In light of Iran’s recent launch of three satellites into space, geopolitical concerns could increase surrounding the country’s intermittent threats toward the West and Israel amidst the post-October 7 Israel-Hamas war. Indeed, despite Tehran thus far avoiding direct involvement in the war, Iran has loomed via proxies such as Hamas and Yemen’s Houthi rebels to intimidate both Israel and the U.S. for its support of Israel. With Iranian nuclear and satellite capabilities on the rise, Israel and Western entities should remain watchful for potential indirect attempts to disrupt Israeli and Western satellite systems, particularly to hinder communication and surveillance in the face of Israeli attacks on Iranian military personnel.
Alongside the obvious danger of attacks on government satellite systems, attacks on commercial satellites also risk data loss or theft. Such loss or theft could prove perilous in the hands of hacktivists and nation-state actors alike, and could obstruct visibility into Iran’s nuclear activities. Further, the consequences could be severe for both federal and commercial systems: stolen defense-related data in the former case, and exposure of the protected health information (PHI) of patients cared for by hospitals that depend on affected satellite links in the latter.
In addition to the well-known distributed denial-of-service (DDoS) and supply chain methods of attack, used to overwhelm and to infiltrate respectively, backdoors present a more elusive attack, one that exploits vulnerabilities in aerospace systems. To explore this subject in greater depth, MIT-trained Assistant Professor at Cornell University’s Aerospace ADVERSARY Lab, Dr. Gregory Falco, LEED AP, was consulted. Dr. Falco detailed the following (text minimally revised for context):
The bus is what facilitates all communication across the space vehicle. Usually, subsystems are reporting telemetry data over the bus to the brains of the satellite for consistent coordination. When something is chatty, it could either mean that it is programmed incorrectly or it’s sending too much data back. It could be sending data back to the brain to flood the brain with errant messages or for other malicious activity.
Asked how a chatty bus might indicate an attack attempt against a satellite system, whether a DDoS, a supply chain compromise or a backdoor, Dr. Falco elaborated:
These kinds of vulnerabilities are also often used in supply chain attacks due to the many legacy parts of the satellite vehicle in question. [These parts] are [sometimes] operated or managed by an old supplier who does not bother to update their codebase or has third party entities engaging with operations and over-the-air updates. A chatty bus is a common sign of a backdoor installation but given the lack of runtime monitors on the edge of the vehicle, it is difficult to decipher the cause of the chattiness [noise].
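The kind of ground-side check that Dr. Falco’s point implies, as an added example in Python that is neither Dr. Falco’s nor the article’s code: since the vehicle itself lacks runtime monitors, the ground segment can learn a per-subsystem baseline message rate from a known-quiet window of downlinked bus logs and flag any source that later exceeds it by a configurable factor, or that never appeared in the baseline at all. The log record layout, the subsystem names, the rates and the thresholds are all assumptions constructed for illustration.

```python
"""Added example, not Dr. Falco's or the article's code: a ground-side rate
monitor for a "chatty" satellite bus, run over downlinked bus logs."""
from collections import defaultdict
from dataclasses import dataclass


def make_records(source, rate_hz, t_start, t_end, frame_len):
    """Constructed data: evenly spaced telemetry frames from one source.

    Each record is (timestamp_s, source_id, frame_length_bytes), the layout
    assumed here for a downlinked bus log.
    """
    n = int((t_end - t_start) * rate_hz)
    if n == 0:
        return []
    step = (t_end - t_start) / n
    return [(t_start + i * step, source, frame_len) for i in range(n)]


# Quiet reference window (0-60 s): nominal rates for four assumed subsystems.
BASELINE_LOG = (
    make_records("EPS", 1.0, 0, 60, 32)
    + make_records("ADCS", 10.0, 0, 60, 64)
    + make_records("COMM", 2.0, 0, 60, 48)
    + make_records("PAYLOAD", 0.5, 0, 60, 256)
)

# Later window (60-120 s): PAYLOAD turns chatty (40x its baseline) and an
# unknown source address appears on the bus. Both are constructed.
OBSERVED_LOG = (
    make_records("EPS", 1.0, 60, 120, 32)
    + make_records("ADCS", 10.0, 60, 120, 64)
    + make_records("COMM", 2.0, 60, 120, 48)
    + make_records("PAYLOAD", 20.0, 60, 120, 256)
    + make_records("0x7E", 5.0, 60, 120, 16)
)


def rates_per_source(records, t_start, t_end):
    """Frames/s and bytes/s per source over the half-open window [t_start, t_end)."""
    frames = defaultdict(int)
    octets = defaultdict(int)
    for ts, src, length in records:
        if t_start <= ts < t_end:
            frames[src] += 1
            octets[src] += length
    duration = t_end - t_start
    return {src: (frames[src] / duration, octets[src] / duration) for src in frames}


@dataclass
class Finding:
    source: str
    baseline_hz: float
    observed_hz: float
    observed_bps: float
    reason: str


def find_chatty(baseline, observed, factor=3.0, floor_hz=0.1):
    """Flag sources above factor x their baseline rate, or absent from the baseline.

    floor_hz stops a source with a near-zero baseline from tripping on a
    handful of extra frames. Both thresholds are assumptions to tune per vehicle.
    """
    findings = []
    for src, (hz, bps) in observed.items():
        if src not in baseline:
            findings.append(Finding(src, 0.0, hz, bps, "source never seen in baseline window"))
            continue
        base_hz, _ = baseline[src]
        if hz > max(base_hz * factor, floor_hz):
            findings.append(Finding(src, base_hz, hz, bps, f"rate {hz / base_hz:.1f}x baseline"))
    return sorted(findings, key=lambda f: f.source)


def analyze(baseline_log=BASELINE_LOG, observed_log=OBSERVED_LOG):
    """Learn the baseline from the quiet window, then evaluate the later one."""
    baseline = rates_per_source(baseline_log, 0, 60)
    observed = rates_per_source(observed_log, 60, 120)
    return find_chatty(baseline, observed)


if __name__ == "__main__":
    for f in analyze():
        print(f"{f.source}: {f.observed_hz:.1f} Hz ({f.observed_bps:.0f} B/s), "
              f"baseline {f.baseline_hz:.1f} Hz: {f.reason}")
```

Run on the constructed logs, the monitor reports PAYLOAD at 40x its baseline and the unknown address 0x7E. A rate threshold alone cannot say whether the cause is a misprogrammed subsystem, a fault or a backdoor, which is exactly the ambiguity Dr. Falco describes; what it does give the ground team is the source, the window and the byte volume to take into the investigation.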
In the face of potential adversarial activity conducted to gain a competitive edge in the aerospace sphere, defenders can go a step further than investigating a DDoS or supply chain attack and also consider the stealthier backdoor. The “noise” on a bus is telemetry and command traffic rather than sound, so the capture to analyze is a bus or log dump in text form; artificial intelligence (AI) tooling can help sift it, ideally with a translation feature for any strings it recovers. Where voice communications are also captured, AI speech-to-text dictation can produce a transcript, and a human Persian (Farsi) interpreter and translator can then clarify both the audio and any corresponding text.
Regarding prevention, AI tooling could be trained to flag potential backdoors planted by Iranian actors by searching for Farsi words or Persian-script strings in source code during code reviews. One caveat: language artifacts are a weak indicator, since a capable actor will strip them or simply write in English, so their absence does not clear the code. Such reviews should be routine, alongside input validation and sanitization and staying current with the latest security patches. Coupled with regular security audits and code scans, following the principle of least privilege should help prevent threat actors from penetrating a system in the first place.
A Persian-language translation specialist could then advise on whether any of the satellite system server logs contain text that, when rendered in English, reads like common backdoor terminology or code.
Given the ever-present insider threat that social engineering creates, phishing remains a primary route for attackers into any network or system. As Iranian social engineering attempts against Israel and the U.S. have spiked against the backdrop of the Israel-Hamas war, aerospace organizations should remain vigilant toward emails and other forms of communication with geopolitical themes. These communications might be composed in English, Hebrew, or another language spoken in a country seen as supportive of Israel and might focus on the Israel-Hamas war or similar political themes. If a user opens the message and clicks a malicious link or downloads a malicious executable within it, a backdoor could be installed on the corresponding device or system. An example might be an email composed using terms such as “war” (Hebrew: מלחמה, milkhama) or even “negotiation” (Farsi: مذاکره, mezakereh), pertaining to negotiations surrounding nuclear and political themes to put forth a false sense of diplomatic intentions.
Messages can be checked for spoofed sender addresses by comparing the domain in the header From field against the domain in the Return-Path (the envelope sender). A mismatch alone is not proof of spoofing, since mailing lists and bulk-mail relays legitimately send with a different Return-Path, so analysts should also read the receiving mail server’s Authentication-Results header for the SPF, DKIM and, above all, DMARC verdicts, which tie the From domain to those checks. Where the domains do not match or authentication fails, analysts should use open-source tools alongside device and network logs to investigate any other instances of the domain names and email addresses observed in the Return-Path, with emphasis on Farsi words or other potential ties to Iran. Phishing should be suspected all the more when it runs parallel to other potential attacks against satellite systems, such as DDoS attacks, which attackers sometimes use to distract security analysts from penetration by other means.
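The checks just described, the From versus Return-Path comparison read together with the mail server’s authentication results, plus the Persian-script search that the earlier paragraphs propose for server logs and for code under review, as an added example in Python using only the standard library (this is not the article’s own code). The two messages, the log lines, every domain and the Authentication-Results values are constructed for illustration; the header itself is the RFC 8601 format a receiving mail server writes, which the example assumes is present.

```python
"""Added example, not the article's own code: e-mail and log triage for the
indicators the text describes. All messages, domains and log lines are
constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr

# Persian is written in Arabic script; these Unicode blocks cover its letters
# and the presentation forms that some extraction tools emit.
ARABIC_SCRIPT = re.compile(
    r"[\u0600-\u06FF\u0750-\u077F\u08A0-\u08FF\uFB50-\uFDFF\uFE70-\uFEFF]+"
)

# Constructed sample: a bulk relay is the envelope sender, the From claims a
# think tank, and the receiving MTA recorded a DMARC failure for that domain.
SAMPLE_EMAIL = """\
Return-Path: <bounce@newsletter-relay.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=newsletter-relay.example.net; dkim=none; dmarc=fail header.from=example-thinktank.org
From: Policy Desk <briefings@example-thinktank.org>
To: analyst@example-aerospace.example
Subject: Update on the nuclear negotiation timeline
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Colleagues, ahead of tomorrow's session on the war (מלחמה) please review
the position paper on the negotiation (مذاکره) timeline.
""".encode("utf-8")

# Constructed benign counterpart: the same kind of mismatch (a mailing-list
# relay as envelope sender) but every authentication result passes.
SAMPLE_LIST_EMAIL = """\
Return-Path: <listbounce@lists.example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=lists.example.org; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
From: Jane Doe <jane@partner.example>
To: ops-discuss@lists.example.org
Subject: Minutes from the ground-segment review
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Minutes attached; corrections by Friday please.
""".encode("utf-8")

# Constructed server log lines; line 2 carries a Persian comment ("support").
SAMPLE_LOG_LINES = [
    "2024-01-29T03:14:07Z telemetry-gw: session 4412 opened by ops_user",
    "2024-01-29T03:14:09Z telemetry-gw: cmd upload from 10.0.8.21 comment='پشتیبانی'",
    "2024-01-29T03:14:12Z telemetry-gw: session 4412 closed",
]


def persian_script_runs(text):
    """Maximal runs of Arabic-script characters found in text."""
    return ARABIC_SCRIPT.findall(text)


def header_domain(value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    addr = parseaddr(str(value or ""))[1]
    return addr.rpartition("@")[2].lower()


def authentication_failed(msg):
    """True when Authentication-Results records an spf, dkim or dmarc failure."""
    return any(
        re.search(r"\b(?:spf|dkim|dmarc)=fail\b", str(hdr))
        for hdr in msg.get_all("Authentication-Results", [])
    )


def triage_message(raw_bytes):
    """Return the indicators for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_domain = header_domain(msg["From"])
    return_path_domain = header_domain(msg["Return-Path"])
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    result = {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "domain_mismatch": from_domain != return_path_domain,
        "auth_failed": authentication_failed(msg),
        "persian_runs": persian_script_runs(str(msg["Subject"] or "") + "\n" + text),
    }
    # A mismatch alone is routine for lists and bulk relays; it becomes a
    # spoofing indicator only when the authentication results fail as well.
    result["suspicious"] = (
        result["domain_mismatch"] and result["auth_failed"]
    ) or bool(result["persian_runs"])
    return result


def scan_text_lines(lines):
    """(1-based line number, Persian-script runs) for every line containing any.

    Works the same over server log lines and over source files under review."""
    hits = []
    for n, line in enumerate(lines, 1):
        runs = persian_script_runs(line)
        if runs:
            hits.append((n, runs))
    return hits
```

The benign list message shows why the caveat matters: its From and Return-Path domains differ just as the spoofed one’s do, but with SPF, DKIM and DMARC all passing it is not flagged. The same `scan_text_lines` that picks the Persian comment out of the constructed log can be pointed at a source tree during the code reviews the text recommends.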
When watching for possible infiltration tactics, defenders should look out for a wide range of techniques, possibly used simultaneously and against multiple geopolitical targets. In the case of Iran during the Israel-Hamas war, threats against both government and private satellite systems pose the twofold danger of obscuring the monitoring of Iranian nuclear capabilities and of cutting targets off from, or depriving them of, their own data.