Trawling Hacker Forums Uncovers Crucial Information on Space Cyber Attacks

Following the Viasat hack, which took place a few hours prior to the invasion of Ukraine and impacted both the Ukrainian Armed Forces as well as thousands of customers across Europe, the space community became increasingly aware of cyber threats. While the Viasat hack garnered media attention, the subsequent wave of attacks that followed slipped largely under the radar.

As a senior cyber defense researcher, I recently published a study with the Center for Security Studies at Swiss university ETH Zurich, based on publicly available data collected by crawling through hacker groups on the messaging app Telegram. The following are takeaways from that study, which identified 124 cyberattacks against the space sector for motives related to the war in Ukraine.

Aftermath of the Attack

Out of 124 identified cyber operations against the space sector, 57 different entities were targeted, including Starlink, NASA, Lockheed Martin, Boeing, French space agency CNES, European Space Agency (ESA), Maxar Intelligence, National Oceanic and Atmospheric Administration (NOAA), Leonardo, Avio, the Swedish National Space Agency, SES, and others.

Overall, 61 percent of operations targeted space companies, while 32 percent targeted space agencies and 3 percent were directed at research institutes. This is not surprising considering the widespread use of commercial space systems and services in the conflict.

Although Ukraine does not have sovereign satellites, it still counts several aerospace organizations, which were also targeted by cyberattacks, including JSC Kiev Radar Plant, Ukrkosmos, Zavod Rapid, the Ukrainian State Centre of Radio Frequencies (UCRF), Arsenal, etc. In addition, several cyber operations targeted Ukrainian terrestrial systems such as soldiers’ mobile phones or tablets in order to retrieve GPS coordinates or information about Starlink.

Ukrainian Resistance in Space and Cyberspace

The study found a balanced ratio of cyber operations against the space sector between pro-Russian attacks (52 percent) and pro-Ukrainian attacks (48 percent). Pro-Russian attacks also targeted the Western and Ukrainian space sector, including 23 percent against U.S space entities, 13 percent against Ukrainian space entities, and 16 percent against the European space sector.

After the Viasat hack, Ukrainian hackers targeted the Russian space sector, in particular Russia’s space agency Roscosmos, which was seen as a direct contributor to the Russian war effort. 15 operations were targeted at Roscosmos, most of which took place between February 2022 and July 2022. During this period, Roscosmos was under the presidency of Dimitry Rogozin, who was publicly reacting to cyberattacks and interacting with hackers online. Rogozin’s polarizing posture likely incentivized threat actors to continue attacking Roscosmos as it generated a lot of media attention. Once Rogozin was replaced by then Prime Minister Yuri Borisov, Roscosmos shifted its communication strategy and stopped acknowledging attacks.

Other pro-Ukrainian operations targeted aerospace and defense company Rostec, the Russian Academy of Science’s Institute for Space Research, RSC Energia, Gazprom Space Systems, Reshetnev, Glonass, etc.

Demystifying Cyberattacks Against the Space Sector

It is important to highlight that most operations that took place after the Viasat hack are nothing like this initial attack. Distributed Denial of Service (DDoS) attacks made up 65 percent of the attacks, while 11 percent were intrusions, and 9 percent were hack and leak operations. Wiper malware such as the one deployed during the Viasat hack is not a common type of attack, and no other operation of that type was identified. As a result, most operations against the space sector were unsophisticated attacks with temporary and recoverable consequences.

Identified operations were largely conducted independently from operations on the battlefield. Based on public data, no cyberattack on a space system has been conducted as part of a truly joint operation on land. Nonetheless, many identified operations were linked to events in the conflict. For instance, Iceye was targeted after it announced the provision of satellite images to Ukraine. CNES was also targeted after the French government announced the delivery of weapons to Ukraine. The Swedish Space Agency was impacted after hosting the Nordic-Ukraine Summit. Yet, these targets were often random as part of larger campaigns against Western countries.

