Hackers set off an alarm via Gazprom’s satellite

A false air raid alert that aired on a number of Russian TV channels on the morning of Tuesday, February 28, 2023, was caused by the interception of a signal from the Yamal-402 satellite, owned by the Gazprom Space Systems holding (part of the Gazprom group), a source among the partners of the hacked TV channels told Vedomosti. Two sources close to a major satellite television operator confirmed this.

Alarm messages with recommendations to immediately proceed to shelters appeared on the air of the TNT4, Subbota and 2×2 TV channels of the Gazprom-Media Entertainment Television holding (GPM RTV). The Ministry of Emergency Situations also confirmed the broadcast hacking incident on its Telegram channel.

A spokesman for GPM RTV told Vedomosti that the alarm message “is not true and appeared as a result of an attack on the infrastructure of a satellite operator,” but he did not give the name of this operator. “Such satellite attacks are becoming part of our daily routine,” the source said. “At the moment, our broadcast is operating as usual according to the broadcasting schedule.”

Shortly after the announcement of the false alarm, the GPM RTV TV channel distribution support department sent a letter to its partners saying that the false alarm was due to “signal substitution” on the Yamal-402 satellite, which broadcasts at 55 degrees east longitude, a source among GPM RTV partners told Vedomosti. “At the moment, the substitution has been eliminated, but there is a high risk of a repetition of sabotage,” said the letter, the text of which Vedomosti has read.

Information about problems in the broadcasting of the Yamal-402 satellite was confirmed to Vedomosti by two sources close to one of the major satellite TV operators.

“There was an interception of a signal from a satellite using a powerful antenna from the Earth,” one of the sources said. According to him, the antenna was located on the territory of Ukraine. Another interlocutor close to one of the major satellite operators objected that it is impossible to say unequivocally where exactly the interception came from: the satellite signal can be interrupted in this way from any point in the satellite's coverage area.

“The signal of the TV channels goes up to the satellite with certain technical parameters and power. At the same time, the satellite does not have the ability to identify from which point this signal is coming. Accordingly, if a third-party antenna is used to send a signal up to the satellite with the same parameters as the signal of the TV channels, but with greater power, then the signal may be substituted,” he said, explaining the principle of interception. According to him, with the proper level of technical work, such an impact on a particular satellite may be repeated in the future.

“Strictly speaking, this is not about interception, but about signal substitution,” Sergey Pekhterev, shareholder of the satellite communications operator AlegroSky, commented on the information. According to him, the satellite works like a mirror – it receives a signal from the Earth of a certain power and broadcasts it to the entire coverage area. The International Telecommunication Union (ITU) regulates the power of such signals so that they do not interfere with other radio services. “If the attackers give their own, more powerful signal, it will simply crush the signal that the television center transmits, and this more powerful signal will spread to the entire satellite coverage area,” the expert explained.

According to him, the signals of TV channels are encrypted for protection, but with varying degrees of encryption, which determines how difficult it is to replace their signal on the satellite. But such actions to change the signal are definitely possible in the future, the expert believes.

“To replace this signal, a large antenna with a powerful transmitter was used; teleports with such stations are located both in Russia and in neighboring countries,” he said when asked whether the Yamal-402 signal could have been substituted from the territory of Ukraine. According to information on the Gazprom Space Systems website, the Yamal-402 coverage area includes the territory of Russia, as well as partially Ukraine, Belarus, Finland and the Baltic countries.

In 2022, the media were among the top five most attacked structures, said Andrei Kurilo, information security adviser to FBK and FBK CyberSecurity. At the same time, information security (IS) requirements are traditionally poorly implemented at TV channels and radio stations, he noted. “There are practically no specialists directly responsible for the implementation of information security measures; they are performed by employees of IT departments, or even specialists who come in outsourcing mode,” Kurilo said.

Cyberattacks on the broadcast infrastructure most likely achieved their goal because of the lack of sufficient protection measures, agrees Mikhail Sergeev, lead engineer at CorpSoft24. Attacks on TV channels, he said, can be carried out in various ways. For example, attackers can exploit vulnerabilities in programs that are used to broadcast a signal, or attack network devices that control its transmission, he explained. Phishing or social engineering is also possible, in which an attacker gains access to the accounts of TV channel employees and uses them to hack the broadcast system, the expert said.

Experts interviewed by Vedomosti agree that these attacks are political in nature and linked to the special military operation in Ukraine. After attacks on media sites, attacks on TV channels and radio stations were only a matter of time, notes Anton Kuzmin, head of the Innostage CyberART cyberthreat center.

Society perceives such attacks painfully, since for many this is the main channel for obtaining information, added Alexey Novikov, director of the Positive Technologies security expert center. If organizations do not identify the causes and methods of penetration and do not control what is happening in their IT infrastructure, Russians will begin to regularly encounter inaccurate content in TV and radio broadcasting systems that will be difficult to distinguish from real content, Kuzmin believes.

Among the possible solutions to the problem is increased control over the cybersecurity of channels and radio stations by regulators, Sergeev said. In addition, TV channels and radio stations can use more advanced security methods such as intrusion detection systems (IDS), multi-factor authentication and security monitoring systems, he added.

Vedomosti sent a request to the Ministry of Digital Development.