CISA, FBI Warn Critical Infrastructure of SATCOM Cyber Threats

March 23, 2022 - The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory to warn critical infrastructure organizations of cyber risks associated with satellite communication (SATCOM) networks.

Entities across all sectors, including healthcare, use SATCOM networks for voice and data communication. CISA and the FBI urged SATCOM network providers and customers to remain vigilant against SATCOM cyberattacks, which could disrupt network environments.

In late February, hackers targeted SATCOM provider Viasat and disrupted network access across Ukraine. The attack coincided with Russia’s initial invasion of Ukraine, Reuters reported. Viasat is also a defense contractor for the US and some of its allies and is used across US critical infrastructure.

“Given the current geopolitical situation, CISA’s Shields Up initiative requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity,” the advisory stated.

CISA and the FBI recommended that SATCOM providers and customers use multifactor authentication, enforce the principle of least privilege, and review trust relationships with IT service providers. The advisory noted that threat actors often exploit trusted relationships between providers and their customers to access data.

Organizations should also monitor network logs, implement robust vulnerability management and patching practices, and maintain a cyber incident response plan.

The SATCOM advisory arrived just a few days after CISA and the FBI warned organizations of Russian state-sponsored threat actors who exploited multifactor authentication protocols and then used a known software vulnerability called PrintNightmare to exploit networks.

As geopolitical tensions rise, CISA is encouraging all US entities to stay on high alert.

“CISA recommends all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets,” the agency’s Shield’s Up warning stated.

The American Hospital Association (AHA) echoed CISA’s Shield’s Up warning in February, noting that hospitals and health systems could find themselves in danger of increased cyberattacks.

Specifically, AHA identified three concerns for the healthcare sector regarding increased Russian-borne cyber threats:

1. hospitals and health systems may be targeted directly by Russian-sponsored cyber actors;
2. hospitals and health systems may become incidental victims of, or collateral damage to, Russian-deployed malware or destructive ransomware that inadvertently penetrates U.S. health care entities; and
3. a cyberattack could disrupt hospitals’ mission-critical service providers.

CISA and the FBI also recently warned organizations about HermeticWiper and WhisperGate malware, two destructive malware variants that have been used to target organizations in Ukraine.

HHS’ Health Sector Cybersecurity Coordination Center (HC3) encouraged healthcare organizations to remain on high alert due to the destructive nature of HermeticWiper malware. Threat actors deployed HermeticWiper malware against systems in Latvia, Lithuania, and Ukraine hours before Russia’s invasion of Ukraine.

“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data,” CISA’s advisory stated.

“Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.”