Leveraging Proximity:
Why Special Operations Forces Physical Presence is the most underappreciated component of
the Cyber-Space-Sof triad
By Maj. Dalton Fuss, 18A NATO Special Operations-A
Read Time: < 8 mins
Space and cyber are two of the three elements of the triad that draw the most attention, but the critical role of
the last element—special operations forces’ (SOF) physical proximity—is commonly overlooked. An example
demonstrating the vital role of physical proximity is reflected in a Russian case study. An exposed intelligence
operation conducted by the Russian-speaking espionage organization, Turla Group, provides us with an
unclassified example of how SOF can utilize space-based assets to enhance the operational security of cyber
operations. This case study demonstrates that a small group of highly trained personnel can leverage their
physical location within a satellite’s coverage area to exploit space-based assets. By taking advantage of
unencrypted downlinks, Russian operatives were able to translate physical proximity into operational anonymity
for a separate intelligence operation that was conducted in cyberspace. We should examine this case study
closely to build upon these techniques and maximize the primary value proposition of SOF—the access and
placement of perpetually deployed elements.
How did the operations work?
Starting in 2007, cyber operatives from Turla Group began exploiting unencrypted downlinks from satellites.01 The Russian-speaking attackers
were operating within the coverage area of a satellite that was providing internet to ground-based computers
through an unencrypted downlink. The coverage area, or “footprint,” refers to the area on the Earth’s surface
that a satellite’s signal covers.02
By “listening” to downstream satellite traffic with a rudimentary antenna from within this footprint, the
attackers collected metadata on the computers involved.03 This action provided the attackers with the active IP addresses of those
computers relying on the satellite. The attackers reconfigured their own server to mimic these IP addresses and
trick the satellite into accepting the hacker’s computer as the legitimate user. This process is known as
“satlink hijacking.”04
Critically, the attackers did not access the legitimate user’s computer. Instead, they reconfigured their server
so that the satellite would perceive it as the legitimate computer, thereby creating a clone that also received
the information sent to the legitimate user. When the satellite sent data packets to the legitimate user’s IP
address, the attackers would also receive that information. After uncovering these active IP addresses within
the satellite’s footprint, Turla Group then configured their malware to transfer stolen data to these new IP
addresses.05
To spread this modified malware more efficiently, the Russians employed the worm called Agent.BTZ that has
historically been used to infect American and European government computers.06 In previous attacks, the worm quickly propagated
across entire networks and exfiltrated information to a separate network, a malicious code known as spyware.
Agent.BTZ was “not optimized for stealing data” with precision.07 The spyware lacked the sophistication required to determine high-value
information. To compensate for this shortfall, the malware exfiltrated mass amounts of information for later
processing
This malicious code was designed to clandestinely export data from the target network and then routed through
satellites to IP addresses that were employing unencrypted downlinks for internet access—a Wi-Fi café in the
Central African Republic, for example.08 Agent.BTZ commanded the infected computer to send the files to a
seldom-used or unopened port on the receiving end, which ensured that the legitimate user’s computer did not
notify the user of the inbound traffic.09
Russian operatives that were in the satellite’s footprint, cloned the legitimate user’s IP address, so they, too,
would receive the stolen data without being detected.10 To further hide their trail, they often used satellite internet
connection providers located in countries like Afghanistan, Lebanon, Libya, Niger, Somalia, and Zambia, which
helped hide the location of their command-and-control servers and avoid attribution.11
The Russian-speaking espionage organization hoped that no one would discover the malware. But, if the code were
uncovered, forensic analysts attempting to reveal the perpetrator would only be able to track it to legitimate
users employing satellite-based internet, not the Russian-speaking operatives.
After the operation, investigators obtained a sample of Agent.BTZ from a government computer. Digital forensic
analysts at the Moscow-based Kaspersky Labs dissected this malware through dynamic analysis in an isolated
environment. Fortunately, because the operatives employed poor tradecraft and reused the same techniques and
procedures from previous operations, Kaspersky Labs concluded that Turla Group was responsible for this attack.
