Was Starlink hacked in Ukraine? Interview with Volodymyr Stepanets, the Initiative “Narodnyi Starlink”

We interviewed the founder of the “Narodnyi Starlink” initiative, Mr Volodymyr Stepanets. “Narodnyi Starlink” is a transcription of the project's Ukrainian name, which can be roughly translated into English as “People’s Starlink”. The project refurbishes, adapts, repairs, and provides technical support for SpaceX's Starlink satellite communication terminals, and also procures and upgrades them, for the needs of the Armed Forces of Ukraine and other defenders of Ukraine. Mr Stepanets commented on a recently published report by the SSU (Security Service of Ukraine) that mentions a hacker attack on Starlink, and shared information about the first Starlink handbook for military users.

September 7, 2023

Mr Stepanets, could you please tell us about your initiative: how did it all start, and what is your current focus?

At the beginning of the invasion, I, like many other volunteers, was deeply involved in various activities aimed at finding effective ways to help Ukraine's defenders and refugees. I had a significant background in volunteering dating back to the 2014 invasion, which provided me with some ability to anticipate the situation. I realized that my contribution should leverage my expertise. Currently, I am a Senior Systems Architect with over 35 years of experience, a Microsoft Certified Trainer since 2004, and I have achieved positive results in previous volunteer projects involving the implementation of IT technologies for military use.

Shortly before the russian invasion, I became interested in Elon Musk's innovation - Starlink satellite communication. Initially, I saw it as a convenient solution for staying connected while traveling. However, I also recognized the critical importance of reliable communication for the military, based on my previous experiences with satellite communication solutions like Viasat and others. These communication tools had successfully countered cyber threats during the early stages of the invasion.

So, I started by personally purchasing the first sets of Starlink equipment and began learning how to use and deploy them on the frontlines. I managed to establish contact with SpaceX's management and obtained permission to buy an unlimited quantity as an individual, which came at a lower price than for organizations. This also provided an opportunity to address certain issues with SpaceX in the interests of the Ukrainian Armed Forces.

The next steps involved extensive procurement, logistics, distribution, and complementing the equipment with other necessary components. There were numerous questions from both the military personnel and technical experts. I conducted research and provided answers. It was like daily blackbox reverse engineering. I began creating manuals and conducting seminars, both open and closed, for the military personnel, and started building a Knowledge Base to support them. I even authored the first guide for an educational course.

In reality, I had to juggle multiple tasks simultaneously, from finding alternatives to cardboard boxes for transporting equipment and manufacturing tactical cases for special forces to diagnostics, repairs, educational materials, and support. We also had to develop various solutions for modifications and engage in deep reverse engineering. I found like-minded individuals, and a strong team began to take shape.

We built up the support services for Starlink within the Ukrainian Armed Forces, the State Border Guard Service, and other defense structures. Currently, our team mainly works in the areas of education, support, repair, equipment modification and adaptation, incident prediction and response, and cybersecurity improvement. To achieve all of this, we had to develop our own software and even some almost SaaS solutions. It can be incredibly challenging, but we are doing what almost no one else on the planet is doing. This is also inspiring when fatigue sets in.

All of this work is still done on a volunteer basis, while each of us has other jobs that have never been put on hold. It's not easy, but over the past year and a half, we have not stopped once.

How large is your team?

If we're talking about the core team, it may be less than ten people. I'm sorry, but for security reasons, I can't provide an exact number. However, if we consider all the volunteers involved in our projects, there are definitely dozens, if not more, of individuals contributing to various engineering and administrative tasks.

“Narodnyi Starlink” is also a community, both open and closed. For example, the “Narodnyi Starlink” Facebook group is visited by around 130,000 people every month, although the number of registered members is about ten times less. Military personnel are understandably less inclined to actively register in public communities. We have closed, non-public communities, including partner groups, with various numbers of members, ranging from tens to thousands of people.

Recently, the Security Service of Ukraine (SSU) published a report detailing an attempt by hackers to access data from a Starlink terminal. Could you explain from a technical perspective what this is all about?

