
On Friday, June 13, the Israeli Defense Forces launched a series of preemptive kinetic and drone strikes against Iranian military assets and nuclear facilities. Shortly after the Israeli kinetic strikes, cyber activities started to skyrocket. Dozens of pro-Iranian and pro-Israeli hacktivist groups, some of which are believed to be state-directed or state-supported actors, took to social media claiming to have conducted numerous cyber operations to weaken the two belligerents. Hacktivist groups have also taken sides in this war. Notably, even pro-Palestinian, pro-Russian and pro-Pakistani groups have sided with pro-Iranian groups online, blurring the lines between different geopolitical conflicts.

Among the numerous targets, the space sector is a privileged one for hacktivists. Based on open-source analysis across hundreds of Telegram channels, 67 cyber operations targeting space companies and space systems, including military ones, were claimed by threat actors in less than 15 days.

At least 22 different space entities were allegedly targeted, with most attacks affecting Israeli satellite operators including Elbit Systems and Rafael. Most attacks were distributed denial of service (DDoS) against company websites, which did not disrupt the functioning of any actual space systems.

[This column was published exclusively for Space Security Sentinel, a new cyber newsletter from the teams at Via Satellite and CyberSat.]

As of this writing, the most active hacktivist group is a pro-Palestinian (and pro-Iranian) group called “Mr.Hamza,” which had already been targeting the Israeli space sector in the context of the war in Gaza. Mr.Hamza conducted 23 DDoS attacks against websites of Israeli, British, and American space companies, including Israel Aerospace Industries, Kratos Defense and Security, and Orbit Communications Systems. Information from check-host, which is a tool for checking the availability of websites, corroborates these claims.

Hacktivist group “GhostSec” has claimed to have hacked into ten very small aperture terminals (VSATs) belonging to the Israeli Defense Forces. It is unknown whether the attack actually occurred, as GhostSec did not explain how it supposedly hacked these two-way satellite ground systems. GhostSec is, however, not new to targeting the space sector: it previously claimed to have targeted GNSS receivers in Russia in the context of the Russo-Ukrainian war, and in Israel in the context of the Israel/Palestinian conflict.

On June 15, pro-Iranian group “LulzSec Black” claimed to have targeted IP addresses related to Israeli air and sea navigation systems. It is likely that online portals providing access to navigation data were rendered inaccessible. However, it does not seem that actual navigation systems were impacted.

On June 16, pro-Iranian group “Cyber Unit 89” claimed to have accessed data about Israel’s defense infrastructure and released several screenshots of what looks like lines of code about GPS-guided Israeli missile systems. It is unclear whether the data is legitimate.

On June 18, pro-Palestinian (and pro-Iranian) group “WeAreRootSec” was selling 13 access credentials to the online portal of Israeli company Rafael. The group shared a list of Rafael email addresses and usernames directly on Telegram. It is unknown whether the credentials are legitimate and whether credentials were sold to anyone.

Space, Cyber and Information Warfare

Some of the earliest supposed DDoS attacks amidst this war coincided with a major outage at Google that was caused by multiple layers of flawed recent updates. The outage disrupted dozens of third-party services, including Cloudflare and Shopify, which rendered many other websites inaccessible. Amidst this major outage, it is difficult to determine whether certain sites were unreachable because of the outage or because of a successful DDoS attack.

Pro-Israeli social media channels have also begun to contest the claims of pro-Iranian groups, including alleged cyber operations that affected Israeli space companies. Both sides seem to attempt to undermine the perceived cyber capabilities of the other side. Assessing the veracity of information is difficult and all claims should be taken with great caution.

Attacking satellite TV feeds has become yet another front in the escalating information war. On June 19, Iranian state television was hijacked with anti-regime footage and calls for popular uprising. A logo of Operation Rising Lion was spotted on the footage. The Iranian broadcaster confirmed that the incident was due to satellite signal interference from Israel.