Analysts recognized programming patterns that were consistent with Turla Group’s previous attacks. Even with
this information, investigators were unable to identify the exact location of the attacker’s servers. All they
knew for sure was that the attackers were operating somewhere within the satellite’s footprint.
Exploiting the adversary: what can we steal from the russians?
Detailed lessons from this operation need to be discussed through classified channels. However, at the
unclassified level, it is possible to identify ways to leverage physical proximity to create options for
decision-makers and generate dilemmas for adversaries.
How the attacks worked:
Attackers operate within the coverage area of a satellite that provides internet to ground-based computers
through an unencrypted downlink. The coverage area, or “footprint,” refers to the area on the Earth’s surface
that a satellite’s signal covers. By “listening” to downstream satellite traffic with a rudimentary antenna from
within this footprint, the attackers collected metadata on the computers involved. This action provided the
attackers with the active IP addresses of those computers relying on the satellite. The attackers reconfigured
their own server to mimic these IP addresses and trick the satellite into accepting the hacker’s computer as the
legitimate user. This process is known as “satlink hijacking.
Emphasize how the physical proximity can enhance SOF’s role in the triad in courses like
the army's space cadre basic course.
Classified case studies in this course should demonstrate how space assets can support SOF in semi-permissive or
denied environments. For example, multidomain operations require SOF to operate in areas where the
electromagnetic spectrum is contested and vulnerable. In this environment, space assets can obfuscate the exact
location of the SOF element in the same way that the Turla attackers could remain hidden anywhere within a
satellite’s footprint. In the same way, a SOF unit could receive unencrypted messages from anywhere within a
satellite’s footprint
Within army special operations forces, increase the number of billets for the army cadre
additional skill identifier.
The Turla Group only has a small number of qualified attackers with the technical skills needed to conduct the
attacks described above. SOF must ensure that it has enough qualified personnel to perform these tasks. At a
minimum, the special operations community should cultivate proficiency in space operations. Even a rudimentary
understanding of orbital mechanics, GPS constellations, and electromagnetic spectrum fundamentals will make SOF
personnel more effective by encouraging a more integrated approach to responding to threats. Courses like the
Army’s Space Cadre Basic Course provide overviews of these technical competencies. Commanders can
institutionalize the technical knowledge of space operations within their formations by coding these SOF
personnel billets as Space Cadre. This additional skill identifier can be designated at the O-6 (colonel) level
in coordination with the Army’s Space and Missile Defense Command. While this is a small step to building the
required skillset within SOF, this credential will encourage service members to attend the schools needed to
perform their assigned roles.
Send a special operations expert to lecture at space and cyber professional military
education courses to outline how SOF contributes to the triad operationally
Discussions about the triad frequently center on technical solutions and specialized devices that drive
operational outcomes without adequately emphasizing the human dimension. The United States Special Operations
Command (USSOCOM) should send lecturers to space and cyber professional military education courses to address
this gap. This program would allow SOF personnel to articulate their roles and responsibilities within the triad
explicitly. Enhanced comprehension regarding SOF’s role in irregular warfare, especially among space and cyber
experts, could significantly clarify how their contributions support SOF units in the field.
Conclusion
The Russian Turla group leveraged unencrypted satellite communications to obfuscate their location and intercept
critical data. This provides a clear example of how physical proximity within a satellite’s footprint can be
transformed into a tool for anonymity and operational security. This Russian operation also demonstrates the
potential for SOF to conduct similar operations with only basic equipment. SOF should replicate this capability
of hijacking satellite downlinks with equipment that reduces their digital signature, such as a locally sourced
laptop, a portable antenna, and necessary cables. Adopting this approach would necessitate a shift towards
greater autonomy and reliance on mission command principles, allowing SOF units to operate independently without
direct oversight or constant communication. This strategy would transform geographical location and satellite
proximity into operational assets, enhancing the effectiveness of the SOF-Space-Cyber Triad in national security
efforts. The strategy would suggest a leaner, more agile operational model that maximizes stealth and minimizes
detection risk.