Seriously Risky Business Newsletter

January 22, 2026

Srsly Risky Biz: You Can't Block Space Internet

Written by

Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. This week's edition is sponsored by SpecterOps.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Amid ongoing domestic unrest and a violent government crackdown in Iran, the country’s government imposed an internet blackout. This shutdown, which began on Thursday January 8, is still in effect at time of writing.

During the shutdown some Iranians have been using SpaceX's Starlink satellite service to connect with the outside world. According to the New York Times, this didn't happen by chance. It was the result of deliberate planning:

Since 2022, activists and civil society groups have worked on sneaking Starlink terminals into the country, aided by a US government sanctions exemption for Starlink and American companies to offer communication tools in Iran. About 50,000 of the terminals are now in Iran, according to digital activists, in defiance of an Iranian law passed last year that bans the systems, and rules prohibiting unlicensed services.  

Compared to domestic ISPs that the Iranian government can force to stop internet access, blocking Starlink is much more difficult. So far the government’s measures have included warnings to the public that possessing Starlink systems is a crime, using drones to find and confiscate terminals, and electronic jamming, possibly using Russian-provided equipment. In addition to jamming the frequencies Starlink operates on, GPS spoofers degrade the service, as terminals rely on accurate location information to direct their antennas correctly. The efforts have proven partly effective.

SpaceX has not publicly commented about its service being used in Iran, but it has waived subscriber fees for terminals in the country. Terminals in the country began working the day after President Donald Trump said he would talk to SpaceX CEO Elon Musk about restoring internet access to the country. 

Granting free internet access to Iranians is a good PR move. It is also consistent with SpaceX being reactive to political pressure. 

In the early days of Russia's invasion of Ukraine, SpaceX rolled out Starlink access to Ukraine following a Twitter exchange between Elon Musk and Mykhailo Fedorov, the country's then Minister of Digital Transformation. The company subsequently reined in Ukrainian use of its service after military forces used it to control offensive drones. Starlink had inadvertently become a legitimate military target.

Its services to Ukraine also resulted in SpaceX getting into a funding argy-bargy with the Pentagon over ongoing bandwidth costs. 

More recently, Starlink terminals have been used by scam compounds when domestic internet services have been cut. Instead of blocking terminals located within compounds, SpaceX allowed the problem to fester until a US Congressional committee announced that it was launching an investigation. Within the week, SpaceX announced it had "proactively disabled" 2,500 Starlink terminals near suspected compounds. 

It's not just SpaceX that implements policy on the run. The US government sanctions exemptions for Starlink terminals appear farsighted today. But these were actually a response to a previous round of protests and internet blackouts back in 2022. 

Starlink is super easy to ship and activate, so it is perfect for responding to emergencies (or political pressure). But when it comes to deliberate internet blackouts, there are new technologies coming online that provide a better solution, at least in some ways. But they are more complicated to roll out and require planning ahead.  

SpaceX now offers direct-to-cell services that provide satellite communications for regular LTE phones. AST SpaceMobile is building another direct-to-cell service.

Activists are already asking that direct-to-cell services be opened up to Iran. In some ways, this would be better than Starlink. It could be more widely accessible because a significant proportion of the population has compatible handsets. This would also make it harder for the government to jam access and track down any individual user.

Still, it's early days for that service. And while SpaceX controls all the infrastructure that runs Starlink, direct-to-cell is offered in conjunction with local operators. It's not as simple as one company flipping a single switch. 

In other words, enabling direct-to-cell will take time. 

Unfortunately it may be too late to fully assist with the crisis in Iran. But it will not be the last of its kind. When unrest arises, authoritarian governments regularly impose internet shutdowns. Rather than reactively responding to every crisis as it arises, perhaps it's time to plan for a future one.

Cyber Command Nominee's Flexible Reed Strategy

President Donald Trump's nominee to lead NSA and Cyber Command, General Joshua Rudd, appeared in front of the Senate for a confirmation hearing last week. To put it bluntly, he failed to impress.

For a start, Rudd simply doesn't have much experience in intelligence or cyber operations. Instead, he played up his role in IndoPacific Command as a "consumer and integrator" of intelligence and operational capabilities from NSA and Cyber Command. 

Still, a lack of direct experience can be forgiven. Much of a senior leader's role is managing upwards and outwards and dealing with the thorny bigger picture issues of the day. 

When it comes to NSA and Cyber Command, a list of these hot potato topics would include the current 'dual-hat' arrangement where a single officer leads both NSA and Cyber Command, Section 702 intelligence collection and protection of Americans' civil liberties, and the role of offensive cyber operations in deterring adversaries.

Unfortunately, when asked about these key issues, rather than projecting strong and informed views, Rudd's testimony suggested reed-like suppleness.

When it came to the dual-hat arrangement, Rudd said that he liked it from a consumer's perspective because it "fostered integration and speed". He said, however, he was aware of an independent study assessing the leadership arrangement. His responsibility, if confirmed, would be to "remain objective" and "ask continuously if that is the most effective way to lead those two organisations". 

