
Seems entirely plausible to me that someone pushed a firmware update which corrupted the firmware (even maybe at the FPGA/bootcode level) and effectively bricked the devices. Not horribly complicated to do, and once you've done it, it would require physical access to recover each device individually.

Is there a plausible explanation for who would do this, besides Russia?

Is Viasat/Eutelsat a particularly good target for this for some reason? (It seems more like Iridium is used in these scenarios.)




KA-SAT seems to be used for SCADA control of 11 Gigawatt worth of wind turbines in Germany, among other things [1].

Not sure at all if this was the intended/primary target, but Europe is certainly scrambling for every Watt at the moment...

Also note that KA-SAT/Viasat and Eutelsat seem to be different platforms. I've seen reports of services based on the former being affected (e.g. SkyDSL [2]), but not the latter (Konnect), so far.

I was also surprised to learn that Ka-band based stationary consumer satellite internet services seem to be using (mostly) plain DOCSIS as the protocol. That possibly introduces its own share of vulnerabilities due to OTA updates/provisioning.

[1] https://thestack.technology/viasat-ka-sat-outage-cyber/

[2] https://www.connexionfrance.com/French-news/Thousands-in-Fra...


Taking a country's infrastructure through a cyberattack is considered an act of war. Same as if you bombed the power generation infrastructure.


Sure, but can you prove it to the public in enough certainty to declare war? No. Suppose it was Russian flag, they could very easily just claim they were framed - and they very likely could’ve been.


> Sure, but can you prove it to the public in enough certainty to declare war?

This is not a court of law; proof is not what is missing to declare a war against Russia. They have a credible nuclear deterrent, that is why war is not declared against them by other countries.

It is in fact a very sweet idea to think that a war declaration depends on meeting or not meeting some evidentiary standard.


> have a credible nuclear deterrent, that is why war is not declared against them by other countries

Nobody “declares” wars anymore. If Russia were believed to be responsible for this, it would make it politically feasible to attack their critical infrastructure through targeted (plausibly deniable) cyber attacks.


You misunderstood, or simply ignored the word “public”. In free press societies, you need the will of the people to go to war. You need a 9/11 moment. A casus belli.


Like all of the evidence presented for WMDs in Iraq?


Yes. Although it wasn’t really needed. Many in the US thought Hussein was responsible for 9/11.

If a democratic country wants to go to war it needs a reason that’s beloved by a large number of people.


> In free press societies, you need the will of the people to go to war.

Sure. And this consent can be produced when there is a need for it. “Proof” is not the missing component.

That American basketball player who the Russians detained? Casus belli. The cyber attacks? Casus belli. Shelled civilians? Casus belli. The NATO country cargo ships which got hit and sunk? Casus belli.

These are just the ones I can think of. A proper state apparatus can come up with many more and probably even better ones. Government officials will leak the background, solemn-faced politicians will demand justice, while friendly journalists will write up the whole thing in the most heart-wrenching way. If they want to, they can.

So why don't they want to? Is it because the Russian army is so powerful that we think we can't overpower them? No. Is it because the Russian air defences are so advanced that they cannot be picked apart? No. So what is it which makes the West avoid a direct confrontation with Russia? Why are they doing this strange dance of supplying weapons to Ukraine and hurting Russia with sanctions, but not directly engaging with them troop-to-troop? It's the Russian nukes.

> You misunderstood, or simply ignored the word “public”.

I don't think so. You won't "prove" anything to the public through detailed technological explanations. A fig leaf of deniability might be an interesting roadblock in a criminal prosecution where things have to be proven "beyond a reasonable doubt". In a situation where there is a governmental will to engage in a peacekeeping mission (read: send troops to fck the Russians up) the evidentiary level is "can we find an authoritative-sounding voice in the whole government who can tell the right sob story to enough gullible journalists to sell the people on it". That is such a low level of "proof" that one might as well assume it can be met nearly always.

Journalists won't pore over the attack binaries using Ghidra to make an assessment about the relative probabilities that it has the signatures of being created by this or that advanced persistent threat group. The ones who would demand that level of rigour before publishing won't get the scoop. The ones who are selected to spread the message will have a lovely hour with a very charismatic "expert" who will walk them through just enough of the detail to sound right but not to get bogged down in unnecessary complications. This chat will get translated into a single line in their article, maybe something like "experts at the National Security Agency matched the unique signatures of the cyberweapon to the advanced persistent threat group Tippsy Bears, a known front of the Russian Federation." Followed by two pages of heart-wrenching human-angle story about innocents suffering needlessly. That is the "proof" the public might get.


I was with you until you said prove it "to the public"

After the WMDs and the "17 intelligence agencies agree" fiascos, among countless others, I'm beginning to lean on the side of the media being able to sell snow to an eskimo.

I know this is US-centric and lots of europe/other parts of the world were much more skeptical of the WMD claims at the time.

Before people politically flame me, I mention the "17 intelligence agencies" for 2 reasons: 1) getting 17 people to agree on anything is impossible; getting 17 gigantic bureaucracies, each larger than most governments, to agree on anything is asinine. 2) most of the evidence, if you read the redacted report, was trivially forgeable, so as to be pointless in determining actual responsibility. "We found Cyrillic characters in the code, it could only have come from Russia!"


Nobody likes Russians. This would quite frankly be the easiest sell in history. Evil bad guys? Check. Innocent civilians? Check. Fighting far away from your own vulnerable infrastructure? Check.


Nobody wants to get nuked over a cyberattack.

Even if attribution was possible and confirmed, nobody wants to start a nuclear war over a cyberattack.


Probably not, which is why you probably wouldn't want to openly send the military. But you might, e.g., perform cyberattacks yourself.


If this was true and practical, there would be so many wars... pretty much every country has had some infrastructure hacked, most more than once, some by random groups, some by government sponsored hacking, some by exploiting outdated installation of services and some using very advanced techniques (eg stuxnet).


Depends on who wrote the rules and who wins. It's not like NATO/5eyes hasn't been going on about cyber warfare threats for at least 15-20 years now; at least I've been aware of it for 17 years.

I learnt during the Falklands conflict, when the General Belgrano was sunk, that some countries like the UK will ignore rules when it threatens them. https://en.wikipedia.org/wiki/ARA_General_Belgrano#Later_pol...

Churchill is another UK leader who chose to ignore rules or international agreements, and I'm well aware criminals don't care about rules either.

This is just the Fog of War that is not a War.


From your first link:

"The [turbines] affected remain in operation and are producing clean renewable energy. ... they will operate in automatic mode and are fundamentally capable of self-contained and independent regulation."


Sure, I'd hope for a heavily decentralized system to have some capability of autonomous operation. But in the medium and long term, it can't be good to not be able to remotely monitor for failures requiring manual intervention or on-site mechanical servicing.


Having to visit every turbine to replace a satellite modem doesn't sound like a super large challenge at nation-state scale.


That's assuming that there is enough personnel and spare hardware available, which is not a given even outside of an ongoing supply chain crisis.


The problem is once again our godawful prior government. Many tens of thousands of jobs in the wind industry have vanished over the last years [1] because the Conservatives oppose renewable power and impeded it wherever possible; whether it is because of corruption, incompetence, or fear of the far-right that outright demonizes anything not fossil or nuclear, I don't know. In any case, we simply don't have the staff to visit literally thousands of wind turbines, a lot of which are actually offshore, simply to replace routers.

This situation is an unbelievable clusterfuck.

[1]: https://www.zdf.de/nachrichten/wirtschaft/windkraft-industri...


[1] above: "This article was published on: 02/28/22".


Viasat KA-SAT was used by Ukraine for some military and government communications.

The US, perhaps acting on intelligence preceding the Viasat attack, provided Zelensky with an Iridium 9575A.

https://www.cnn.com/europe/live-news/ukraine-russia-putin-ne...


>"Initially it took a few days for the Ukrainians to get the satellite phones up and working because the instructions on how to use it were in English, not in Ukrainian."

Seriously?! Did the president hire my parents to set up his satellite phone? I refuse to believe that a nation state doesn't have at least a couple of techs on their payroll with decent command of English. If this is true then it's just embarrassing on so many levels and I'm really afraid of how Ukraine has a chance at winning this war.


> Is there a plausible explanation for who would do this, besides Russia?

Any engineer could accidentally do it... I can totally imagine the release engineer accidentally pushing the dev version, only to realise later that the dev version doesn't have quite the right config to connect for example.

Blaming it on a cyber attack is a lot less bad than saying "whoops, we bricked everyone's modems".


It should be pretty easy to figure out which one it is, except if the deployment vector was actually a malicious firmware update.

A plausibly deniable exploit like that is probably orders of magnitude more expensive, and the timing is suspicious enough that it's probably not even worth trying. In any case, it's not like it's trivial to attribute (beyond reasonable doubt) a "transparent" cyber attack either.


Except for when tensions are this high where that blame could be a lot less casual than other times.


Release engineer would own up to it. There would be a trail, with no attempt to hide it.


There's still the incentive to cover it up externally and blame it on a cyberattack as opposed to poor internal processes that allowed such a bug to make it to production.


Dumb question here, but my thoughts were: why not push the corrupted update to the sats? AKA hack the sat firmware? I'm fairly certain that they aren't wide open doors, but still, I would guess that it would be a lot easier doing it that way. Perhaps it was both, or something else entirely. It will make for an interesting read one day.


It's easy to buy an end-user terminal and tear it apart on your workbench to develop an understanding of how it works. I don't know about you, but I haven't seen any satellites on eBay recently.

Also, most satellites are intentionally as dumb as possible, just a "bent pipe" transponder, putting all the complexity on the ground stations which are easier to service if something goes wrong. There might not be much to do on the satellite itself.


With the right commands, you could flip the satellite by 180 degrees, move it from Europe to the pacific ocean, or crash it into one of its neighbors.

All geostationary satellites need to be capable of at least some station-keeping to correct for drift, move them to other service areas, or move them to a graveyard orbit at their end of life. (Unlike LEO, GEO satellites don't carry enough fuel for de-orbiting, and friction is essentially nonexistent at that altitude.)

That layer of commands is hopefully very well protected.


> That layer of commands is hopefully very well protected.

Typically some form of HMAC authentication. You can read about it in the CCSDS Blue Book.
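As an added illustration of the kind of protection the comment above is pointing at (this is not CCSDS code and not anything from Viasat or Eutelsat; the frame layout, field sizes, pre-shared key and the `CommandLink` class are all assumptions made for the example), here is a command frame carrying a truncated HMAC-SHA256 tag together with a monotonic counter, and a receiver that checks the tag before it looks at anything else. The counter is what turns "authenticated" into "cannot simply be replayed".

```python
"""Authenticated, replay-protected command frames (added example, not CCSDS code).

Layout assumed for this illustration: 2-byte command id, 8-byte monotonic
counter, payload, then a 16-byte tag = truncated HMAC-SHA256 over everything
before it. Both ends hold the same pre-shared key.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">HQ")   # command id, monotonic counter (assumed layout)
TAG_LEN = 16                    # truncated HMAC-SHA256 tag


class CommandLink:
    """One end of the command link; the same class serves ground and spacecraft."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.last_counter = -1      # highest counter accepted so far (receive side)

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()[:TAG_LEN]

    def build(self, cmd_id: int, counter: int, payload: bytes) -> bytes:
        body = HEADER.pack(cmd_id, counter) + payload
        return body + self._tag(body)

    def verify(self, frame: bytes):
        """Return (verdict, (cmd_id, payload) or None).

        Order matters: the tag is checked before the counter is even looked at,
        so an unauthenticated frame can never advance the replay window.
        """
        if len(frame) < HEADER.size + TAG_LEN:
            return "reject: too short", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(self._tag(body), tag):   # constant-time compare
            return "reject: bad tag", None
        cmd_id, counter = HEADER.unpack_from(body)
        if counter <= self.last_counter:
            return "reject: replay", None
        self.last_counter = counter
        return "accept", (cmd_id, body[HEADER.size:])


def demo() -> list:
    """Walk through the cases a reviewer would want to see handled."""
    key = bytes.fromhex("00" * 16)        # constructed key for the demo, not a real one
    ground, spacecraft = CommandLink(key), CommandLink(key)
    results = []

    # 1. genuine frame, fresh counter
    f1 = ground.build(0x0101, 1, b"ADJUST_ATTITUDE")
    results.append(spacecraft.verify(f1)[0])          # accept
    # 2. exact replay of a frame that was already accepted
    results.append(spacecraft.verify(f1)[0])          # reject: replay
    # 3. genuine frame with one payload byte flipped in transit
    f2 = ground.build(0x0102, 2, b"STATIONKEEP")
    tampered = f2[:HEADER.size] + bytes([f2[HEADER.size] ^ 0x01]) + f2[HEADER.size + 1:]
    results.append(spacecraft.verify(tampered)[0])    # reject: bad tag
    # 4. the untouched copy still works: the rejected frame did not burn counter 2
    results.append(spacecraft.verify(f2)[0])          # accept
    # 5. attacker without the key: right structure, fresh counter, forged tag
    forged = CommandLink(b"\xff" * 16).build(0x0103, 3, b"REORIENT")
    results.append(spacecraft.verify(forged)[0])      # reject: bad tag
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two details carry most of the value: `hmac.compare_digest` avoids leaking the tag through timing, and the counter is only advanced after the tag has passed, so a flood of garbage frames cannot desynchronise the window. A real link would add key management, a strategy for counter resync after a lost frame, and ideally encryption of the payload, none of which is shown here.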


What a fascinating rabbit hole. Thank you!


That is a completely separate layer, run by and built by a different company using technology from 20 years ago.


The satellite layer is probably very custom and requires specific skills and initial recon work which could be visible and risky. In contrast, getting access to the management network and sending intentionally-malformed configurations or firmware updates to the terminals is much easier and doesn't require any satellite-specific knowledge. The satellite terminals (at least the router part of it) are just standard Linux embedded devices, so no special skills required.

If your objective is to disable the devices like they've done, attacking the "easy" layer is enough so why waste time on unnecessary complexity? Of course they might well have also done recon on the satellite side and collected valuable data they can use in the next round.
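The scenario this comment and the earlier "release engineer pushed the dev version" comment describe is a terminal accepting whatever firmware or configuration the management side hands it. As an added example (not Viasat's, not any vendor's bootloader; the image layout, `MAGIC`, the `Bootloader` class and the keys are assumptions for the illustration), here is the gate a terminal-side bootloader would put in front of flash: structural checks on the untrusted bytes, a signature check under the release key, and an anti-rollback check. HMAC stands in for the asymmetric signature a real device would verify against a public key in ROM, only so that the example runs on the Python standard library.

```python
"""Verifying a firmware image before flashing (added example, generic format).

Assumed image layout: 4-byte magic, u32 version, u32 body length, body, then a
32-byte HMAC-SHA256 over everything before it under the *release* key. HMAC
stands in for the asymmetric signature a real bootloader would check against a
public key in ROM; it is used here only so the example runs offline.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                  # assumed magic, not a real vendor format
HDR = struct.Struct(">4sII")     # magic, version, body length (assumed layout)
SIG_LEN = 32


def build_image(signing_key: bytes, version: int, body: bytes) -> bytes:
    """What the build/release side produces."""
    hdr = HDR.pack(MAGIC, version, len(body))
    return hdr + body + hmac.new(signing_key, hdr + body, hashlib.sha256).digest()


class Bootloader:
    """Terminal side: decides whether an offered image may reach flash."""

    def __init__(self, release_key: bytes, installed_version: int) -> None:
        self.release_key = release_key
        self.installed_version = installed_version

    def check(self, image: bytes) -> str:
        # Structural checks first, using only lengths that are actually present.
        if len(image) < HDR.size + SIG_LEN:
            return "reject: truncated"
        magic, version, body_len = HDR.unpack_from(image)
        if magic != MAGIC:
            return "reject: bad magic"
        if HDR.size + body_len + SIG_LEN != len(image):
            return "reject: length mismatch"
        # Signature over header + body under the release key. A dev-key build,
        # a corrupted body or a corrupted header all fail here.
        signed, sig = image[:-SIG_LEN], image[-SIG_LEN:]
        expected = hmac.new(self.release_key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "reject: signature mismatch"
        # Anti-rollback: an old but validly signed image reintroduces fixed bugs.
        if version < self.installed_version:
            return "reject: rollback"
        return "accept"

    def install(self, image: bytes) -> str:
        verdict = self.check(image)
        if verdict == "accept":
            self.installed_version = HDR.unpack_from(image)[1]
        return verdict


def demo():
    """Offer a modem a series of images; constructed keys and bodies, not real ones."""
    release_key = b"release-key-constructed-for-demo"
    dev_key = b"dev-key-constructed-for-demo"
    modem = Bootloader(release_key, installed_version=5)
    body = b"\x00" * 64
    results = []
    results.append(modem.install(build_image(release_key, 6, body)))   # accept
    results.append(modem.install(build_image(dev_key, 7, body)))       # dev build, wrong key
    results.append(modem.install(build_image(release_key, 4, body)))   # older than installed
    good = build_image(release_key, 7, body)
    results.append(modem.install(good[:-5]))                           # cut short in transit
    corrupt = bytearray(good)
    corrupt[HDR.size + 3] ^= 0xFF                                      # one body byte flipped
    results.append(modem.install(bytes(corrupt)))
    results.append(modem.install(good))                                # the real release
    return results, modem.installed_version


if __name__ == "__main__":
    verdicts, version = demo()
    print(*verdicts, sep="\n")
    print("installed version:", version)
```

What this gate buys is narrow but real: an image that is malformed, corrupted, older than what is installed, or built with anything other than the release key never reaches flash, so the "accidentally shipped the dev build" case and the "malformed update from the management network" case both stop at the bootloader. It does nothing against an adversary who can get a destructive image signed with the release key, which is why the signing key and the path that pushes updates deserve the same scrutiny as the device.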


The satellite command and control is probably the one bit of the network that's actually hardened (possibly even air-gapped), completely proprietary, etc. - that bit is designed by the companies that make $200 million satellites, not the people who make fairly cheap modems and have different priorities.

The current generation of satellites themselves generally do nothing to the data stream - for each of the dozens of spot beams they're transmitting, they generally just take an RF signal from the ground station (multiplexed in various ways up to the satellite) and convert the frequency. Same with the receive path just in reverse.

The actual modulation/demodulation all happens at the ground station. This is because they expect modem technology will improve, but the satellite has to be able to work for 25-30 years. (Though in the industry they are talking about putting more and more 'software defined' functionality on the satellites, but again this will mostly have to go via their secure systems at the ground station, not from the terminals)

So there's basically no way to interact with any 'satellite firmware' unless you're in a very specific location (near their ground station) with extremely specialised gear.


Because it's one thing to attack hardware in Ukraine and have some collateral damage in other parts of the world, and an entirely different thing to directly attack an expensive space asset of another country just because it is used to provide service to Ukraine.

Also, the affected ground stations are in Germany, the satellite belongs to a US company.



