Satellites, the first line of defence
Last month, five of the western world’s security organisations released a joint Cybersecurity Advisory warning organisations that Russia’s invasion of Ukraine could put them at increased risk of cyberattacks.
The agencies, one from each of the “Five Eyes” countries that have worked on intelligence since World War Two, were the UK’s National Cyber Security Centre, the Cybersecurity and Infrastructure Security Agency (CISA) in the US, National Cyber Security Centre New Zealand, the Canadian Centre for Cyber Security, and the Australian Cyber Security Centre,
But what this will mean for the wholesale telecoms/ICT community that protect not only the infrastructure, but the network layer and in some cases the application layer as well?
According to Alp Toker, founder and director of NetBlocks, a global internet monitor, “Ukraine has been a huge wake-up call for the telecoms community in terms of security”, but there are also other factors to consider.
Firstly, the pandemic has caused a blurring of lines between business infrastructure and home infrastructure, “so you already have this need for resilience that is much more widespread than to the office or to the data centre,” says Toker.
At the same time there has been a growing awareness of physical infrastructure and threats to physical infrastructure, including both kinetic attacks and sabotage, “so, along with awareness of telecommunications, there’s also an awareness of how to disrupt telecommunications”.
But by his own admission there is no silver bullet. Instead telcos must adopt a “holistic approach” with information officers encouraged to track the news and keep up to date with what’s going on according to their own processes.
“There’s the hardware threat, the software threat, as well as a piggybacking of business infrastructure, increasingly on consumer networks creating this need for increased reliability across the board,” added Toker.
“Telcos are going to need to improve security by themselves. They can’t rely on government or local authorities. It’s a task for the entire business.”
Despite the need for a holistic approach, a month prior to the publication of the joint Cybersecurity Advisory, the CISA and the Federal Bureau of Investigation (FBI) published an alert on the need for US and international satellite operators to strengthen their cybersecurity – citing “the current geopolitical situation”.
In its advisory the Cybersecurity Advisory writes that it “strongly encourages critical infrastructure organisations and other organisations that are either satcomm network providers or customers to review and implement the mitigations outlined in this CSA to strengthen satcomm network cybersecurity.”
Toker said: “Satellite communications have played a significant role in the conflict, despite Ukraine being very well connected via land.”
One such incident that supports this need is the attack on the Viasat satellite network in Europe on the morning of the Russian invasion.
“It shows you that this kind of instruction will be targeted as a means of preparing the battlefield and as a means of limiting communications,” he added.
Further, the introduction of low earth orbit satellites like Starlink brings with it new technological opportunities as it no longer requires “bulky equipment” and “in theory, a receiver and transmitter can be minimised and put on a phone: it can even be scaled down to the size of a wristwatch”.
This has been part of what Toker calls “the information warfare field”. The first is that “the technology itself has been classified as a risk by the Russian government, which sees independent communication lines as a threat”.
Next, he says is the use of jamming, which refers to the intentional disruption of wireless communications with signal interference to limit the use of devices such as handsets.
“The most interesting thing here is this new ability that Starlink has developed to dynamically mitigate these risks, which really speaks to needs that the whole industry faces not just in satellite. When there is a threat, you need to be able to counter it dynamically and in real time.”
This functionality enables operators to push updates, including firmware updates and dynamic frequency updates to mitigate these threats “because otherwise your device is going to be incapacitated and stuck in the field”.
This leads onto another emergent threat: firmware attacks, another type of assault believed to have happened during the Russia-Ukraine war.
“This is every telco’s nightmare, because once a device is bricked that device is very difficult or impossible to repair,” says Toker.
“If hackers can push fake firmware or can incapacitate devices, they can knock out significant parts of the network, without even needing to perform a more sophisticated attack or supply chain attack. The more remote the devices, the more of a nightmare it is for the operator to resolve the issue, with the ultimate fear being that satellites themselves could be bricked through remote firmware.”
One such example includes the story of Russian looters who, while working with the Russian military, stole 27 pieces of John Deere farm equipment, valued at approximately $5,000,000 from a dealership in Melitopol, Ukraine.
The group attempted to take the equipment back to Chechnya, Russia in an attempt to sell it on, but the John Deere dealership used the internet and bricked the tractors, using an in-built kill-switch.
Security and tech
With so many companies monitoring the situation, Quad9, a global public recursive DNS resolver, intercepted more than 4.6 million attacks against computers and phones in Ukraine and Poland since March of this year.
Bill Woodcock, executive director of Packet Clearing House, said: “They’re being targeted by a huge amount of phishing, and a lot of malware that is getting onto machines is trying to contact malicious command-and-control infrastructure.”
Toker says that, due to the varied nature of these attacks, “securing the home, and building networking structure that is as reliable as the office, in people’s homes, has really become the new challenge”.
AI and machine learning continue to be the biggest technologies to invest in for their ability to monitor and mitigate network activity. As for things like quantum cryptography, Toker says it “holds a lot of potential” but “but there are also questions about how to make it attractive as an investment. There needs to be an increased awareness and desire to protect users’ data, so that there can be investment in technologies like quantum cryptography.”
While blockchain continues to grow in use cases, he says “we haven’t yet seen the real-world applications agreed” for the technology.
Toker’s advice is to decentralise as much as you can, while increasing peering and reducing choke points that can be targeted by threat actors.
“If a telco isn’t automating their threat analysis, they really need to get involved with that now,” he said. “You need to know what attacks are coming in, and you need to be able to automate that, so machine learning would be a deployment that I would prioritise.”