GhostSec Hackers Target Satellite Networks via GNSS Receivers

As space technology proliferates and the sophistication of cyber-attacks evolves, threat actors may be capable of exploiting vulnerabilities within the complex network of satellite systems to gain unauthorized access to satellite data, intercept or manipulate signals and disrupt communications.

Global Navigation Satellite Systems (GNSS) are a particularly vulnerable component of the satellite network as part of the ground segment. GNSS receivers are devices that receive and process signals from a constellation of satellites orbiting Earth to determine the receiver’s position, velocity and time. GNSS receivers are used in a wide range of applications, including navigation for ground, sea and air transportation, surveying and mapping, search and rescue operations and scientific research. There are many users, from military and government organizations to commercial businesses and private entities.

On March 14, 2023, a member of the hacktivist group tracked by the moniker “GhostSec” shared a tweet validating a reputed attack targeting a GNSS receiver. GhostSec is a provocative affiliate of the Anonymous group and has evolved in both its technical expertise and the severity and sophistication of its attacks. The group shared multiple images of the GNSS receiver as proof of its access to the network. Researchers at Cyble Research Intelligence Labs (CRIL) assessed that the systems shown could be “CTI operation and maintenance management software… a high-precision navigation technology that combines multiple satellite constellations including GPS and GLONASS.”

In early April 2023, @V_GhostSec, a user affiliated with GhostSec, posted additional claims on Twitter of destroying more GNSS receivers related to Russian and Israeli infrastructure. A post on Telegram’s blogging service Telegraph states, “We have hacked 11 different GNSS Satellite Receivers.” It goes on to claim that the group cleared up to 30 GB of data in each satellite.

If these claims from GhostSec are true, these attacks could have devastating consequences, as satellites rely on a complex system of terrestrial-based networks to receive commands and downlink information. These recent claims by GhostSec highlight the vulnerabilities of satellite networks, notably the access gateways, RTUs (Remote Terminal Units) and controllers that provide access to remote communication.

While it is difficult to define the impact of these specific attacks, the activity from GhostSec is indicative of a larger problem: the increased targeting of satellite networks via malicious cyber campaigns. Hacktivist groups such as GhostSec realize that disrupting satellite capabilities like GNSS can have a cascading impact, adversely affecting other areas of critical infrastructure.

Threat actors are also exploring new ways of targeting these networks by exploiting Industrial Control Systems (ICS). In January 2023, GhostSec publicly announced that they conducted the first successful hack of an RTU, a device commonly used in satellite communication. Additional analysis from SynSaber revealed that while the device in question was technically listed as an RTU, it was more accurately defined as a communication gateway, underscoring the novelty of the GhostSec claims, as we have seen recent exploits targeting VPN gateway technology, such as the Log4j vulnerability in VMware Unified Access Gateway (UAG).

Nevertheless, hacking groups like GhostSec are beginning to prioritize the targeting of Operational Technology (OT) and ICS environments over traditional enterprise IT environments. This targeting shift is especially important for the space industry, both military and commercial, as ground station and command and control (C2) networks rely on the remote communication capabilities provided by these devices.

Read more from Space ISAC.