We breached Russian satellite network, say pro-Ukraine partisans

Hackers claim to have penetrated Gonets, a Russian low Earth orbit (LEO) satellite communications network, deleting a database that is crucial to its functioning.

Pro-Ukrainian hacker group OneFist allegedly breached Russia’s LEO communication satellite system Gonets (“Messenger”). The system provides global communications coverage to clients in Russia and is often employed by users living in remote locations not covered by ground-based networks.

A member of OneFist, known as Thraxman, claims he successfully penetrated Gonets’ customer relationship management (CRM) system, discovering a misconfiguration that allowed him to access the satellite network as a legitimate user.

“I found a misconfiguration in their setup, which allowed us to enter just like any other account. We were able to access the view but not escalate our privileges and download the whole database,” Thraxman explained.

However, OneFist hackers found another way to damage the system when they realized Gonets was designed in a way that made the CRM system essential to its operations.

“If a customer sends a message through this satellite constellation, the database is checked to see if they have an active account, and they’re billed through it. Wipe all accounts from the database, and nothing can be sent,” Thraxman told Cybernews.

Military clients

The hackers claim that Gonets’ CRM database contained 97 client names. Even though the satellite network focuses its customer-facing website on commercial partnerships with fishing and logistics companies, it apparently also services state and military organizations.

“A lot of these companies do not acknowledge that they use the system. Approximately half of the users were missile or space technology related,” Thraxman said.

Cybernews has seen parts of the Gonets user list shared by the hackers. Several remote regional offices of Russia’s Federal Security Service (FSB) were apparently using the satellite system for communications.

Other users include Russia’s cruise- and anti-ship-missile maker, a military electronics manufacturer, and several other enterprises from the Russian military-industrial complex. The names of several commercial entities could also be seen.

Gonets’ operator, known as “Satellite System Gonets,” was set up to provide global satellite communications; its majority shareholder is Roscosmos, Russia’s space agency.

We reached out to Satellite System Gonets before publishing this article, but did not receive a reply before going to press.

Five days down

According to hackers behind the operation, the breach happened on September 28. Unable to download the database or escalate their privileges on the system, they decided to delete every entry in the CRM database manually.

“We didn’t have full permission, so we had to delete it all by hand – it was exhausting, despite having multiple people in the attack. But it had to be quick, as the admins were monitoring regularly,” the hacker explained.

The hackers claim to have completely destroyed the CRM database – which in effect should have meant registered clients could not access the system – but added that Gonets administrators restored access to it on October 4, almost a week after the attack.

It’s likely that during this interim they were looking for backups to restore the database and bring service back to users.

‘Poor cyber defenses’

Another hacker involved in the operation, Voltage, told Cybernews that the Gonets database was spread over several systems, leaving it vulnerable to attack.

While spreading a database across several systems is not unusual for a mobile communications provider, Gonets kept its CRM on the open internet without any protection or firewall.

Voltage pointed out that sensitive systems are typically not so easily accessed, adding that such an approach would be considered “madness” in Western countries.

“It speaks to how badly russian [sic] cyber defenses really are. The story is honestly about how much corruption has seeped into so many areas of the russian internet. They simply do not take the time to defend their systems in the way that even average security is done,” the hacker explained.

Flames of cyber war

The hackers behind the operation claim they are affiliated with Ukraine’s IT Army. If confirmed, the attack would be the latest in a string of hacks aimed at undermining Russian systems.

Competing hacktivist groups have launched numerous attacks since Russia invaded Ukraine on February 24, with Anonymous, IT Army, Hacker Forces, and many others targeting Russia’s state-owned enterprises and businesses.

Meanwhile, pro-Russian groups have carried out DDoS attacks against countries supporting Ukraine, and government websites in Finland, Italy, Romania, Germany, Norway, and Lithuania, as well as websites in Czechia, Latvia, and elsewhere, have come under cyber-fire.

According to the United Nations, the Russian invasion of Ukraine has created the “fastest-growing refugee crisis in Europe since World War II.” Over 12 million people have been displaced due to the conflict, in a nation of 44 million residents in peacetime.

Witness testimonies taken from Ukrainian towns occupied by Russian forces point to severe human rights violations and targeted lethal attacks against civilians. Reports of “gross and systematic violations and abuses of human rights” led to Russia being suspended from the UN Human Rights Council in April.

prefix 1 year ago
They should have instead changed database records, a little at a time, day by day. Assuming the intrusion wasn't detected, the old backups would roll off and get purged, leaving them with just corrupted data in their backups too.