The most telling exchange occurred when Senator Angus King, I-Maine, asked whether Rudd believed that NSA and Cyber Command should develop a public offensive cyber deterrent policy.

Rudd ducked the question, saying "I don't know if it's my role, if confirmed, to declare policy". He’s right, it isn't. But the head of Cyber Command should be able to speak sensibly about the pros and cons of such a key policy that directly affects the organisation. 

King excoriated Rudd for this answer. He questioned how someone nominated to be the "top cyber officer in the United States" could have no opinion about how the country's response to cyber attacks should be structured.

"Someone appointed to this position should have some familiarity and analysis and thinking about the position of this country in cyber." 

Rudd should absolutely have been prepared. His predecessor, General Timothy Haugh, was asked a very similar question by Senator King at his confirmation hearing. 

Of course, given that General Haugh was dismissed by President Trump at the urging of far-right conspiracy theorist Laura Loomer, we wonder if Rudd's 'flexible reed' approach is actually the best possible strategy given the circumstances. 

From a technical and policy experience point of view, Rudd may not be the best candidate to head NSA and Cyber Command. We hope his ability to survive and thrive within the Trump administration, where personality matters more than policy, makes up for that. 

Rudd has another confirmation hearing before the Senate intelligence committee next week.

We wonder if he'll prepare some cue cards this time.

Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:

Risky Business Podcasts

In this special documentary episode, Patrick Gray and Amberleigh Jack take a historical dive into hacking in the 1980s. Through the words of those that were there, they discuss life on the ARPANET, the 414s hacking group, the Morris Worm, the vibe inside the NSA and a parallel hunt for German hackers happening at a similar time to Cliff Stoll’s famous Cuckoo’s Egg story.

Three Reasons to Be Cheerful This Week:

  1. DDoS attack for the win: The Organized Crime and Corruption Reporting Project said late last week that it was "fighting a DDoS attack from highly resourced actors trying to make OCCRP’s reporting inaccessible". In our view, that indicates impactful reporting, so congratulations, achievement unlocked! 
  2. Tudou Guarantee marketplace shuts down: Blockchain analysis firm Elliptic reports the Telegram-based marketplace has "effectively ceased transactions through its public Telegram groups". Tudou was one of the massive criminal marketplaces that forms part of the Southeast Asian scamming ecosystem. It processed over USD$12 billion over time and sold money laundering services, stolen personal data, scam infrastructure and deepfakes. Elliptic reckons its closure is related to the collapse of the Prince Group. Last week's newsletter discussed the arrest of Prince Group CEO Chen Zhi. 
  3. FTC prohibits GM from giving up driver's data: The US Federal Trade Commission has issued an order prohibiting General Motors from "disclosing consumer's geolocation and driver behaviour to consumer reporting agencies". It's a five-year ban, after which GM will need to get affirmative express consent. But the order expires after 20 years, so then it's back to business as usual!

Sponsor Section

In this Risky Business sponsor interview, Tom Uren talks to Justin Kohler, Chief Product Officer at SpecterOps, about how attack paths exist in the seams between different identity or permissions management domains.

Shorts

Chinese SMS Blasters Arrested in Greece

Commsrisk reports how two Chinese nationals arrested in Greece had been driving around Athens with an SMS blaster sending phishing texts to all and sundry. Greece is the sixth European country to uncover car-based SMS blaster phishing. Other countries affected are France, Norway, the UK, Switzerland and Serbia. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last Between Two Nerds discussion, Tom Uren and The Grugq continue part II of their discussion about what it takes to be a cyber power and look at how countries leverage companies.

Or watch it on YouTube!

From Risky Bulletin:

Domain resurrection attacks come to Canonical's Snap Store: A threat actor is registering expired web domains in order to take over email servers, reset passwords on abandoned developer accounts, and publish malware on the Canonical Snap Store for Linux packages.

At least two developer accounts have been hijacked using this technique, also known as a domain resurrection attack, namely for Snap packages published using email addresses from storewise.tech and vagueentertainment.com.

According to Linux expert and former Canonical dev Alan Pope, the threat actor behind this campaign is a group he believes is located in Croatia.

Germany seeks more hacking and surveillance powers for its intel service: German lawmakers are working on a new law that will grant the country's intelligence agency new and extensive hacking and surveillance powers.

The primary intent of the new law is to free up the Bundesnachrichtendienst (BND) from relying on the US National Security Agency (NSA) for threat information and bring its interception capabilities on par with other European countries, such as France, Italy, the Netherlands, and the UK.

According to a draft of the new law obtained by German media, the BND will have the power to intercept full internet communications and not just metadata as it is allowed today.

DRAM price hikes set to impact firewalls too: The current price hikes and supply shortage of DRAM memory chips are expected to also impact firewall makers and the cybersecurity market.

DRAM is a crucial component for the manufacturing of modern next-gen firewalls, a staple in the cybersecurity defense of any major enterprise.

Investment advisory firm Wedbush says firewall companies will see thinner margins this year due to the rising DRAM costs. This will impact their bills of materials, with the extra costs being passed down to customers as product price increases. This will likely lead to lower sales, smaller profit margins, and weaker investor yields.
