A cyberattack targeting a satellite network used by Ukraine’s government and military agencies shortly after Russia’s invasion also knocked offline tens of thousands of broadband internet users across Europe, the satellite owner disclosed Wednesday.
The owner, U.S.-based Viasat, provided new details of how the cyberattack, the biggest known such attack in the war so far, was conducted and its wide-ranging impact. The attack affected users from Poland to France and knocked off remote access to thousands of wind turbines in central Europe.
Viasat did not say in its statement who it believed was responsible for the attack. Ukrainian officials have blamed Russian hackers.
The Viasat attack, coming just as Russia was launching its invasion, was considered at the time by many a harbinger of a wave of serious cyberattacks extending beyond Ukraine. But, so far, those attacks haven’t materialized, though security researchers say the most impactful war-related cyber operations are likely occurring in the shadows. A free-for-all of lesser attacks, many apparently carried out by volunteers, have been carried out.
The attack though highlighted how satellite technology that serves both military and non-military clients can be targeted in a conflict, with the impact felt by individuals and businesses far from the battlefield.
The attack in the early hours of Feb. 24 on the KA-SAT satellite network began with a distributed denial-of-service onslaught knocking offline a large number of modems. It then moved to a destructive attack in which a malicious software update distributed across the network rendered tens of thousands of modems across Europe inoperable by overwriting their internal memory, Viasat said.
It said it has shipped 30,000 replacement modems to affected customers across Europe, most of whom use the service for residential broadband internet access.
The attack caused a major loss in communications in Ukraine in the early hours of Russia’s invasion, top Ukrainian cybersecurity official Victor Zhora told reporters earlier this month. Asked who was responsible, Zhora said “We don’t need to attribute it since we have obvious evidence that it was organized by Russian hackers to disrupt connection between customers that use this satellite system.”
He said he did not have information on whether the service had been restored and could not say which Ukrainian agencies beyond the military were affected. Contracts show, however, that Zhora’s own agency, the State Service for Special Communications, is among customers that also include police agencies and municipalities.
Viasat, based in Carlsbad, California, said the initial denial of service attack had emanated from modems inside Ukraine. It did not specify how the destructive malware entered the network other than to say “misconfiguration” in a virtual private network appliance was compromised, allowing the attackers to gain remote access.
Once inside the network, the attackers were able to distribute a software update affecting tens of thousands of modems across Europe.
It was not known how the attackers breached the VPN appliance. Satellite cybersecurity researcher Ruben Santamarta said it was important to know whether they had obtained credentials or exploited a known vulnerability. Viasat declined to provide specifics Wednesday, citing an ongoing investigation.
The ground-based network is run by Skylogic, an Italy-based subsidiary of Eutelsat, from which Viasat purchased the KA-SAT satellite in April of last year.
Viasat’s investigation of the attack was done by the U.S. cybersecurity firm Mandiant.