Viasat KA-SAT attack (2022)

From International cyber law: interactive toolkit
Date: 24 February 2022,[1] between 5 am and 9 am EEST.[2]
Suspected actor: The deputy head of Ukraine’s State Service of Special Communications and Information Protection, Victor Zhora, has affirmed that they have evidence that the attack “was organized by Russian hackers”.[3] U.S. intelligence analysts have similarly suggested that Russia’s military intelligence agency (the GRU)[4] could have been behind the attack,[5] and investigated the incident as a potential Russian state-sponsored attack.[6]

According to the cyber-security firm SentinelOne, the rare wiper malware allegedly used for the attack showed developmental similarities to the “VPNFilter” malware, attributed first by the FBI in 2018[7] to the APT28 group (or “Fancy Bear”) and later by the NSA to the Sandworm group,[8] both allegedly Russian GRU-backed hacking groups.[9]

On May 10, 2022, the UK’s National Cyber Security Centre,[10] the US State Department,[11] and the Council of the EU[12] officially attributed the attack to Russia. Russia has repeatedly denied that it carries out offensive cyber operations.[13]

Victims: Users of modems on Viasat’s KA-SAT satellite network.[14] The attack affected a specific consumer-oriented partition of modems,[15] in particular on Ukrainian territory[16] but also a substantial number of customers across Europe.[17]
Target systems: KA-SAT satellite ground-based network infrastructure.[18] In particular, the network’s management system and the modems’ filesystem.[19]
Method: On 30 March 2022, Viasat issued a statement on the attack and affirmed that it was a two-phase incident: (i) a targeted denial of service attack coming from modems and associated customer premise equipment[20] located in Ukraine, which rendered several modems offline;[21] and (ii) the gradual decline of connected modems in the system.[22] Viasat stated that the attackers exploited “a misconfiguration in a VPN appliance” to gain remote access to a management segment of the ground-based network,[23] then moved laterally to a segment used to operate the network and executed “legitimate, targeted management commands on a large number of residential modems simultaneously”,[24] overwriting key data in the flash memory of the modems and thus preventing them from accessing the network.[25]

On 31 March, the cybersecurity firm SentinelOne presented an alternative analysis affirming that the attackers most probably conducted a supply-chain attack and used the “AcidRain” generic wiper malware, designed to overwrite the key data in the modems’ and routers’ flash memory.[26] The binary was apparently able to perform an “in-depth wipe of the filesystem and various known storage device files, before attempting to destroy the data”[27] and then reboot the devices, rendering them inoperable. On the same day, Viasat affirmed the use of the wiper in a public statement and stated that this analysis was consistent with the facts presented in the report.[28]
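
The pattern Viasat describes, legitimate management commands reaching a large number of modems simultaneously, can be watched for in a management-plane audit log. The following Python example is added here for illustration and is not taken from Viasat, SentinelOne or the toolkit; the log format, host names, command names and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    # Constructed format: "<ISO time> src=<host> modem=<id> cmd=<name>"
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["modem"], kv["cmd"]

def detect_fanout(lines, window=timedelta(seconds=60), max_modems=100):
    """Map each source exceeding max_modems to its peak count of distinct
    modems commanded within any single window."""
    recent = defaultdict(deque)  # src -> (ts, modem) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, modem, _cmd in sorted(parse(l) for l in lines):
        q = recent[src]
        q.append((ts, modem))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        peak[src] = max(peak[src], len({m for _, m in q}))
    return {s: n for s, n in peak.items() if n > max_modems}

def sample_log():
    # Constructed data: hosts, commands and times are hypothetical.
    t0 = datetime(2030, 1, 1, 5, 0, 0)
    routine = [f"{(t0 + timedelta(minutes=20 * i)).isoformat()} "
               f"src=noc-ws-01 modem=m{i:05d} cmd=status" for i in range(3)]
    burst = [f"{(t0 + timedelta(milliseconds=50 * i)).isoformat()} "
             f"src=mgmt-srv-07 modem=m{i:05d} cmd=config_push" for i in range(500)]
    return routine + burst

if __name__ == "__main__":
    for src, n in detect_fanout(sample_log()).items():
        print(f"ALERT {src}: {n} distinct modems commanded within 60s")
```

Because the commands themselves are legitimate, the signal is the fan-out per source over time rather than the content of any single command.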

Purpose: The attack ostensibly aimed at interrupting the service,[29] by rendering the modems of an entire parcel of customers inoperable,[30] but not at compromising the KA-SAT satellite itself or the supporting ground infrastructure, and there is no evidence of access to the users’ data or personal equipment.[31]

Public officials have pointed to the alleged purpose of disrupting satellite communications in Ukraine[32] amid the intensification of the conflict in Ukraine on 24 February 2022.[33] In this regard, experts have claimed Viasat’s network also provided communications services to the Ukrainian military and security forces,[34] and that the attack could have intended to hit “aspects of military command and control in Ukraine”.[35] This assessment was reiterated in the statements of the US[36] and the UK,[37] while the Council of the EU referred to the “facilitation of the military action”.[38]

Result: The attack rendered inoperable thousands of Viasat KA-SAT satellite broadband modems in Ukraine,[39] including those used by military and other governmental agencies,[40] causing major loss in internet communication.[41] It has also impacted tens of thousands of customers across Europe,[42] including satellite internet users from Poland, Germany, the UK, France, and the Czech Republic.[43] The alleged spillover of the attack included the outage of the remote monitoring and control of 5,800 wind turbines in Germany operated by Enercon,[44] which were kept offline for several weeks.[45]

The modems were no longer able to access the network and therefore, even if not permanently unusable, could only be restored by a factory reset.[46] Although Viasat did not provide precise information on the number of affected devices, it has stated that “nearly 30,000 fresh modems had already been shipped to distributors to bring customers back online”.[47] The EU Agency for Cybersecurity reported at least 27,000 devices were impacted.[48]

However, the attack did not compromise users on other Viasat networks worldwide, including airlines[49] or other government users of the KA-SAT satellite network.[50] It did not damage the satellite itself nor the network infrastructure.[51] There was also no reported impact on the physical or electrical components of the modems,[52] and there is no evidence of impact on users’ data or access to the customers’ personal equipment.[53]

Aftermath: Although mitigation and recovery actions to stabilize the network and restore service began immediately,[54] as of May 2022, thousands of customers still remained offline.[55] The company’s spokesperson affirmed that priority in the recovery was given to “critical infrastructure and humanitarian assistance”.[56]

Viasat affirmed that while in certain cases modems promptly received “over-the-air” software updates, around 30,000 new modems were shipped to effectively restore the functionality of the service, and stated that it had continued this provision at the distributors’ request.[57] In addition, it stressed that it was working on enhancing the network’s security.

On 30 March 2022, Reuters reported that Viasat was still witnessing some repeated attempts to interfere with the satellite services, but that these were being thwarted by defensive measures.[58]

As of May 2022, the attack was being investigated by cyber-security firms hired by Viasat[59] and by multiple intelligence and security agencies, including the US National Security Agency, the French cyber-security agency and Ukrainian intelligence.[60]

Analysed in: Although no scenario addresses this exact set of circumstances, relevant scenarios include:

Scenario 03: Cyber operation against the power grid

Scenario 10: Legal review of cyber weapons

Scenario 13: Cyber operations as a trigger of the law of armed conflict

Scenario 22: Cyber methods of warfare

Scenario 24: Internet blockage

Collected by: Dominique Steinbrecher

  1. Viasat, KA-SAT Network cyber attack overview (30 March 2022)
  2. Raphael Satter, Satellite outage caused 'huge loss in communications' at war's outset -Ukrainian official, Reuters (15 March 2022)
  3. Ellen Nakashima, Russian military behind hack of satellite communication devices in Ukraine at war’s outset, U.S. officials say, The Washington Post (28 March 2022); Frank Bajak, Satellite modems nexus of worst cyberattack of Ukraine war, ABC News (31 March 2022)
  4. Gordon Corera, Russia hacked Ukrainian satellite communications, officials believe, BBC (25 March 2022)
  5. Ellen Nakashima, Russian military behind hack of satellite communication devices in Ukraine at war’s outset, U.S. officials say, The Washington Post (28 March 2022); Alexander Martin, Russian government hackers linked to cyber attack on first day of Ukraine invasion, Sky News (1 April 2022)
  6. Sean Lyngaas, US satellite operator says persistent cyberattack at beginning of Ukraine war affected tens of thousands of customers, CNN (30 March 2022)
  7. Juan Andres Guerrero-Saade and Max van Amerongen, AcidRain | A Modem Wiper Rains Down on Europe, Sentinel Labs (31 March 2022)
  8. Carly Page, Viasat cyberattack blamed on Russian wiper malware, TechCrunch (31 March 2022)
  9. Carly Page, Ukraine disrupts attempt by Russian hackers to take down energy provider, TechCrunch (12 April 2022); Emma Vail, A deeper look at hacking groups and malware targeting Ukraine, The Record (27 April 2022); Computer Emergency Response Team of Ukraine (CERT-UA), Five hacker groups that attack Ukraine the most (22 April 2022)
  10. UK Government, Russia behind cyber-attack with Europe-wide impact an hour before Ukraine invasion (10 May 2022); UK National Cyber Security Centre, Russia behind cyber attack with Europe-wide impact an hour before Ukraine invasion (10 May 2022)
  11. Antony J. Blinken, Attribution of Russia’s Malicious Cyber Activity Against Ukraine, US Department of State (10 May 2022)
  12. Council of the EU, Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (10 May 2022)
  13. See e.g. James Pearson, Russia downed satellite internet in Ukraine -Western officials, Reuters (11 May 2022); Catherine Stupp, U.S., U.K., EU Blame Russia for Cyberattack on Satellite Provider Viasat, The Wall Street Journal (10 May 2022)
  14. Sean Lyngaas, US satellite operator says persistent cyberattack at beginning of Ukraine war affected tens of thousands of customers, CNN (30 March 2022)
  15. Dan Swinhoe, Viasat: Our network was hit by a “multifaceted and deliberate” cyberattack, DCD (31 March 2022); Viasat, KA-SAT Network cyber attack overview (30 March 2022)
  16. Sean Lyngaas, US satellite operator says persistent cyberattack at beginning of Ukraine war affected tens of thousands of customers, CNN (30 March 2022)
  17. Viasat, KA-SAT Network cyber attack overview (30 March 2022); Sean Lyngaas, Ukraine detains 'hacker' accused of aiding Russian troops amid broader struggle to secure communications, CNN (15 March 2022); Dan Swinhoe, Viasat: Our network was hit by a “multifaceted and deliberate” cyberattack, DCD (31 March 2022)
  18. Viasat, KA-SAT Network cyber attack overview (30 March 2022); Matt Burgess, A Mysterious Satellite Hack Has Victims Far Beyond Ukraine, Wired (23 March 2022)
  19. Juan Andres Guerrero-Saade and Max van Amerongen, AcidRain | A Modem Wiper Rains Down on Europe, Sentinel Labs (31 March 2022)
  20. Viasat, KA-SAT Network cyber attack overview (30 March 2022)
  21. Frank Bajak, Satellite modems nexus of worst cyberattack of Ukraine war, ABC News (31 March 2022)
  22. Viasat, KA-SAT Network cyber attack overview (30 March 2022); Juan Andres Guerrero-Saade and Max van Amerongen, AcidRain | A Modem Wiper Rains Down on Europe, Sentinel Labs (31 March 2022)
  23. It is not clear if the hackers obtained the credentials or exploited a vulnerability to breach the VPN. See: Ruben Santamarta, VIASAT incident: from speculation to technical details, Reversemode (31 March 2022)
  24. Viasat, KA-SAT Network cyber attack overview (30 March 2022)
  25. Viasat, KA-SAT Network cyber attack overview (30 March 2022); Christopher Bing and Raphael Satter, Hackers who crippled Viasat modems in Ukraine are still active- company official, Reuters (30 March 2022)
  26. Juan Andres Guerrero-Saade and Max van Amerongen, AcidRain | A Modem Wiper Rains Down on Europe, Sentinel Labs (31 March 2022). The strain of wiper malware was allegedly discovered by SentinelLabs on 15 March 2022. See: Carly Page, Viasat cyberattack blamed on Russian wiper malware, TechCrunch (31 March 2022)
  27. Carly Page, Viasat cyberattack blamed on Russian wiper malware, TechCrunch (31 March 2022)
  28. Viasat, Public Statement made via Twitter (31 March 2022); Juan Andres Guerrero-Saade and Max van Amerongen, AcidRain | A Modem Wiper Rains Down on Europe, Sentinel Labs (31 March 2022); Jonathan Greig, Viasat confirms report of wiper malware used in Ukraine cyberattack, The Record (1 April 2022)
  29. Viasat, KA-SAT Network cyber attack overview (30 March 2022)
  30. David Jones, Viasat network cyberattack linked to newly discovered Russian wiper, Cybersecurity Dive (1 April 2022)
  31. Dan Swinhoe, Viasat: Our network was hit by a “multifaceted and deliberate” cyberattack, DCD (31 March 2022)
  32. Sean Lyngaas, US satellite operator says persistent cyberattack at beginning of Ukraine war affected tens of thousands of customers, CNN (30 March 2022)
  33. Matt Burgess, A Mysterious Satellite Hack Has Victims Far Beyond Ukraine, Wired (23 March 2022)
  34. Ellen Nakashima, Russian military behind hack of satellite communication devices in Ukraine at war’s outset, U.S. officials say, The Washington Post (28 March 2022); James Pearson, Raphael Satter, Christopher Bing and Joel Schectman, Exclusive: U.S. spy agency probes sabotage of satellite internet during Russian invasion, sources say, Reuters (12 March 2022)
  35. David Jones, Viasat network cyberattack linked to newly discovered Russian wiper, Cybersecurity Dive (1 April 2022); See also: Gordon Corera, Russia hacked Ukrainian satellite communications, officials believe, BBC (25 March 2022)
  36. Antony J. Blinken, Attribution of Russia’s Malicious Cyber Activity Against Ukraine, US Department of State (10 May 2022)
  37. UK Government, Russia behind cyber-attack with Europe-wide impact an hour before Ukraine invasion (10 May 2022)
  38. Council of the EU, Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (10 May 2022)
  39. Juan Andres Guerrero-Saade and Max van Amerongen, AcidRain | A Modem Wiper Rains Down on Europe, Sentinel Labs (31 March 2022)
  40. Ellen Nakashima, Russian military behind hack of satellite communication devices in Ukraine at war’s outset, U.S. officials say, The Washington Post (28 March 2022)
  41. Frank Bajak, Satellite modems nexus of worst cyberattack of Ukraine war, ABC News (31 March 2022)
  42. Viasat, KA-SAT Network cyber attack overview (30 March 2022)
  43. Matt Burgess, A Mysterious Satellite Hack Has Victims Far Beyond Ukraine, Wired (23 March 2022)
  44. Juan Andres Guerrero-Saade and Max van Amerongen, AcidRain | A Modem Wiper Rains Down on Europe, Sentinel Labs (31 March 2022); Reuters, Satellite outage knocks out thousands of Enercon's wind turbines (28 February 2022)
  45. Raphael Satter, Satellite outage caused 'huge loss in communications' at war's outset -Ukrainian official, Reuters (15 March 2022); Dan Swinhoe, Viasat: Our network was hit by a “multifaceted and deliberate” cyberattack, DCD (31 March 2022)
  46. Viasat, KA-SAT Network cyber attack overview (30 March 2022); Matt Burgess, A Mysterious Satellite Hack Has Victims Far Beyond Ukraine, Wired (23 March 2022)
  47. Christopher Bing and Raphael Satter, Hackers who crippled Viasat modems in Ukraine are still active- company official, Reuters (30 March 2022)
  48. Matt Burgess, A Mysterious Satellite Hack Has Victims Far Beyond Ukraine, Wired (23 March 2022)
  49. Matt Burgess, A Mysterious Satellite Hack Has Victims Far Beyond Ukraine, Wired (23 March 2022)
  50. Viasat, KA-SAT Network cyber attack overview (30 March 2022)
  51. Viasat, KA-SAT Network cyber attack overview (30 March 2022); Gordon Corera, Russia hacked Ukrainian satellite communications, officials believe, BBC (25 March 2022)
  52. Viasat, KA-SAT Network cyber attack overview (30 March 2022); Jonathan Greig, Viasat confirms report of wiper malware used in Ukraine cyberattack, The Record (1 April 2022)
  53. Matt Burgess, A Mysterious Satellite Hack Has Victims Far Beyond Ukraine, Wired (23 March 2022)
  54. Viasat, KA-SAT Network cyber attack overview (30 March 2022)
  55. James Pearson, Raphael Satter, Christopher Bing and Joel Schectman, Exclusive: U.S. spy agency probes sabotage of satellite internet during Russian invasion, sources say, Reuters (12 March 2022); Matt Burgess, A Mysterious Satellite Hack Has Victims Far Beyond Ukraine, Wired (23 March 2022)
  56. James Pearson, Raphael Satter, Christopher Bing and Joel Schectman, Exclusive: U.S. spy agency probes sabotage of satellite internet during Russian invasion, sources say, Reuters (12 March 2022)
  57. Viasat, KA-SAT Network cyber attack overview (30 March 2022)
  58. Christopher Bing and Raphael Satter, Hackers who crippled Viasat modems in Ukraine are still active- company official, Reuters (30 March 2022)
  59. Carly Page, Viasat cyberattack blamed on Russian wiper malware, TechCrunch (31 March 2022); Sean Lyngaas, US satellite operator says persistent cyberattack at beginning of Ukraine war affected tens of thousands of customers, CNN (30 March 2022)
  60. James Pearson, Raphael Satter, Christopher Bing and Joel Schectman, Exclusive: U.S. spy agency probes sabotage of satellite internet during Russian invasion, sources say, Reuters (12 March 2022); Matt Burgess, A Mysterious Satellite Hack Has Victims Far Beyond Ukraine, Wired (23 March 2022); Dan Swinhoe, Viasat: Our network was hit by a “multifaceted and deliberate” cyberattack, DCD (31 March 2022)