In a similar fashion, aerospace and defense companies are often targeted because they manufacture defense equipment but hackers are sometimes surprised to find information about satellites and space exploration. This was the case in pro-Russian group Killnet DDos attack against Lockheed Martin.

Satellites in Orbit Not Direct Targets

When discussing cyber threats to the space sector, the conversation often centers on attacks targeting satellites in orbit. This focus overlooks the reality of the threat landscape.

In fact, no identified cyber operation targeted the satellite in orbit. It is likely that threat actors attempted to do so but no successful operation was publicly disclosed so far.

The user interface is most often targeted — 76 percent of cyberattacks targeted the user interface, which includes the IT environment of space companies and agencies, including their websites, authentication portals, computers, etc. Meanwhile, 10 percent of operations targeted the user segment, including user modems or satellite phones; 3 percent of operations targeted the software supply chain; and 2 percent targeted the ground segment. Yet, this was sometimes enough to significantly disrupt satellite services.

This shows that the cyber conflict extended to the space sector and space infrastructures but remained confined to space systems on Earth.

Who is Attacking the Space Sector?

Unlike the Viasat hack, which was carried out by Russian military intelligence, most identified operations were conducted by hacktivist groups. The study identified 12 pro-Ukrainian groups and 19 pro-Russian groups. The most active pro-Ukrainian group is the IT Army of Ukraine and the most active pro-Russian group is NoName057(16).

However, not all hacktivist groups are created equal. While most hacktivist groups have little to no link to the government they support, some of them are cooperating with state actors (e.g., IT Army of Ukraine, Kyber Sprotyv). Some groups crave for government support without getting it (e.g., Killnet) while others present themselves as independent groups but might be aliases for state actors (e.g., Cyber Army of Russia or BO Team UA).

These hacktivist groups largely communicate about their operations and self-attribute attacks against the space sector. Nonetheless, it is essential to highlight that not all hacktivists’ claims can be verified and some may exaggerate the results of their actions to attract media attention.

The study demonstrated that no hacktivist group emerged to specialize in operations against the space sector. On the contrary, most hacktivist groups are new to the space sector. Some groups explained that it was their first cyberattack against a space system, which made it unique and complex for them to understand.

Scratching the Surface

State actors also target the space sector but their activities are hard to map as most attacks are not publicly reported by either attackers or victims. The 124 identified operations are likely only the tip of the iceberg.

Although the study only managed to spot a few operations conducted by state actors, it shed light on their interests to target the space sector. Indeed, Microsoft and OpenAI noticed that pro-Russian groups used Large Language Models like ChatGPT to research space technologies used in Ukraine and how to target them. In the same vein, the U.S. government revealed the names of several hackers affiliated with Russian intelligence for targeting the aerospace sector without mentioning specific attacks.

In addition, Space ISAC Executive Director Erin Miller revealed that 100 attacks per week targeted U.S. critical infrastructures that rely on space systems without naming specific examples. She further underlined that attacks similar to Viasat’s did not stop even if they did not make headlines. Moreover, while Viasat explained that it had been targeted several times after the attack of February 2022, open-source information only revealed DDoS operations against Viasat’s websites coming from hacktivist groups. It is likely that other attacks affected Viasat’s space systems and that these were conducted covertly by state actors or state-sponsored actors.

Although publicly available information does not give a full picture of the threat landscape, it still highlights the evolution of the threat and the behaviors of threat actors in a sector that had long overlooked cyber threats.

What’s Next?

Hacker groups now take sides in armed conflict and launch cyberattacks against space systems. The war in Ukraine is not an isolated case. Similar dynamics can be observed in the Israel/Palestine conflict, where hacker groups also target space systems. This trend may have an impact on future operations against the space sector.

Clémence Poirier is the Senior Cyber Defense Researcher | Cyber Defense Project for the Center for Security Studies (CSS) based in Zurich, Switzerland. She is the author of the report, “Hacking the Cosmos: Cyber Operations Against the Space Sector.”