The recent attacks on the ViaSat satellite network in February and March of this year have gone unnoticed amid the din of the Russian assault on Ukraine. And this is understandable: these attacks are cold and distant and somewhat unreal, nothing like the anguish we see on the ground in Kharkiv and Mariupol, or the sheer brutality we see in Irpin and Bucha.
But it is worth paying close attention to these attacks. Not only is this the first time a nation has waged cyber warfare side by side with armored columns, it may also be the first time firmware (code residing in non-volatile storage) has served as the primary battlefield.
On February 24, 2022, a “deliberate multifaceted cyber attack” was carried out against the ground portion of ViaSat’s KA-SAT network. The attack resulted in a partial disruption of KA-SAT’s consumer-oriented satellite broadband service, affecting several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe. The attack unfolded in stages:
- Large volumes of targeted malicious traffic were detected emanating from ViaSat SurfBeam2 and SurfBeam2+ modems and/or associated equipment at customer premises physically located within Ukraine.
- As ViaSat staff worked to force the malicious modems offline, other modems emerged on the network to continue the attack, degrading the ability of legitimate modems to enter or remain active on the network.
- Around the same time, ViaSat saw a gradual decline in the number of modems online in the same business partition, with a large number of modems in much of Europe leaving the network.
- Ultimately, tens of thousands of modems that were previously online and active were disconnected from the network, and these modems were not observed attempting to re-enter the network.
February 24 was, of course, the same day that Russia began its full-scale invasion of Ukraine, with missiles and air strikes accompanying the armored assault. It was also the first day of civilian deaths in the conflict.
Weeks later, multiple sources doing forensic analysis of the attack have focused on firmware updates to the affected modems. One reverse-engineering write-up was particularly clear about the likely vector of the attack:
“Overall, however, the security posture of the Surfbeam2 firmware does not look good. Hopefully these vulnerabilities will no longer be present in the newer ViaSat firmware, otherwise that may pose a security risk.”
To be clear: while this attack may not have used the same techniques as the ones we have seen before, attacks on network devices have become increasingly common in recent months, affecting Pulse Secure VPNs, Fortinet devices, Cisco equipment and many others.
Defending firmware on these terrestrial networks and connected devices requires us to “practice what we preach” when it comes to firmware security. Cybersecurity teams need to routinely identify, verify, and harden the firmware of their devices:
- Identify: The firmware of vulnerable devices, including VPNs, is still under heavy attack right now. Unfortunately, you can’t protect what you can’t see, and firmware visibility on these devices is a critical blind spot. The firmware on these modems likewise has little or no protection, and, as with many other devices, this is tolerated only because the firmware is invisible to users.
- Verify: Once devices are compromised, they can act as stepping stones to increasingly critical parts of the network. In the time before these modems were finally knocked offline, the attacker could easily have been planting backdoors or other malicious behavior anywhere within the trusted management network. Without a way to verify that a device is running healthy firmware, including its binary provenance and current configuration, there are plenty of unvalidated places in which to keep hiding.
- Fortify: Everything from PCs and servers to VPNs and modems carries the same kinds of software vulnerabilities, and faces the same kinds of attacks, that we have seen with other software. If we are to have any hope of defending against attacks at this layer, we must be able to update and reconfigure firmware safely, so that only authentic vendor images ever reach the device.
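As an added illustration of the Verify and Fortify steps (example code written for this page, not Eclypsium’s tooling and not any ViaSat or SurfBeam component), the Go program below shows the minimum a device should do before writing an update to flash: verify a vendor signature over a release manifest, bind the image to that manifest by its SHA-256 digest, check that the image is built for this hardware model, and refuse rollback to an older release. The manifest layout, the model string “SB2-demo”, the version numbering and the in-memory signing key are assumptions for the example; a real deployment keeps the private key in an HSM and the public key in the device’s protected storage.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the small record a vendor signs for each firmware release.
// The image itself is bound to the manifest by its SHA-256 digest, so the
// signature only has to cover these few fields. (Field set and layout are
// assumptions for this example, not any real vendor's format.)
type Manifest struct {
	Model   string // hardware model the image is built for
	Version uint32 // monotonically increasing release number
	SHA256  string // hex-encoded SHA-256 of the image bytes
}

// canonical is the exact byte string that is signed and later verified.
// A fixed encoding matters: signer and verifier must hash identical bytes.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("model=%s\nversion=%d\nsha256=%s\n",
		m.Model, m.Version, m.SHA256))
}

// NewRelease is the vendor-side step: digest the image and sign the manifest.
// The private key is held in memory here only for the demo.
func NewRelease(priv ed25519.PrivateKey, model string, version uint32, image []byte) (Manifest, []byte) {
	sum := sha256.Sum256(image)
	m := Manifest{Model: model, Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.canonical())
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify")
	ErrWrongModel     = errors.New("manifest is for a different hardware model")
	ErrRollback       = errors.New("image version is not newer than the installed one")
	ErrDigestMismatch = errors.New("image digest does not match signed manifest")
)

// VerifyImage is the device-side gate that runs before any image is written
// to flash. Checks are ordered so that nothing in the manifest is trusted
// until its signature has been verified with the vendor public key.
func VerifyImage(pub ed25519.PublicKey, m Manifest, sig, image []byte, model string, installed uint32) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return ErrBadSignature
	}
	if m.Model != model {
		return ErrWrongModel
	}
	if m.Version <= installed { // refuses a downgrade to a known-vulnerable release
		return ErrRollback
	}
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(image)
	if err != nil || !bytes.Equal(want, sum[:]) {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor signing key (demo only)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed stand-in for a firmware image") // not a real image
	m, sig := NewRelease(priv, "SB2-demo", 7, image)

	// A genuine release for the right model with a newer version is accepted (nil error).
	fmt.Println("genuine release:", VerifyImage(pub, m, sig, image, "SB2-demo", 6))

	// An attacker who can push bytes to the modem but lacks the vendor key
	// cannot get a modified image past the digest check ...
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyImage(pub, m, sig, tampered, "SB2-demo", 6))

	// ... and re-pointing the manifest at the tampered digest breaks the signature.
	forged := m
	ts := sha256.Sum256(tampered)
	forged.SHA256 = hex.EncodeToString(ts[:])
	fmt.Println("forged manifest:", VerifyImage(pub, forged, sig, tampered, "SB2-demo", 6))

	// A genuine but older release is refused, so fixed bugs cannot be reintroduced.
	fmt.Println("rollback attempt:", VerifyImage(pub, m, sig, image, "SB2-demo", 7))
}
```

The ordering inside VerifyImage is the point worth copying: the signature check comes first, so an attacker who controls the update channel cannot influence the model or version comparison with unsigned data, and the version check comes before the (comparatively expensive) digest of the whole image so that a replayed old release is rejected cheaply.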
But what if attackers seek to move “upstream” from terrestrial modems and try to compromise the firmware of the satellites themselves?
The Higher Question: Firmware in the Firmament
Of the approximately 5,000 satellites in Earth orbit, some 2,224 are communications satellites. These modern wonders are quietly and reliably responsible for much of what we take for granted in everyday life: television and radio, telephony and the Internet, military communications, and data access. Most of these communications satellites are geostationary: each stays over a fixed point on the equator and serves a fixed, relatively small region of the Earth’s surface.
These satellites, like all devices, are made up of thousands of unique components. Many, if not most, of these components have their own embedded firmware to provide instructions.
The firmware in these devices suffers from the same weaknesses and drawbacks that plague the firmware in their terrestrial modem counterparts:
- Firmware vulnerabilities: Of the most-exploited vulnerabilities identified by the US Cybersecurity and Infrastructure Security Agency (CISA) in Q4 2021, a striking 69% were in firmware code rather than in applications or operating systems.
- Lack of updates: Because of the “black box” nature of firmware and the general unease professionals feel about updating this non-standard, highly customized code, Eclypsium finds that almost 80% of firmware is never updated before the device reaches end-of-life.
- A recent federal report – “Assessing the Critical Supply Chains Supporting the US Information and Communications Technology Industry.” – cited firmware as the “single point of failure” in most technology supply chains.
If our adversaries have adopted a strategy of “jamming” modems via firmware attacks to sow confusion, it is not much of a leap to transpose that goal to the satellites themselves: a firmware attack that would render them useless.
There is, however, a plan to stem this tide before it reaches firmware attacks on devices in orbit. New legislation proposed in the US Senate, the Satellite Cybersecurity Act, would seek to address some of the current defensive shortcomings. Specifically, the proposal calls for:
- “Cybersecurity-informed, risk-based engineering, including continuous monitoring and resiliency.” Eclypsium expects this to be defined to include firmware.
- “Planning for the retention or recovery of positive control of commercial satellite systems in the event of a cybersecurity incident.” Eclypsium expects the requirements addressing this to include provisions for automated, cryptographically signed firmware updates.
- “Management of supply chain risks affecting the cybersecurity of commercial satellite systems.” Eclypsium’s recent white paper on firmware security in supply chains outlines the key steps organizations must take to protect this increasingly complex and invisible layer of the supply chain.
If this legislation is properly developed and enforced, firmware security will no longer be the afterthought it has been for the last twenty years, with its familiar lament of “I guess we didn’t think about that.”
Yet we have seen that human nature, from national chest-pounding to financially motivated cyberattacks to all-consuming autocratic greed, moves faster than the laws of Congress. Hopefully we get through this as an industry before we have another “we didn’t think about that” moment.
Sign up for the next Eclypsium webinar, Fix Links: Firmware Security and Technology Supply Chains for more on this topic.