
How the Viasat Satellite Network was Targeted by Cyber Attackers

by CISOCONNECT Bureau

Recently, a satellite network owner stated that its network was targeted by a group of hackers. Read on to know more…

The cyberattack on a satellite network used by Ukraine’s government and military just as Russia invaded was anchored by a malicious software command that quickly crippled tens of thousands of modems across Europe, according to the satellite owner. The satellite network owner, Viasat of the United States, released a statement detailing for the first time how the most significant known cyberattack of the Russia-Ukraine war unfolded. The wide-ranging cyberattack impacted users from Poland to France, causing thousands of wind turbines in Central Europe to lose remote connectivity.

According to AP, Viasat refused to specify who it suspected was responsible for the attack. Russian hackers are being blamed by Ukrainian officials.

Viasat Cyberattack
The Viasat attack, which occurred just as Russia was launching its invasion, was seen at the time as a foreshadowing of severe cyberattacks that could spread beyond Ukraine. Such attacks haven’t yet materialised, but cybersecurity researchers believe the most significant war-related cyber operations are likely taking place in the shadows, with a focus on intelligence gathering.

Both Russia and Ukraine have been subjected to a barrage of smaller cyberattacks, many of which appear to have been carried out by volunteers. Throughout the more than month-long conflict, Ukraine has been beset by a steady drumbeat of malicious hacking that Ukrainian officials and cybersecurity researchers blame on Russia-linked attackers. One of the most serious hacks knocked out the internet and cellular service of Ukrtelecom, a major telecommunications company that serves the military, for most of Monday.

Google said on Wednesday that it has identified a state-sponsored Russian hacking group that was engaged in a credential-phishing campaign against the militaries of several Eastern European countries as well as a NATO think tank. It stated that it had no knowledge of whether any of the targets had been successfully compromised.

The attack on the KA-SAT satellite network demonstrated how vulnerable commercial satellite networks serving both military and non-military clients can be, with consequences seen by people and businesses far away from the war.

DDoS Attacks on Modems
It started early on February 24 with a Distributed Denial-of-Service (DDoS) attack that knocked a huge number of modems offline. According to Viasat, a damaging attack ensued, in which a malicious software command sent across the network left tens of thousands of modems inoperable by overwriting key data in their internal memory. It said, “We believe the purpose of the attack was to interrupt service.”

It said it had shipped out 30,000 replacement modems to affected customers across Europe, the majority of whom use the service for home broadband internet access.

According to top Ukrainian cybersecurity official Victor Zhora, the attack caused a severe communications outage in Ukraine in the early hours of Russia’s invasion.

Last week, in a statement to AP, Zhora said, “We don’t need to attribute it since we have obvious evidence that it was organized by Russian hackers to disrupt connection between customers that use this satellite system.”

He said he didn’t know if the service had been restored and couldn’t say whether other Ukrainian agencies were affected aside from the military. However, contracts show that Zhora’s own agency, the State Service for Special Communications, is one of the customers, along with police departments and municipalities. According to Viasat, “several thousand customers” in Ukraine were affected.

According to Viasat, which is based in Carlsbad, California, the initial denial-of-service attempt emanated from modems inside Ukraine. It did not clarify how the destructive malware got into the network, only that a virtual private network appliance was compromised because of a “misconfiguration,” which allowed the attackers to gain remote access to a “trusted” management console used to run the satellite network through the internet.

Viasat said that the attackers were able to send the disabling command to modems across Europe at the same time, rendering them useless but not permanently unusable.

It was unclear how the attackers gained access to the VPN appliance. Ruben Santamarta, a satellite cybersecurity researcher, said it was crucial to know whether they had stolen credentials or exploited a known vulnerability. Viasat, citing an ongoing inquiry, declined to disclose specifics on Wednesday.

According to Gregory Falco, a Johns Hopkins University professor who specialises in satellite system security, the impact on compromised systems was small in comparison to the attackers’ capabilities.

Skylogic, an Italy-based subsidiary of Eutelsat, runs the hacked ground-based network. Viasat purchased the KA-SAT satellite from Eutelsat in April of last year.

Mandiant, a cybersecurity firm based in the United States, is investigating the cyberattack on Viasat.
