A malicious software update that crippled tens of thousands of modems across Europe was at the root of the cyber attack on a satellite network used by the Ukrainian government and military as Russia invaded, the satellite's owner revealed on Wednesday.
The owner, US-based Viasat, has for the first time provided details of how the most severe known cyber attack in the Russian-Ukrainian war unfolded. The wide-ranging attack affected users from Poland to France, gaining almost immediate notice by removing remote access to thousands of wind turbines in central Europe.
Viasat did not say in its statement who it believes was responsible for the attack. Ukrainian officials blame Russian hackers.
The Viasat attack, which came just as Russia was launching its invasion, was seen by many at the time as a harbinger of serious cyberattacks that could extend beyond Ukraine. Such attacks have yet to materialize, although security researchers say the most impactful war-related cyber operations are likely to occur in the shadows, focused on intelligence gathering.
A series of smaller attacks, many of which appear to be carried out by volunteers, have been launched against Russia and Ukraine. A persistent drumbeat of malicious hacking that Ukrainian officials and cybersecurity researchers blame on Russian-affiliated attackers has plagued Ukraine throughout the more than month-long conflict. One of the most serious hacks took the Internet and cellular service of a major army-serving telecommunications company, Ukrtelecom, largely offline for most of Monday.
On Wednesday, Google said it identified a state-backed Russian hacking group engaged in a credential phishing campaign targeting the military of several Eastern European countries and an Eastern European NATO think tank. It said it didn’t know if any of the targets had been successfully compromised.
The attack on the KA-SAT satellite network highlighted the vulnerability of commercial satellite networks that serve both military and non-military customers, with the impact felt by individuals and businesses far from the battlefield.
It started in the early hours of February 24 with a distributed denial of service attack that took a large number of modems offline. A destructive attack followed in which a malicious software command sent over the network rendered tens of thousands of modems across Europe inoperable by overwriting their internal memory, Viasat said. “We believe the purpose of the attack was to disrupt service,” it said.
It said it has shipped 30,000 replacement modems to affected customers across Europe, most of whom use the service for residential broadband internet access.
The attack caused a major loss of communications in Ukraine in the early hours of the Russian invasion, senior Ukrainian cybersecurity official Victor Zhora told reporters earlier this month. Asked by The Associated Press last week who was responsible, Zhora said: “We don’t need to attribute it since we have clear evidence that it was organized by Russian hackers to disrupt the connection between customers who use this satellite system.”
He said he had no information on whether the service had been restored and could not say which Ukrainian agencies beyond the military were involved. The contracts show, however, that Zhora’s own agency, the State Service for Special Communications, is among the clients that also include police departments and municipalities. Viasat said “several thousand customers” located in Ukraine were impacted.
Viasat, based in Carlsbad, Calif., said the initial denial of service attack originated from modems inside Ukraine. It did not specify how the destructive malware entered the network, except to say that a “misconfiguration” in a virtual private network device was compromised, allowing attackers to remotely access, from the Internet, a “trusted” management console used to administer the satellite network.
From there, the attackers were able to simultaneously send the destructive command to modems across Europe, rendering them useless but not permanently unusable, Viasat said.
It was unclear how the attackers hacked into the VPN appliance. According to Ruben Santamarta, a satellite cybersecurity researcher, it was important to know if they had obtained credentials or if they had exploited a known vulnerability. Viasat declined to provide details on Wednesday, citing an ongoing investigation.
The ground network is managed by Skylogic, an Italian subsidiary of Eutelsat, from which Viasat purchased the KA-SAT satellite in April last year.
Viasat’s investigation into the attack was led by US cybersecurity firm Mandiant.