xorl %eax, %eax

Passive collection of satellite traffic for threat intelligence


At Black Hat USA 2020 there was an interesting talk, "Whispers Among the Stars: A Practical Look at Perpetrating (and Preventing) Satellite Eavesdropping Attacks", which touched on a cyber intelligence collection method that became popular in the early 2010s.

In October 2020 I published an educational video showing how DFS, Japan’s military signals intelligence agency, was taking its first steps in exactly this space. That is, using traditional SIGINT (eavesdropping on satellite broadcasts) to detect cyber threats. Japan’s DFS did this in close collaboration with the NSA, since their satellite SIGINT stations were operated jointly by both agencies. I published that video because it was a unique opportunity to see the early stages (in 2011-2013) of a SIGINT agency using their skillset and resources to adapt to the rising domain of cyber threats. This is a photo of the MALLARD station in Japan, which was (is?) jointly operated by DFS and NSA for satellite SIGINT collection.



And the following slide (this is from my reconstruction of the slide deck) shows the process that DFS was following to take advantage of this new intelligence source. To simplify this for the average reader: think of J6 as your cybersecurity department, DFS as your threat intelligence team(s), CIRO as the leadership of your threat intelligence team(s), MOD as your company’s leadership, and SIGINT collection as eavesdropping on internet traffic from satellites that are broadcasting it back to earth.



One challenge that DFS faced back then was not knowing which communication satellites/frequencies/channels to monitor (NSA was helping by providing details on that). Another was that handling the amount of broadcast data in near real time meant that their processing and storage requirements skyrocketed. Nowadays, a further challenge would be that some parts of the internet (like web traffic) are mostly encrypted. Still, this Black Hat USA talk surfaced an interesting question that I’m sure threat intelligence companies will be considering: why not replicate in the private sector what signals intelligence agencies have been doing for more than a decade now?

By that I mean monitoring/receiving satellite broadcasts (AKA passive SIGINT collection) and looking for indicators and warnings of cyber operations – e.g. C2 traffic, spear-phishing campaigns, exploitation of certain vulnerabilities, etc. Now, this brings a ton of ethical and legal considerations, such as: Is it illegal if you are just “listening”? Most email traffic is still unencrypted, so is it the same as people talking in the public domain? What happens if you start processing sensitive personal information?

On the technical side, there are also some interesting challenges and opportunities, such as: Would there be a need for a private sector XKeyscore utility for “selectors”, or will industry-used technologies like Sigma rules and YARA cover those needs? Also, some cloud providers now offer satellite ground stations as a service. Does this mean that setting up a global SIGINT collection network is trivial, or is there still a need for company-owned resources?

In any case, I find it interesting that the private sector is catching up on this, and I’m very curious to see what this is going to bring to the threat intelligence industry.

Written by xorl

January 26, 2021 at 12:36
