Za Zhizn!

Za Zhizn! (За Жизнь!, styled Zа Жизнь! referencing the military symbol) was a Russian hacking group that hijacked satellite feeds of several television channels around Europe in March and April 2024, broadcasting pro-Russian propaganda, usually patriotic music videos of artists supporting Russia's stance on the war, as well as limited related content in later hackings. All of its hacks were detected by the authorities.

FreeDOM and Dim attack

Its first hijack was on March 17, 2024, hijacking FreeDOM, a channel broadcasting in Ukrainian and Russian, and its sister channel Dim, broadcasting entertainment content in Ukrainian. This only affected the Hot Bird feed, as the feeds on Astra 4A, cable, IPTV and OTT networks remained intact. This happened a few days after a DDoS attack hijacked FreeDOM's website. Za Zhizn's programming was seen on FreeDOM, while Dim was showing a blank screen.^[1]

BabyTV hijacks

Za Zhizn first attacked BabyTV's satellite feed housed on an Eutelsat satellite, at least two times, on March 28, 2024. The regular programming was interrupted to air pro-Kremlin videos, to be restored later. Portuguese newspaper Correio da Manhã reported that Eutelsat was targeted by a cyber attack, enabling the hijack.^[2] The video reportedly featured Russian president Vladimir Putin, footage of a bridge and a map of Russia.^[3] A second incident happened on April 17. Dutch providers Ziggo and KPN temporarily removed the channel while the satellite situation was being resolved, while Eutelsat moved BabyTV to a new transponder.^[4][5]

Mass Ukrainian attack

On April 17, Za Zhizn targeted the Hot Bird feeds of FreeDOM and Espreso, while at the same time conducting a mass hijack on Astra 4A. The targeted transponder was 11766 H, which, at the time housed 39 channels.^[6] On 4A, the main targets were the 1+1 Media multiplexes as well as news channel 24. FreeDOM was reportedly off air for half an hour from approximately 3pm Ukrainian time on Hot Bird, after which, its signal was restored.^[7]

StarLightMedia attack

Its final reported hijack was on April 24, targeting another Ukrainian media conglomerate, StarLightMedia. Its eight channels, all of which in HD, were carrying Tchaikovsky's Swan Lake ballet from 10:30am to 10:56am Ukraine time.^[8][9]

Investigation

NPO 2's Nieuwsuur made an in-depth investigation on the sabotage, especially concerning what happened to BabyTV in March and April 2024. Data from Ukrainian authorities and the ITU revealed that the goal from the hackers was to withdraw the signals of Ukrainian channels on Hot Bird 13G, and that ITU data confirmed that the hackers were from Moscow, Kaliningrad, Crimea (under Russian occupation) and Pavlovka. These attacks exposed the vulnerability of the satellites.^[10]