Agencies Warn on Satellite Hacks & GPS Jamming Affecting Airplanes, Critical Infrastructure

The Russian invasion of Ukraine has coincided with the jamming of airplane navigation systems and with hacks on the SATCOM networks that underpin critical infrastructure.

In an alert to aviation authorities and air operators on Thursday, the European Union Aviation Safety Agency (EASA) warned of satellite jamming and spoofing across a broad swath of Eastern Europe that could affect aircraft navigation systems.

The warning came in tandem with a separate alert from the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that hackers could be targeting satellite communications networks in general.

Quit Jammin’ Me

The navigation-jamming attacks affecting airplanes started Feb. 24, the first day of the Russian invasion of Ukraine, EASA said – and they’ve continued to proliferate. So far, the affected areas include the Black Sea airspace, Eastern Finland, the Kaliningrad region and other Baltic areas, and the Eastern Mediterranean area near Cyprus, Turkey, Lebanon, Syria and Israel, as well as Northern Iraq.

“The effects of [Global Navigation Satellite Systems (GNSS)] jamming and/or possible spoofing were observed by aircraft in various phases of their flights, in certain cases leading to re-routing or even to change the destination due to the inability to perform a safe landing procedure,” EASA warned (PDF). “Under the present conditions, it is not possible to predict GNSS outages and their effects.”


Losing a GNSS signal could result in many negative outcomes, including pilots “flying blind,” without the use of waypoint navigation to tell where they are. Outages could also affect the ability for an airplane’s instrumentation to accurately track the aircraft’s position, which could lead to a plane entering contested airspace; the inability to properly gauge one’s proximity to the ground (which could trigger pull-up commands, according to the alert); or the failure of systems that address dangers like wind shear.

“The magnitude of the issues generated by such outage would depend upon the extent of the area concerned, on the duration and on the phase of flight of the affected aircraft,” EASA warned.

The agency urged air operators to make sure that fall-back conventional navigation infrastructure is fully operational onboard the aircraft, and to ensure reliable surveillance coverage that is resilient to GNSS interference, such as ground-based navigational aids (i.e., Distance Measuring Equipment or DME, and Very High Frequency omnidirectional range or VOR).

“Verify the aircraft position by means of conventional navigation aids when flights are operated in proximity of the affected areas; check that the navigation aids critical to the operation for the intended route and approach are available; and remain prepared to revert to a conventional arrival procedure where appropriate and inform air traffic controllers in such a case,” EASA recommended. “Ensure, in the flight planning and execution phase, the availability of alternative conventional arrival and approach procedures (i.e. an aerodrome in the affected area with only GNSS approach procedure should not be considered as destination or alternate).”

CISA Warns on Satellite Network Hacking

The concerns over the hacking of satellite systems in general also began Feb. 24, when a Ukrainian official reported that hackers had apparently compromised one of the nation’s satellite systems. According to Reuters, the attack made communication with the Viasat KA-SAT satellite impossible, which resulted in internet outages across Europe, with tens of thousands of people cut off.

The cyberattackers took advantage of a misconfigured management interface for the satellite network, Viasat said.

The National Security Agency is looking into whether the attack was carried out by Russian state-sponsored actors, according to the report.

This week, CISA tersely warned that it is “aware of possible threats to U.S. and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments.”

The agency advised satellite operators to start monitoring at ingress and egress points for anomalous traffic, including the use of various remote access tools (Telnet, FTP, SSH and so on); connections out to “unexpected” network segments; unauthorized use of local or backup accounts; unexpected traffic to terminals or closed-group SATCOM networks; and brute-force login attempts.
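The monitoring points CISA lists translate fairly directly into log-review rules. The following is an added example, not code from the article, CISA or any satellite operator: it runs four of those checks (remote-access protocols crossing an ingress or egress point, egress to a network segment outside the expected customer ranges, logins with local or backup accounts, and repeated failed logins from one source) over constructed flow and authentication log lines. The log formats, the address ranges in `EXPECTED_SEGMENTS`, the account names in `LOCAL_OR_BACKUP_ACCOUNTS` and the brute-force threshold are all assumptions for the sake of the example.

```python
"""Added example: toy detection pass over constructed SATCOM gateway logs.
Not the article's or CISA's code; log formats and thresholds are assumed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic).
# Format: timestamp direction src dst dst_port proto
FLOW_LOGS = """\
2022-03-17T10:00:01Z egress 10.20.5.7 203.0.113.9 22 tcp
2022-03-17T10:00:05Z ingress 198.51.100.4 10.20.5.7 23 tcp
2022-03-17T10:00:09Z egress 10.20.5.7 10.99.1.2 443 tcp
2022-03-17T10:00:12Z egress 10.20.5.8 10.20.6.3 443 tcp
"""

# Constructed sample authentication records (not real logins).
# Format: timestamp result user src
AUTH_LOGS = """\
2022-03-17T10:01:00Z FAIL admin 198.51.100.4
2022-03-17T10:01:02Z FAIL admin 198.51.100.4
2022-03-17T10:01:04Z FAIL admin 198.51.100.4
2022-03-17T10:01:06Z FAIL admin 198.51.100.4
2022-03-17T10:01:08Z FAIL admin 198.51.100.4
2022-03-17T10:02:00Z OK backup-op 10.20.5.9
2022-03-17T10:05:00Z OK jsmith 10.20.5.9
"""

# Remote-access services named in the CISA advisory, keyed by well-known port.
REMOTE_ACCESS_PORTS = {21: "ftp", 22: "ssh", 23: "telnet"}
# Assumed: internal segments a terminal is expected to reach.
EXPECTED_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]
# RFC 1918 space; an egress flow landing here but outside EXPECTED_SEGMENTS is suspect.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: local and backup accounts that should not normally be used interactively.
LOCAL_OR_BACKUP_ACCOUNTS = {"admin", "backup-op"}
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=1)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def inspect_flows(text):
    """Flag remote-access protocols at the boundary and egress to unexpected segments."""
    alerts = []
    for line in text.splitlines():
        ts, direction, src, dst, dport, proto = line.split()
        dport = int(dport)
        if dport in REMOTE_ACCESS_PORTS:
            alerts.append((ts, f"{REMOTE_ACCESS_PORTS[dport]} at {direction} point {src}->{dst}"))
        dst_ip = ipaddress.ip_address(dst)
        internal = any(dst_ip in n for n in RFC1918)
        expected = any(dst_ip in n for n in EXPECTED_SEGMENTS)
        if direction == "egress" and internal and not expected:
            alerts.append((ts, f"egress to unexpected segment {dst}"))
    return alerts


def inspect_auth(text):
    """Flag local/backup account use and brute-force login attempts per source."""
    alerts = []
    recent_failures = defaultdict(list)  # src -> timestamps of failures in window
    for line in text.splitlines():
        ts, result, user, src = line.split()
        t = parse_ts(ts)
        if result == "OK" and user in LOCAL_OR_BACKUP_ACCOUNTS:
            alerts.append((ts, f"login with local/backup account {user} from {src}"))
        if result == "FAIL":
            window = [x for x in recent_failures[src] if t - x <= BRUTE_FORCE_WINDOW]
            window.append(t)
            recent_failures[src] = window
            if len(window) == BRUTE_FORCE_THRESHOLD:  # alert once when threshold is hit
                alerts.append((ts, f"brute force: {BRUTE_FORCE_THRESHOLD} failures from {src} within 1m"))
    return alerts


def run_all():
    return inspect_flows(FLOW_LOGS) + inspect_auth(AUTH_LOGS)


if __name__ == "__main__":
    for ts, msg in run_all():
        print(ts, msg)
```

On the sample data the pass produces five alerts: SSH leaving the network, Telnet arriving at a terminal, an egress flow into an internal range outside the expected segments, a fifth failed login from one address inside the one-minute window, and a successful login with a backup account. In a real deployment the same rules would be fed from the gateway's flow export and the management interface's authentication log rather than from embedded strings.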

Satellite customers meanwhile should implement multifactor authentication (MFA) on their accounts, CISA warned, and should shore up least-privilege approaches for any sensitive areas served by satellite links.

Andreas Galauner, lead security researcher at Rapid7, noted that in the U.S., critical infrastructure is likely the target for such attacks.

“Almost no private individual uses SATCOM, as it is costly and the latency is too high and slow,” he said via email. “This leaves industrial and critical infrastructures, which makes SATCOM an appealing target.”

James McQuiggan, security awareness advocate at KnowBe4, made a similar assessment.

“Communication is a critical element needed in life these days, whether between families or between governments,” he emailed. “If the ability to communicate is lost, it becomes challenging to strategize, coordinate or plan. When cybercriminals are targeting this element of critical infrastructure, cyber-resiliency is essential to remain in contact. Organizations working with SATCOM products or services need to ensure protections to secure access to the devices with multi-factor authentication. Ensure all systems are up to date with software and firmware updates, increase monitoring of traffic and logs, and review incident response plans to prepare for an outage.”

ISPs of all stripes should be vigilant, Galauner added.

“Even though this particular risk relates to satellite communication networks, this has happened before in ‘normal’ ISPs,” he said. “In those instances, what got ‘pwned’ is the CPE: modems and routers that weren’t configured properly by the ISP. This could happen on DSL and cable lines as much as it can happen here. However, a satellite network, possibly spanning huge geographical areas, might allow attackers to perform more widespread attacks without having to be in the physical vicinity.”
