliferate, Falco says, financially motivated cybercriminals might get in on the act, too.

It’s not hard to figure out how a picture of a tank where there was no tank could be used in an information operation, to try to spread disinformation, Falco says. Such downstream attacks could try to alter the image, but changing the analysis would be more productive.

“You can try to change the image, essentially superimpose new features onto an existing image,” he says. “The other opportunity is to break the analysis algorithms that are going into these systems and interpreting the images for the customer.”

These kind of sophisticated attacks are still theoretical, as far as we know, Falco says, but his research for DARPA aims to build systems that would be resilient to such attacks, by using encryption to ensure the integrity of the data. VS

Shaun Waterman is an award-winning journalist who writes about cybersecurity and emerging technology threats