Russians can hijack satellites in order to launch cyberattacks, documents show

Russian intelligence services have been capable of hijacking satellite signals to launch stealthy cyberattacks since at least 2013.
Photo by US strategic command - CC0

Russian intelligence services have been capable of hijacking satellite signals to launch stealthy cyberattacks since at least 2013, according to a newly published cache of classified documents belonging to Canada’s Communications Security Establishment and obtained by The Intercept.

Because the innovative hacking technique is believed to be limited to a small number of operators, the revelation highlights the Kremlin’s longstanding effort to develop highly sophisticated cyber-espionage capabilities on par with other world powers.

The Intercept shared these sensitive documents in a story Wednesday, which sought to disprove U.S. President Donald Trump’s assertion that Russian hackers are so skilled that they cannot be tracked or accurately attributed — an opinion that was also recently voiced by Russian President Vladimir Putin.

In part, The Intercept’s story underlines how a series of simplistic but critical operational security mistakes by a skilled hacking group, codenamed MakersMark or Turla, eventually allowed Canadian intelligence officials to uncover their operation. But the leaked documents also provide a rare window into one of Russia’s cutting-edge spying tools.


Turla group is believed to associated with Russian intelligence services, based on a previous analysis conducted by U.S. cybersecurity firm FireEye.

Matthew Hickey, a cybersecurity expert and the co-founder of Hacker House, said the classified material illustrated that the Turla group “could run an exploit on an internet connected computer [and] … control it via satellite links” by ” intercept[ing] the downlink of an existing satcom provider and then spoofing packets as though they are the originator.”

Active and passive use of satellite technology to remotely route malicious computer commands to a targeted devices was publicly demonstrated in 2015, based on previous research conducted by cybersecurity firms Kaspersky Lab and Symantec. But the new findings show it was likely done prior to that date.

For a country to successfully execute this sort of cyberattack it would require a knowledgable operator equipped with a speciality antenna, receiver and possibly an amplifier, to access the satellite’s downlink channel — thereby allowing a hacker to leverage it as a command and control server. Using a satellite as a proxy makes attribution difficult because the hacker could be located anywhere within the spot beam of a satellite, which for some systems could mean a third of the planet, explained Hickey.


At the moment, while this technique offers a great degree of stealth it also costs about $1,000 to launch and remains “slow,” said Hickey, who previously developed a proof-of-concept attack that made use of Amateur radio satellites to deliver computer code.

“It is a slow [method], that’s not useful for stealing huge amounts of data,” said Hickey. By employing this capability, the attacker would sacrifice the speed they would be used to. Exfiltrating gigabytes of data would be cumbersome because of the high latency connections issue, which cause a delay in packets being sent and/or received via the satellite. And even if the attacker were to use a commercial satellite operator and data plan it could “start to get expensive in terms of bandwidth … a few 100mb can cost a few $100’s a time,” said Hickey.

While unique and creative in nature, the technique is probably useless for most hackers, today.

“There really is only one or two groups of people on the planet who would need such highly stealth communication capabilities and they most likely have connections to signals intelligence agencies of their home countries,” said Hickey. “Signals intelligence and exploiting communication systems is the bread and butter of intelligence agencies, this kind of thing will have been used for years very secretly. Its highly covert. But slow.”

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts