This session, presented by Clemence Poirier from the Center for Security Studies (CSS) at ETH Zürich, analyzed a real-world incident involving the disruption of the BabyTV channel. The presentation explored whether the incident constituted a cyberattack or electronic warfare, examining the technical details, broader context, and resulting implications.
What Happened to BabyTV?
On March 28, 2024, the typical cartoon programming on the BabyTV channel was unexpectedly replaced by Russian nationalist content, specifically Oleg Gazmanov’s “Go, Russia!” music video featuring military imagery. The disruption occurred again on April 17, 2024, lasting for 13 minutes. This time, the broadcast experience varied by country, with some receiving both altered sound and images, while others saw only the images without sound.
Subscribers in the Netherlands, Portugal, Belgium, and Sweden were confirmed to be affected, with likely impact in other European nations as well. Specific distributors carrying the BabyTV feed, such as Dutch operator Ziggo and Ukrainian operator Espresso TV, experienced the disruption.
Was it a Cyberattack?
Initial news reports following the March incident widely characterized it as a sophisticated cyberattack targeting a Eutelsat satellite. However, Eutelsat later clarified to Portuguese media in April that the disruption was caused by radiofrequency interference, not a direct cyberattack on their satellite infrastructure.
Cyber vs. Electronic Warfare
Understanding the distinction between these two domains is crucial for accurate analysis:
- Electronic Warfare (EW): Uses the radiofrequency spectrum to interfere with satellite operations (e.g., jamming, spoofing). It is fundamentally based on Physics.
- Cyber Operations (in Space): Employs software and network techniques to interfere with or control space systems, including ground stations, satellite command links, and data links. It is fundamentally based on Computer Science.
Why the Confusion?
Several factors contribute to the common mischaracterization of incidents like the BabyTV disruption. Technical misunderstandings often lead to the broad application of terms like “hacking,” obscuring the specific methods used. Historical reasons play a role, as traditional espionage and interference techniques predate the digital era. Furthermore, the increasing digitalization of space systems blurs the lines, as modern satellites rely heavily on digital components.
Theoretically, the observed effect on BabyTV could be achieved through purely cyber means, purely electronic means, or a combination. EW often requires a reconnaissance phase to gather technical details (frequencies, power levels, ground station locations). This reconnaissance could involve cyber techniques (like OSINT, network probing, or ground system compromise), even if the final disruptive effect is achieved electronically.
Context and Hypotheses (February-March 2024)
Events leading up to the BabyTV incident provided context. On February 19, 2024, the broadcast feed of the Ukrainian channel EspressoTV was hijacked (method unclear) to display anti-Ukrainian footage. While no satellite targeting was reported, the effect resembled the later BabyTV disruption, possibly serving as reconnaissance.
Two main hypotheses were considered regarding the source of interference:
- Hypothesis 1: Luch Olymp 2 RPO: A Russian satellite (Luch Olymp 2), known for Rendezvous Proximity Operations (RPO) involving close approaches for potential eavesdropping or inspection, was operating near a Eutelsat satellite between January and March 2024. However, no direct evidence linked this satellite’s activities to the BabyTV jamming.
- Hypothesis 2: Ground Station Interference: Russia possesses an extensive network of ground stations used by its intelligence services (GRU and FSB) to intercept satellite communications. The GRU’s “Zvezda” network has reportedly been repurposed for electronic warfare. While initially unclear, technical data later indicated the involvement of such ground stations.
The Attacks Detailed (March 28 & April 17)
On March 28, the BabyTV broadcast on Eutelsat was hijacked via uplink jamming, displaying Russian propaganda. Simultaneously, multiple Ukrainian channels broadcasting via an SES satellite also experienced interference attributed to jamming.
On April 17, the BabyTV signal on Eutelsat was jammed again for 13 minutes. Concurrently, the Ukrainian channel Freedom TV, also on Eutelsat, had its content replaced due to similar jamming interference.
Co-location and Accidental Targeting
Analysis revealed that in early 2024, BabyTV was broadcast on the exact same frequency via Eutelsat as four Ukrainian channels (Dlia Ciebie, Espresso TV, Freedom, Dim). This co-location highlights the potential for satellite broadcasters like BabyTV to become accidental targets or suffer collateral damage during EW operations aimed at other channels using the same frequency or originating from nearby orbital slots.
Diplomatic and Regulatory Response (ITU Complaint)
Following the incidents, diplomatic and regulatory actions ensued. Between April and May 2024, France contacted Russia regarding the interference affecting Eutelsat. Russia acknowledged receipt but denied any interfering emissions originated from its territory.
In June 2024, France, Luxembourg, Sweden, the Netherlands, and Ukraine jointly filed a formal complaint with the International Telecommunication Union (ITU) concerning harmful interference. During the ITU Radio Regulations Board (RRB) meeting in August 2024, France (representing Eutelsat) presented technical data identifying the interference source as large ground stations located in Moscow, Kaliningrad, and Pavlovka, Russia. Russia submitted a delayed counter-complaint about interference affecting its own satellites but failed to provide technical data or use the standard ITU reporting system, leading an RRB member to suggest it was a retaliatory filing triggered by the geolocating evidence presented by the complainants.
Aftermath (October 2024)
The Dutch National Cyber Center later assessed the BabyTV incident as likely collateral damage stemming from EW operations targeting Ukrainian channels. They also considered it potentially a rehearsal for interference during the Paris Olympics. As a mitigation measure, BabyTV’s broadcast configuration was subsequently changed (different frequency, symbol rate, FEC) to avoid overlap with the targeted Ukrainian channels.
Frameworks for Analysis
Analyzing such complex incidents benefits from structured frameworks:
- ESA SPACE-SHIELD: The European Space Agency’s framework mapping space attack tactics and countermeasures.
- Aerospace Corporation SPARTA: The Space Attack Research & Tactic Analysis framework, offering a detailed matrix of tactics and techniques across various attack phases.
SPARTA Analysis of the BabyTV Incident
Applying the SPARTA framework provides a structured view of the likely stages and techniques involved in the BabyTV incident:
| Phase | Tactic | Technique (Sub-technique) | Explanation Applied to BabyTV |
|---|---|---|---|
| Reconnaissance | Gather Spacecraft Communications Information | Communications Equipment (REC-0003.01) | Identify target frequency (Eutelsat/BabyTV/Ukrainian channels), modulation, symbol rate, FEC. |
| Commanding Details (REC-0003.02) | Identify satellite location in orbit. | ||
| (Potential) | EspressoTV attack (Feb 18) could represent prior reconnaissance/testing. | ||
| Resource Dev. | Acquire Infrastructure | Ground Station Equipment (RD-0001.01) | Utilize existing large ground stations (Moscow, Kaliningrad, Pavlovka) capable of transmitting interfering signals. |
| Initial Access | (Implied) Compromise Ground System | (Low Confidence) | Assumed access/control over the interfering ground stations by the attacker. |
| Execution | Jamming | Uplink Jamming (EX-0016.01) | Transmit interfering signals on the target uplink frequency to disrupt the legitimate broadcast signal received by the satellite. |
| Impact | Disruption / Denial / Degradation | Denial (or Misdirection) (IMP-0001.01 / IMP-0001.02) | Denial of original BabyTV broadcast; Replacement with propaganda. |
| Side-Channel Attack (?) (IMP-0007) | SES/Eutelsat satellites impacted. Cable operators (Ziggo, EspressoTV) impacted. Subscribers affected. Specific TV channels affected. |
This analysis underscores that while the impact was broadcast disruption, the identified method was Electronic Warfare (specifically uplink jamming) originating from identified Russian ground stations. This was likely preceded by a reconnaissance phase potentially involving OSINT or other cyber-related techniques to gather necessary technical parameters for the EW operation.
(For more details, refer to the full article by Clemence Poirier on the ETH CSS website.)
Next: 07 Space Cybersecurity, OT Security, and Final Insights