Ukrainian Drones Used ArduPilot and 4G/LTE in Strategic Bomber Attack — Russian SORM Likely to Adapt Quickly

Reports indicate that the Ukrainian drones involved in the strike on Russian strategic bombers were controlled using ArduPilot over 4G/LTE communications. This suggests the use of cellular networks as a medium for long-range UAV control, leveraging the MAVLink protocol — a lightweight, widely adopted telemetry standard that remains unencrypted by default.

From a technical and counterintelligence perspective, this raises immediate red flags for Russian internal security services, particularly the FSB. It would be reasonable to expect them to move swiftly to adapt the SORM (System for Operative Investigative Activities) surveillance infrastructure to detect, flag, and possibly block or inject into MAVLink traffic traversing domestic telecoms.

Why this matters:

MAVLink is plaintext: The protocol exposes commands, telemetry, and waypoints in easily parsable form. No need to crack encryption—just pattern-match known sequences.

Telemetry over LTE is hard to conceal: Unlike proprietary RF links or analog video feeds, LTE-based control is more integrated into traditional comms infrastructure, and its traffic can be filtered more systematically.

SORM is built to scale: Russia’s lawful interception architecture already supports deep packet inspection (DPI) and content-based filtering. MAVLink filtering would likely be a relatively minor addition, especially with known message formats and open-source documentation.

Drone C2 via 4G was a smart choice tactically: It allowed operators to stay far from the front line, avoid line-of-sight limitations, and potentially exploit local Russian telecoms — a vulnerability Moscow is now unlikely to ignore.

Expectations:

We will likely see:

  • Signature-based filtering of MAVLink commands on LTE networks.
  • Real-time alerts to the FSB or Roskomnadzor upon detection of drone telemetry.
  • Possibly active disruption (e.g. TCP reset packets, spoofed MAVLink messages).
  • Pressure on telecom operators to deploy updated DPI modules.
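To make concrete both the "MAVLink is plaintext" point above and the kind of signature-based detection the list anticipates, here is an added example (written for this commentary, not code from ArduPilot, the MAVLink project, or any operator). It scans a raw byte stream for MAVLink 1 and MAVLink 2 frames, validates them with the protocol's CRC-16/X.25, and decodes the HEARTBEAT message that every autopilot and ground station emits about once per second. Frame layouts, the CRC routine and HEARTBEAT's CRC_EXTRA seed (50) come from the public MAVLink specification; the sample stream is constructed, and the CRC_EXTRA table is deliberately limited to HEARTBEAT (a real tool would load the full table from the dialect XML files). The `signed` flag it reports refers to MAVLink 2 signing, which authenticates frames but does not encrypt them, so a signed frame is still fully readable.

```python
"""Detect and decode MAVLink 1/2 frames in a raw byte stream (added example).

Constants and the CRC come from the public MAVLink spec; the byte stream
below is constructed for illustration, not captured from any network.
"""
import struct

STX_V1, STX_V2 = 0xFE, 0xFD
IFLAG_SIGNED = 0x01            # MAVLink 2 incompat flag: 13-byte signature follows the CRC
HEARTBEAT_ID = 0
CRC_EXTRA = {HEARTBEAT_ID: 50}  # per-message CRC seed; only HEARTBEAT is included here


def x25_crc(data: bytes, crc: int = 0xFFFF) -> int:
    """MAVLink's CRC-16/X.25 (same arithmetic as crc_accumulate in the C generator)."""
    for b in data:
        tmp = b ^ (crc & 0xFF)
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc


def build_frame(version: int, seq: int, sysid: int, compid: int, msgid: int, payload: bytes) -> bytes:
    """Assemble a valid, unsigned v1 or v2 frame the way an autopilot or GCS would."""
    if version == 1:
        header = bytes([STX_V1, len(payload), seq, sysid, compid, msgid])
    else:
        header = bytes([STX_V2, len(payload), 0, 0, seq, sysid, compid]) + msgid.to_bytes(3, "little")
    body = header[1:] + payload                      # CRC covers everything after STX
    crc = x25_crc(bytes([CRC_EXTRA[msgid]]), x25_crc(body))
    return header + payload + struct.pack("<H", crc)


def parse_frames(stream: bytes):
    """Yield a dict for every frame whose CRC validates; skip everything else byte by byte."""
    i = 0
    while i < len(stream):
        stx = stream[i]
        if stx == STX_V1 and i + 8 <= len(stream):          # 6-byte header + CRC is the minimum
            plen, hdr_len, sig_len, signed = stream[i + 1], 6, 0, False
            seq, sysid, compid, msgid = stream[i + 2], stream[i + 3], stream[i + 4], stream[i + 5]
        elif stx == STX_V2 and i + 13 <= len(stream):       # 10-byte header + 1 payload byte + CRC
            plen, hdr_len = stream[i + 1], 10
            signed = bool(stream[i + 2] & IFLAG_SIGNED)
            sig_len = 13 if signed else 0
            seq, sysid, compid = stream[i + 4], stream[i + 5], stream[i + 6]
            msgid = int.from_bytes(stream[i + 7:i + 10], "little")
        else:
            i += 1
            continue
        end = i + hdr_len + plen + 2 + sig_len
        if end > len(stream) or msgid not in CRC_EXTRA:       # truncated, or message type unknown to us
            i += 1
            continue
        body = stream[i + 1:i + hdr_len + plen]
        expected = x25_crc(bytes([CRC_EXTRA[msgid]]), x25_crc(body))
        got = struct.unpack_from("<H", stream, i + hdr_len + plen)[0]
        if got != expected:                                   # a stray sync byte inside other traffic
            i += 1
            continue
        yield {"version": 1 if stx == STX_V1 else 2, "seq": seq, "sysid": sysid, "compid": compid,
               "msgid": msgid, "signed": signed, "payload": stream[i + hdr_len:i + hdr_len + plen]}
        i = end


def decode_heartbeat(payload: bytes) -> dict:
    """HEARTBEAT is 9 bytes; MAVLink 2 may truncate trailing zero bytes, so pad them back."""
    custom_mode, mav_type, autopilot, base_mode, status, ver = struct.unpack("<IBBBBB", payload.ljust(9, b"\x00"))
    return {"type": mav_type, "autopilot": autopilot, "base_mode": base_mode,
            "custom_mode": custom_mode, "system_status": status, "mavlink_version": ver}


def summarize(stream: bytes) -> list:
    """Return one record per validated frame, with HEARTBEAT fields decoded."""
    out = []
    for f in parse_frames(stream):
        entry = {k: f[k] for k in ("version", "sysid", "compid", "msgid", "signed")}
        if f["msgid"] == HEARTBEAT_ID:
            entry["heartbeat"] = decode_heartbeat(f["payload"])
        out.append(entry)
    return out


# Constructed sample: type 2 = quadrotor, autopilot 3 = ArduPilot, base_mode 0x81 = armed + custom mode,
# system_status 4 = active, protocol version 3.
HEARTBEAT = struct.pack("<IBBBBB", 0, 2, 3, 0x81, 4, 3)
SAMPLE_STREAM = (
    b"GET / HTTP/1.1\r\n"                                    # unrelated traffic on the same link
    + build_frame(2, 7, 1, 1, HEARTBEAT_ID, HEARTBEAT)       # vehicle (sysid 1) -> ground station, v2
    + bytes([STX_V2, 0xFF])                                  # stray sync byte followed by garbage
    + build_frame(1, 8, 255, 190, HEARTBEAT_ID, HEARTBEAT)   # ground station (sysid 255) -> vehicle, v1
)

if __name__ == "__main__":
    for rec in summarize(SAMPLE_STREAM):
        print(rec)
```

Nothing here needs a key: sysid, compid, message id and the decoded HEARTBEAT (vehicle type, autopilot, armed state) are all recoverable by anyone who can see the bytes, which is exactly why this traffic is easy to fingerprint at the DPI layer. The parser resynchronises one byte at a time after a bad CRC, which is the same discipline a DPI module needs so that a stray 0xFD in ordinary traffic neither triggers a false positive nor masks a real frame.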

Mitigation will escalate the cat-and-mouse game: Ukrainian teams may move toward VPN tunneling, encryption overlays (e.g. MAVSec, WireGuard), or frequency-hopping custom links again. But the convenience and bandwidth of LTE make it an attractive vector — at least until it becomes actively monitored.

Strategic takeaway: Open protocols and public infrastructure can be double-edged swords. While they offer speed, accessibility, and control depth for offensive operations, they also expose digital fingerprints that capable SIGINT actors can quickly identify and exploit.