Moreover, on June 13, the Iranian Ministry of Communications announced that it restricted access to the internet across the country, likely in an attempt to reduce the attack surface for incoming cyberattacks and prevent citizens from accessing information. According to Cloudflare Radar and internet monitoring company Netblocks, a significant reduction in internet traffic in Iran has been observed since June 17. Internet disruptions on gateways and via virtual private networks have also been reported by users in Iran. Given these connectivity issues, satellite communications will likely become an increasingly used alternative for Iranian citizens the longer this war lasts.

On June 14, Elon Musk confirmed on X that Starlink was currently operational in Iran. Since 2022, Starlink has been active in Iran without government permission, which already led to an official complaint filed by the Iranian government to the International Telecommunication Union. Although Starlink’s use is not widespread in Iran, around 800 Starlink terminals are believed to have been smuggled into Iran after the anti-government protests in 2022.

Unilad Tech notes that according to industry analysts, “approximately 20,000 Starlink terminals are already operating in Iran through black market channels.” While no threat actor seems to have yet targeted Starlink itself, the news of Starlink being operational in Iran has been picked up in numerous hacktivist channels. Elon’s post on X was praised by pro-Israel accounts and lamented by pro-Iranian ones. It seems probable that Starlink might become a target for pro-Iranian hacktivists and state actors alike.

Beyond information warfare, cognitive warfare is in full swing. Dutch media outlet Volkskrant reported that the Iranian government was panicking over the security of its communications and instructed officials to stop relying on terrestrial networks. Iranian armed forces are reportedly looking to procure Chinese satellite phones such as Huawei’s Mate 60 Pro, which can rely on China’s Tiantong-1 satellite. Fifty Chinese devices were allegedly already delivered via Pakistan. This rush may lead pro-Israeli actors to target Chinese space systems, making the conflict more global. It is also conceivable that Israeli intelligence agencies may try to pose as Chinese satellite phone vendors, in a way similar to how they infiltrated the supply chain of Hezbollah’s pagers.

Analysis

The surge in cyber activities amidst the Israel-Iran war shows that each geopolitical crisis will inevitably also lead to a rise in malicious cyber activities against the space sector. In the past few years, about 170 cyber operations were conducted against the space sector in the context of the war in Ukraine and 135 operations in the context of the Israel/Palestinian conflict. Last month, when a crisis erupted between India and Pakistan, several cyber incidents also impacted the space sector.

The spike in malicious cyber activity amidst the outbreak of an armed conflict is useful background noise to cloak more sophisticated cyber operations. Massive DDoS attacks against the IT environment of a space company might be aimed at overwhelming incident responders to prevent them from focusing on system intrusions elsewhere in their network. In addition, hacktivists and cyber criminals are naturally opportunistic and have recycled old data leaks by making them appear as new ones. With companies having to spend time and resources to investigate these claims, especially in countries that have mandatory reporting mechanisms for cyber incidents and data breaches, this can create increased background noise and opportunities for state actors to successfully run their cyber operations.

Overall, satellites in orbit do not seem to have been impacted by any of the cyber activity currently happening in the Israel-Iran war. The impact on the space sector remains relatively limited at the moment. However, it is still too early in the crisis to grasp the full scope of ongoing cyber activities. Both Iran and Israel have significant cyber capabilities, raising concerns that the situation could worsen for the space sector. This includes not only the Israeli and Iranian space industries, but also those of other nations, which often become collateral targets of campaigns due to their governments’ perceived stance in a conflict. Threat actors, which previously targeted Iranian and Israeli critical infrastructures such as railway systems, power grids, or water management facilities, have re-emerged in the past week and may be capable of targeting space systems.

Although Israel and Iran agreed to a ceasefire on Monday, June 23, cyber activity persisted.


Clémence Poirier is a Senior Cyber Defense Researcher for the Center for Security Studies (CSS) at ETH Zurich, based in Switzerland. She is the author of the report, “Hacking the Cosmos: Cyber Operations Against the Space Sector.”