Yes, this is the first documented case in history of malware specifically created to retrieve all available data from Starlink terminals. The SSU published the corresponding report on August 8, 2023.

The malware itself, referred to as "STL" as the fourth component among all documented in the technical report, essentially functions as a gRPC scanner attempting to read all available data from the service hosts of the Starlink terminal and Wi-Fi router on the local network. These service hosts currently have static IPv4 addresses: the terminal - and the router - Most of the data acquired in this way is of limited value to typical civilian attackers. However, if it's data from a communication device of a combat unit...

At present, the attackers may have gained access to the general configuration of the terminal, telemetry data, information about the Wi-Fi/LAN network (including SSID, BSSID, and MAC addresses of all router interfaces), and identifiers of network devices. In the case of active use by the terminal operator of the "Allow access to the local network" mode, which is not enabled by default, even the current geographic coordinates of the terminal may have been compromised. These are critically valuable pieces of intelligence in wartime.

Regarding the creation of the malware itself - from a technical standpoint, it's not a complex or particularly surprising step. There are already many open-source projects with even more sophisticated functionality. So, for the authors of this malware, it was relatively straightforward to develop and test the necessary code. Furthermore, the next step for hackers like these is likely to be the creation of code capable of actively interfering with the terminal's operation. Unfortunately, this is a very real threat at the moment - all functions that currently don't require user-authorized access, such as parking the phased array antenna, rebooting the router or terminal, etc., are at elevated risk of interference if access to the terminal's service host is not blocked at the network level.

In my personal opinion, SpaceX experts have understood for quite some time that the current design of their equipment has certain conceptual vulnerabilities. It's very challenging to create a completely secure device with such functionality while adhering to the principle of "it should work even for a layman and be unhackable". However, I have no doubt that SpaceX will find ways to improve the level of protection.

We informed the relevant experts on the Starlink team as soon as we received information about this incident. We also provided our recommendations for the most effective immediate steps to enhance security, as determined by our team. The Starlink team has quickly and effectively responded to our requests and suggestions on numerous occasions in the past year. Among these were highly effective measures to protect against enemy electronic warfare (EW) tools and valuable cybersecurity features for Ukrainian defenders. I'm confident that this time they will come up with a good and elegant solution to this "ground-based" problem.

I personally find it reassuring that when it comes to "airborne" (between the terminal and the satellite) and "space-based" (between satellites in the constellation) issues, the Starlink team has performed exceptionally well. They've truly developed an engineering marvel.

Do you plan to expand your activities to other countries, as satellite communication is gaining popularity, and your expertise could be useful to partner countries?

Our entire team is united by the desire to accelerate victory and liberate our country from the aggressor's forces. This is our goal, and it has no commercial component. However, we also understand that we have gained a high level of expertise in several areas, which could be valuable to other countries. Therefore, we are currently exploring various possibilities, including financing for our projects and activities.

For example, our team spends thousands of dollars of our own funds every month just on repairing terminals. Small donations from people are not always sufficient to cover the necessary budgets. Dealing with large donations and donors can be quite challenging these days, or perhaps we just aren't very skilled at soliciting donations. Therefore, we believe that monetizing our team's expertise is a viable and necessary step, and we have some ideas in that regard.

Recently, we made our Starlink handbook for military users publicly available in the Ukrainian language. Essentially, it's the world's first guidebook for Starlink, spanning nearly three hundred pages. We are already working on the next edition. Japanese, Romanian, and Polish armed forces have shown interest in Starlink technology, and there will be others. We are ready to consider proposals for publishing the handbook in different languages or adapting it to specific requirements if it helps improve funding for our volunteer projects and brings us closer to victory.

We also have our unique specialized software solutions for equipment diagnostics and user support. For instance, we've developed the first alternative diagnostic application for Starlink terminals, which is unique on the planet. I'm confident that such solutions will find utility in various places.

Lastly, we possess a unique and substantial experience in the military application of Starlink in modern warfare conditions. This could be highly valuable to the armies of Ukraine's partner countries, especially when dealing with a technologically advanced adversary armed with a multitude of electronic warfare, cyber capabilities, and potential that should not be underestimated.
