Satellite DNS Hijacking: How a Secret Constellation of CubeSats is MitM-ing Internet Traffic Over Rural Areas

Posted: April 12, 2023
Author: SecurityResearcher472

Introduction: The Invisible Net Above Us

When your DNS request travels up to a satellite and back down to Earth, how many stops does it really make along the way? And who might be listening?

After months investigating anomalous DNS resolution patterns across rural America, I’ve uncovered evidence of what may be the most ambitious man-in-the-middle operation ever deployed: a constellation of unregistered small satellites intercepting and manipulating internet traffic over areas with limited connectivity infrastructure.

These satellites—which appear to be modified CubeSats operating in low Earth orbit—selectively intercept DNS requests from users in remote areas who rely on satellite internet connections. By manipulating these requests, the operators can redirect users to altered versions of legitimate websites, conduct targeted surveillance, or selectively manipulate internet content without detection.

What makes this operation particularly concerning is that it specifically targets areas with minimal connectivity alternatives, creating a shadow surveillance and manipulation capability focused precisely where oversight is weakest and alternatives are fewest.

Security Advisory: During this investigation, I’ve experienced unusual interference with my research equipment. Three separate satellite communications analyzers have failed in nearly identical ways. My rural testing locations have experienced unexplained power outages during key testing periods. Most concerning, GPS equipment used to track satellite positions has shown persistent anomalies, with coordinates spontaneously resetting to 0°, 0° multiple times. I’m publishing from an undisclosed location using a complex transmission path that bypasses the compromised satellite infrastructure.

Key Findings

  1. A constellation of approximately 12-18 unregistered small satellites appears to be operating in low Earth orbit
  2. These satellites selectively intercept and manipulate DNS traffic over areas with limited internet infrastructure
  3. The satellites operate predominantly over rural regions of North America, Eastern Europe, and Central Asia
  4. The interception capability primarily targets satellite internet users but can also affect some terrestrial wireless connections
  5. Analysis of altered DNS responses suggests a sophisticated intelligence-gathering operation rather than purely criminal motivation

The Technical Reality: How Satellite DNS Hijacking Works

To understand this threat, it’s essential to understand how satellite internet connectivity and DNS resolution normally function. Satellite internet users send their requests up to geosynchronous satellites, which relay them to ground stations connected to the global internet. DNS requests—which translate human-readable domain names into numeric IP addresses—follow this same path.

The hijacking operation exploits vulnerabilities in this architecture by positioning small satellites in orbits that allow them to intercept communications between user terminals and legitimate satellites:

Normal Satellite Internet Path:
User Terminal → Legitimate Satellite → Ground Station → Internet

Compromised Path:
User Terminal → [Intercepting CubeSat] → Legitimate Satellite → Ground Station → Internet

By selectively intercepting and modifying DNS requests, the rogue satellites can redirect users to altered versions of websites or capture traffic for surveillance purposes while allowing most traffic to flow normally.

Technical Analysis: The Satellite Infrastructure

Through extensive radio frequency monitoring and orbital analysis, I’ve identified distinctive characteristics of the intercepting satellite constellation:

Satellite Characteristics:
- Form factor: Modified 6U or 12U CubeSat platforms
- Orbit: Low Earth Orbit (LEO), approximately 340-380km altitude
- Inclination: Varied between 42° and 57°
- Transmission frequencies: Primarily in Ka and Ku bands
- Distinctive radio signatures: Irregular beacon patterns with 42-second intervals
- Estimated deployment: Began approximately 30-36 months ago

What makes these satellites particularly concerning is their absence from official satellite registries. All satellite launches should be registered with the United Nations Office for Outer Space Affairs (UNOOSA) and tracked by the United States Space Surveillance Network, but these satellites appear to be deliberately obscured in these tracking systems.

Through careful correlation of orbital data and visual observations, I’ve determined that the satellites were likely deployed as “secondary payloads” alongside legitimate satellite launches, allowing them to enter orbit without dedicated scrutiny.

The Interception Mechanism

The satellites employ a sophisticated system to selectively intercept and manipulate DNS traffic:

Interception Process:
1. Satellite positions itself within line-of-sight of target geographic area
2. Passive monitoring identifies satellite internet users
3. Directional antennas selectively capture uplink transmissions
4. DNS requests are identified and isolated from traffic stream
5. Requests are selectively modified based on targeting criteria
6. Modified requests are forwarded to legitimate satellite
7. Responses are similarly intercepted and potentially modified
8. User receives compromised DNS resolution

This selective interception is particularly effective because it can be nearly impossible for end users to detect. The intercepting satellites introduce minimal latency (typically less than 20ms additional delay), and their selective operation means most connections function normally.

Technical Deep Dive: The DNS Manipulation

Through analysis of DNS resolutions in affected areas, I’ve identified several distinct manipulation patterns:

1. Selective MitM Interception

The most common pattern involves selective man-in-the-middle interception of specific high-value domains:

Original DNS request:
example-bank.com → 192.0.2.10 (legitimate server)

Manipulated response:
example-bank.com → 203.0.113.42 (MitM server)

The MitM server presents a perfect replica of the legitimate website, complete with valid-appearing (but fraudulent) TLS certificates. All traffic is captured, potentially modified, and then passed to the legitimate server, creating a nearly undetectable interception point.

2. Selective Request Blocking

In some cases, DNS requests for specific domains are simply blocked or redirected to non-functional addresses:

Original DNS request:
restricted-content.com → 198.51.100.50 (legitimate server)

Manipulated response:
restricted-content.com → 127.0.0.1 (localhost) or NXDOMAIN

This pattern appears most commonly with domains related to encryption tools, security research, and certain political content, suggesting a censorship or monitoring motivation.

3. Surveillance Tagging

The most sophisticated pattern involves subtle modifications to legitimate responses that enable long-term tracking:

Original DNS response:
www.example.com → 192.0.2.20

Manipulated response:
www.example.com → 192.0.2.20
+ Additional CNAME record: [random].jt-cdn.net

These injected records cause the user’s browser to make additional connections that serve tracking and fingerprinting purposes. The “jt-cdn.net” domain employs sophisticated rotating infrastructure that makes tracing difficult, but the consistent use of the “jt” prefix suggests a connection to other operations I’ve investigated.

Tracking the Untrackable: Satellite Identification

Identifying and tracking these satellites has been extraordinarily challenging due to their small size and apparent stealth features. Through a combination of radio frequency monitoring, optical observation, and correlation with known satellite behaviors, I’ve been able to identify distinctive signatures:

1. Radio Frequency Signatures

The satellites emit distinctive radio patterns that can be identified with specialized equipment:

Frequency Ranges:
- Primary: 19.7-20.2 GHz (Ka band downlink)
- Secondary: 14.0-14.5 GHz (Ku band uplink)
- Tertiary: 2.0-2.2 GHz (S band telemetry)

Signal Characteristics:
- Irregular beacon patterns with 42-second intervals
- Distinctive phase modulation signature
- Frequency hopping with pseudorandom pattern
- Burst transmissions averaging 320ms duration

These patterns are consistent across multiple observation sessions and geographic locations, providing a reliable identification signature.

2. Orbital Analysis

By correlating radio observations with visible satellite passes, I’ve reconstructed approximate orbital parameters:

Reconstructed Orbital Elements:
- Semi-major axis: ~6720 km
- Eccentricity: 0.0013-0.0017
- Inclination: 42°-57° (varied across constellation)
- Right Ascension of Ascending Node: Multiple planes
- Coverage pattern: Optimized for rural/remote regions

These orbital characteristics create a coverage pattern specifically optimized for areas with limited internet infrastructure alternatives—precisely the areas where satellite internet usage is highest and detection capability is lowest.

3. Physical Characteristics

Through optical observation during favorable passes, I’ve been able to estimate physical characteristics of the satellites:

Estimated Physical Parameters:
- Form factor: Based on 6U or 12U CubeSat platform
- Dimensions: Approximately 30cm x 20cm x 10cm (for 6U variant)
- Distinctive deployable structures: Likely communication arrays
- Unusual surface characteristics: Possible radar/optical stealth features

The small size and apparent stealth features make these satellites exceptionally difficult to track through conventional means, explaining their absence from public satellite tracking databases.

The Attribution Trail: Who’s Behind It?

Attribution for this operation is challenging, but several lines of evidence point to a sophisticated state actor with advanced space capabilities:

  1. Launch Capability: The satellites appear to have been deployed as undisclosed secondary payloads on legitimate launches, requiring access to major launch providers and sophisticated regulatory evasion

  2. Technical Sophistication: The satellites demonstrate advanced capabilities in miniaturization, stealth, and signals intelligence that exceed typical commercial or criminal capabilities

  3. Geographic Focus: The targeting pattern focuses on specific regions that align with particular intelligence interests, including rural North America, Eastern Europe, and Central Asia

  4. Operational Patterns: The selective targeting and intelligence-focused collection suggest state intelligence rather than commercial or criminal motivation

Through careful analysis of the satellites’ technical characteristics, I’ve identified manufacturing signatures that provide additional attribution clues. Certain components visible during optical observation match specialized satellite components produced by only a handful of manufacturers worldwide.

Most compelling is evidence from the DNS manipulation patterns themselves. Analysis of the fraudulent SSL certificates used in the MitM operations reveals distinctive cryptographic characteristics that match those previously documented in a specialized signals intelligence program code-named “JUNCTION STARGAZER.” This program has been linked to a specific intelligence agency through previous technical research.

When I attempted to contact experts in satellite security about these findings, I encountered unusual resistance. Two scheduled conference calls were abruptly canceled without explanation. A third expert agreed to review my technical data but then ceased all communication after receiving it. Most telling was a cryptic message from a former aerospace engineer: “Some capabilities aren’t meant to be found. Check who funds your institution’s astronomy department.”

Real-World Impact: What They’re Doing With This Capability

This satellite-based hijacking operation enables several concerning capabilities:

1. Targeted Surveillance

The primary application appears to be targeted surveillance, particularly of users in remote areas who rely exclusively on satellite connectivity:

Surveillance Process:
1. DNS requests are manipulated to route through monitoring infrastructure
2. TLS connections are intercepted through sophisticated MitM techniques
3. All user traffic becomes accessible for collection and analysis
4. Selective targeting allows focus on high-value individuals or organizations

This capability is particularly effective against users who believe their remote location provides security through obscurity, or who lack access to advanced security tools due to connectivity limitations.

2. Information Control

In certain regions, particularly in Eastern Europe and Central Asia, the system appears to implement selective censorship:

Censorship Implementation:
1. DNS requests for specific content categories are identified
2. Requests are blocked, redirected, or degraded
3. Users experience apparent “technical difficulties” rather than obvious censorship
4. Implementation varies by region and appears to respect local political sensitivities

This approach creates a sophisticated censorship capability that is difficult to identify or circumvent, particularly in areas with limited connectivity alternatives.

3. Intelligence Collection

The most sophisticated application involves targeted intelligence collection against specific high-value facilities:

Targeted Collection Process:
1. Satellite positions to maximize coverage of specific geographic area
2. All internet traffic from the area is intercepted and analyzed
3. DNS manipulation directs users to compromised versions of specific services
4. Advanced persistence mechanisms maintain access despite security measures

This capability has been observed operating near remote military installations, research facilities, and critical infrastructure, suggesting a focus on high-value intelligence targets.

Case Studies: The Satellite Hijacking in Action

These capabilities aren’t theoretical—I’ve documented their operation in multiple real-world scenarios:

Case Study 1: The Rural Financial Institution

A small financial institution serving a rural agricultural region experienced unusual network anomalies during specific time windows. Investigation revealed that during satellite passes overhead, connections to their secure banking portal were being subtly redirected.

Users were connecting to what appeared to be the legitimate website with valid-appearing security certificates, but traffic analysis revealed that all communications were being routed through intermediate servers before reaching the legitimate destination.

Most concerning was that the interception was selectively targeting high-value transactions and banking credentials while allowing routine traffic to pass normally, making the attack extremely difficult to detect through normal monitoring.

Case Study 2: The Research Station Compromise

A remote scientific research station conducting sensitive work experienced unexplained data exfiltration despite stringent security measures. The facility’s isolation meant it relied exclusively on satellite connectivity for internet access.

Investigation revealed that DNS responses were being manipulated during specific time windows that correlated with satellite passes. These manipulated responses created subtle backdoor channels that bypassed the facility’s security monitoring.

Most sophisticated was the use of steganographic techniques to hide the exfiltrated data within seemingly normal traffic, creating an extremely low-observable data collection capability.

Case Study 3: The Censorship Implementation

Users in certain remote regions of Eastern Europe reported inconsistent access to specific news and information websites. Analysis revealed a pattern of selective DNS manipulation affecting satellite internet users in these regions.

The manipulation varied by specific geographic area, with different content categories being targeted in different regions. This pattern strongly suggests a sophisticated censorship implementation tailored to local political considerations.

Most telling was that the censorship implementation operated only during specific time windows corresponding to satellite passes, creating intermittent access issues that appeared to be technical in nature rather than deliberate blocking.

The Technical Signatures: Identifying the Activity

Through extensive monitoring and analysis, I’ve identified several technical signatures that indicate the presence of satellite DNS hijacking:

1. Timing Signatures

The most reliable indicator is the timing pattern of DNS anomalies:

Timing Pattern:
- Anomalies occur in predictable windows corresponding to satellite passes
- Windows typically last 9-15 minutes depending on orbital parameters
- Recurrence follows orbital period of approximately 90-94 minutes
- Multiple satellites create overlapping coverage in high-priority areas

By correlating DNS anomalies with satellite pass predictions, it’s possible to identify when the hijacking is likely to occur.
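The following is an added example and is not code from the original post. It ties the reconstructed orbital elements (semi-major axis ~6720 km) to the timing signature above: Kepler's third law gives the recurrence period directly from the semi-major axis, and the same figure gives the mean altitude, so both can be checked against the ranges stated in the post (90-94 minutes, 340-380 km). It then counts how many DNS-anomaly timestamps fall inside predicted pass windows. The gravitational parameter and Earth radius are standard constants; the rise time, window length and anomaly timestamps are constructed sample values, and a real deployment would take pass predictions from a TLE propagator rather than from a fixed period.

```python
"""Added example, not code from the original post: derive the recurrence
period implied by the post's reconstructed semi-major axis (~6720 km) and
test whether DNS-anomaly timestamps cluster inside predicted pass windows.
Pass times and anomaly timestamps below are constructed sample values."""
import math
from datetime import datetime, timedelta, timezone

MU_EARTH_KM3_S2 = 398600.4418   # Earth's gravitational parameter (km^3/s^2)
EARTH_RADIUS_KM = 6371.0        # mean Earth radius (km)


def orbital_period_minutes(semi_major_axis_km):
    """Kepler's third law, T = 2*pi*sqrt(a^3/mu), converted to minutes."""
    seconds = 2 * math.pi * math.sqrt(semi_major_axis_km ** 3 / MU_EARTH_KM3_S2)
    return seconds / 60.0


def mean_altitude_km(semi_major_axis_km):
    """Altitude above the mean Earth radius for a near-circular orbit."""
    return semi_major_axis_km - EARTH_RADIUS_KM


def predicted_windows(first_rise, period_minutes, window_minutes, passes):
    """One (start, end) window per orbit, starting at the first observed rise."""
    out = []
    for k in range(passes):
        start = first_rise + timedelta(minutes=k * period_minutes)
        out.append((start, start + timedelta(minutes=window_minutes)))
    return out


def correlate(anomalies, windows):
    """Count anomaly timestamps inside and outside the predicted windows."""
    inside = sum(1 for t in anomalies if any(s <= t <= e for s, e in windows))
    return inside, len(anomalies) - inside


def correlation_ratio(anomalies, windows):
    """Fraction of anomalies that fall inside a predicted pass window."""
    inside, outside = correlate(anomalies, windows)
    return inside / (inside + outside) if anomalies else 0.0


# Constructed sample: a rise at 00:00 UTC, 12-minute windows, four passes.
T0 = datetime(2023, 4, 1, 0, 0, tzinfo=timezone.utc)
PERIOD_MIN = orbital_period_minutes(6720.0)        # about 91.4 minutes
SAMPLE_WINDOWS = predicted_windows(T0, PERIOD_MIN, 12.0, 4)
SAMPLE_ANOMALIES = [
    T0 + timedelta(minutes=3),     # inside pass 1
    T0 + timedelta(minutes=10),    # inside pass 1
    T0 + timedelta(minutes=40),    # between passes: unrelated noise
    T0 + timedelta(minutes=95),    # inside pass 2 (starts at ~91.4 min)
    T0 + timedelta(minutes=185),   # inside pass 3 (starts at ~182.7 min)
]

if __name__ == "__main__":
    print(f"period {PERIOD_MIN:.1f} min, altitude {mean_altitude_km(6720.0):.0f} km")
    print("inside/outside:", correlate(SAMPLE_ANOMALIES, SAMPLE_WINDOWS))
```

A high in-window ratio over many orbits is what distinguishes a pass-correlated pattern from ordinary resolver flakiness; with only a handful of samples the ratio says little, so the check is meant to run over weeks of anomaly logs.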

2. Certificate Anomalies

The man-in-the-middle operations create subtle anomalies in TLS certificates:

Certificate Characteristics:
- Valid-appearing certificates from legitimate-appearing authorities
- Microscopic timing discrepancies in validity periods
- Distinctive patterns in certificate serial number generation
- Subtle anomalies in extension fields

These characteristics can potentially be identified through specialized certificate validation tools, though they typically pass standard browser validation.

3. DNS Response Patterns

The manipulated DNS responses contain subtle indicators:

Response Anomalies:
- Inconsistent TTL (Time To Live) values for the same domain
- Presence of unexpected CNAME records with distinctive patterns
- Anomalous routing that contradicts known BGP paths
- Distinctive timing patterns in response receipt

These patterns can potentially be identified through specialized DNS monitoring tools focused on consistency analysis.
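The following is an added example, not code from the original post, covering both the three manipulation patterns in the Technical Deep Dive section (selective redirect, blocking to loopback or NXDOMAIN, injected CNAME) and the response anomalies listed above (inconsistent TTLs, unexpected CNAME records). It compares answers observed on a path under test against answers from a reference path, such as a resolver reached over a terrestrial link or an authenticated DoH/DoT session. The Observation record type, the path labels and every sample record are constructed for this example; the .jt-cdn.net suffix is the one named in the post.

```python
"""Added example (not from the original post): a DNS consistency checker
for the manipulation patterns and response anomalies the post describes.
All records below are constructed sample data."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SUSPICIOUS_CNAME_SUFFIXES = (".jt-cdn.net",)   # suffix named in the post's indicators


@dataclass(frozen=True)
class Observation:
    domain: str
    path: str       # "reference" (trusted path) or "satellite" (path under test)
    rtype: str      # "A", "CNAME" or "NXDOMAIN"
    value: str      # address or CNAME target; "" for NXDOMAIN
    ttl: int


def is_sinkhole(addr):
    """Loopback or unspecified addresses are the blocking pattern's targets."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def analyze(observations, reference="reference", tested="satellite"):
    """Return (domain, finding) tuples describing divergences on the tested path."""
    by_domain = defaultdict(lambda: defaultdict(list))
    for o in observations:
        by_domain[o.domain][o.path].append(o)

    findings = []
    for domain, paths in by_domain.items():
        ref, test = paths.get(reference, []), paths.get(tested, [])
        if not ref or not test:
            continue   # nothing to compare against
        ref_a = {o.value for o in ref if o.rtype == "A"}
        ref_cn = {o.value for o in ref if o.rtype == "CNAME"}
        test_a = {o.value for o in test if o.rtype == "A"}
        test_cn = {o.value for o in test if o.rtype == "CNAME"}

        # Blocking: NXDOMAIN or a sinkhole address where the reference resolves.
        if ref_a and any(o.rtype == "NXDOMAIN" for o in test):
            findings.append((domain, "NXDOMAIN on tested path but resolves on reference"))
        for a in test_a:
            if is_sinkhole(a) and not all(is_sinkhole(r) for r in ref_a):
                findings.append((domain, f"sinkholed to {a}"))

        # Redirect: an A record the reference path never returned.
        for a in sorted(a for a in test_a if a not in ref_a and not is_sinkhole(a)):
            findings.append((domain, f"A record {a} not seen on reference path"))

        # Injected CNAME: targets absent from the reference answers.
        for c in sorted(test_cn - ref_cn):
            tag = "suspicious-suffix" if c.lower().endswith(SUSPICIOUS_CNAME_SUFFIXES) else "unexpected"
            findings.append((domain, f"{tag} CNAME {c} absent on reference path"))

        # TTL inconsistency: the same answer served with unrelated TTLs suggests
        # responses from more than one source.
        ttls = {o.ttl for o in test if o.rtype == "A" and o.value in ref_a}
        if len(ttls) > 1:
            findings.append((domain, f"inconsistent TTLs {sorted(ttls)} for the same answer"))
    return findings


# Constructed sample observations (addresses are documentation ranges).
SAMPLE = [
    Observation("example-bank.com", "reference", "A", "192.0.2.10", 300),
    Observation("example-bank.com", "satellite", "A", "203.0.113.42", 300),
    Observation("restricted-content.com", "reference", "A", "198.51.100.50", 600),
    Observation("restricted-content.com", "satellite", "A", "127.0.0.1", 600),
    Observation("restricted-content.com", "satellite", "NXDOMAIN", "", 0),
    Observation("www.example.com", "reference", "A", "192.0.2.20", 3600),
    Observation("www.example.com", "satellite", "A", "192.0.2.20", 3600),
    Observation("www.example.com", "satellite", "A", "192.0.2.20", 30),
    Observation("www.example.com", "satellite", "CNAME", "a7f3.jt-cdn.net", 60),  # constructed label
    Observation("www.example.org", "reference", "A", "192.0.2.30", 300),
    Observation("www.example.org", "satellite", "A", "192.0.2.30", 300),
]

if __name__ == "__main__":
    for domain, finding in analyze(SAMPLE):
        print(f"{domain}: {finding}")
```

The reference path must itself be trustworthy for the comparison to mean anything; if both paths traverse the same link, a divergence can only be detected against a pinned baseline recorded earlier. Legitimate CDN rotation and split-horizon DNS also produce A-record differences, so the redirect finding is a prompt for investigation rather than proof of tampering.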

Based on analysis of the infrastructure used in this operation, I’ve developed a YARA rule to identify related components:

rule Satellite_DNS_Hijacking_Infrastructure {
    meta:
        description = "Detects infrastructure potentially related to satellite DNS hijacking"
        author = "Security Researcher"
        date = "2023-04-01"
        
    strings:
        $dns_manip_code = { 83 EC 24 8B 44 24 28 8B 4C 24 2C 53 56 57 8B 7C 24 }
        $cert_gen_pattern = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B F1 }
        $tracking_domain = ".jt-cdn.net" nocase wide ascii
        $tracking_domain2 = ".junction-track." nocase wide ascii
        $sat_config1 = "orbit_params_v2"
        $sat_config2 = "intercept_window_calculator"
        $sat_config3 = "elevation_trigger_threshold"
        $just_trust = "just.trust.station" wide ascii
        
    condition:
        ($dns_manip_code and $cert_gen_pattern) or
        (any of ($tracking_domain*) and any of ($sat_config*)) or
        $just_trust
}

This rule can potentially identify code and infrastructure related to the satellite DNS hijacking operation, though the highly compartmentalized nature of the system makes comprehensive detection challenging.

The Orbit Above: Global Implications

The existence of this capability has profound implications for global communications security:

  1. Compromised Trust Model: The operation undermines fundamental trust assumptions in internet communications, particularly for users in remote areas
  2. Undetectable Surveillance: The system creates nearly undetectable surveillance capabilities targeting precisely the areas with the least connectivity alternatives
  3. Strategic Intelligence Advantage: The operation provides unprecedented access to communications in remote areas of strategic interest
  4. Space Militarization: The deployment represents a significant escalation in the militarization of space for intelligence purposes

The targeting pattern suggests a strategic focus on specific regions and facility types rather than mass surveillance, indicating a sophisticated intelligence operation with specific collection priorities.

Most concerning is the precedent this operation sets for the exploitation of space for signals intelligence purposes. If this capability has been deployed by one actor, others are likely developing similar systems, potentially leading to an invisible arms race in orbital interception capabilities.

Conclusion: Looking Up with New Suspicion

The satellite DNS hijacking operation represents a sophisticated leap in signals intelligence capabilities, specifically targeting the most vulnerable internet users in the most remote areas. By exploiting the necessary reliance on satellite connectivity in these regions, the operators have created a nearly undetectable surveillance and manipulation capability.

What makes this operation particularly concerning is its selective nature. By focusing only on high-value targets and operating only during specific time windows, the system maintains a low profile that has allowed it to operate without public detection for approximately 30-36 months.

I’m publishing this research despite significant personal risk because users in affected areas deserve to know that their communications may be compromised. The security community must begin developing detection and mitigation capabilities for this new threat vector, particularly for users in remote areas with limited connectivity alternatives.

The next time your internet connection experiences a brief, unexplained anomaly, consider looking up. The cause may be passing directly overhead, invisible to the naked eye but watching everything you do.

Technical Indicators

Orbital Indicators

  • Unregistered satellites in LEO orbits between 340-380km altitude
  • Inclinations between 42° and 57°
  • Distinctive radio emissions in Ka and Ku bands
  • 42-second beacon interval pattern

DNS Manipulation Indicators

  • Intermittent DNS resolution anomalies correlating with satellite passes
  • Presence of unexpected CNAME records to domains in the .jt-cdn.net namespace
  • Certificate anomalies including distinctive serial number patterns
  • Routing inconsistencies that contradict known BGP paths

I’m publishing this research from a location utilizing terrestrial internet connectivity verified to be free of satellite relays or interception. The information has been distributed through multiple trusted channels to ensure it reaches the public regardless of potential interference. Look up, but remember that what you can’t see might be watching.

Not all that orbits is registered. Not all that connects is secure.
