AP

Satellite modems nexus of worst cyberattack of Ukraine war

Mar 30, 2022, 10:55 AM | Updated: Apr 4, 2022, 10:17 pm

A malicious software command that immediately crippled tens of thousands of modems across Europe anchored the cyberattack on a satellite network used by Ukraine’s government and military just as Russia invaded, the satellite owner disclosed Wednesday.

The owner, U.S.-based Viasat, issued a statement providing details for the first time of how the most serious known cyberattack of the Russia-Ukraine war unfolded. The wide-ranging attack affected users from Poland to France, getting quick notice by knocking off remote access to thousands of wind turbines in central Europe.

Viasat would not say who it believed was responsible for the attack when asked separately by The Associated Press. Ukrainian officials blame Russian hackers.

The Viasat attack, coming just as Russia was launching its invasion, was considered at the time by many a harbinger of serious cyberattacks that could extend beyond Ukraine. Such attacks haven’t yet materialized, though security researchers say the most impactful war-related cyber operations are likely occurring in the shadows, focused on intelligence-gathering.

A free-for-all of lesser attacks, many apparently carried out by volunteers, have been launched against both Russia and Ukraine. A persistent drumbeat of malicious hacking that Ukrainian officials and cybersecurity researchers blame on Russia-affiliated attackers has plagued Ukraine throughout the more than month-long conflict. One of the most serious hacks largely knocked offline the internet and cellular service of a major telecommunications company that serves the military, Ukrtelecom, for most of Monday.

On Wednesday, Google said it had identified a state-backed Russian hacking group engaged in a credential-phishing campaign targeting the militaries of multiple Eastern European countries and a NATO think tank. It said it did not know if any of the targets were successfully compromised.

The attack on the KA-SAT satellite network highlighted how vulnerable commercial satellite networks that serve both military and non-military clients can be, with the impact felt by individuals and businesses far from the battlefield.

It began in the early hours of Feb. 24 with a distributed denial-of-service onslaught that knocked a large number of modems offline. A destructive attack followed in which a malicious software command sent across the network rendered tens of thousands of modems across Europe inoperable by overwriting key data in their internal memory, Viasat said. “We believe the purpose of the attack was to interrupt service,” it said.

It said it has shipped 30,000 replacement modems to affected customers across Europe, most of whom use the service for residential broadband internet access.

The attack caused a major loss in communications in Ukraine in the early hours of Russia’s invasion, top Ukrainian cybersecurity official Victor Zhora told reporters earlier this month. Asked by the AP last week who was responsible, Zhora said, “We don’t need to attribute it since we have obvious evidence that it was organized by Russian hackers to disrupt connection between customers that use this satellite system.”

He said he did not have information on whether the service had been restored and could not say which Ukrainian agencies beyond the military were affected. Contracts show, however, that Zhora’s own agency, the State Service for Special Communications, is among customers that also include police agencies and municipalities. Viasat said “several thousand customers” located in Ukraine were impacted.

Viasat, based in Carlsbad, California, said the initial denial of service attack had emanated from modems inside Ukraine. It did not specify how the destructive malware entered the network other than to say a “misconfiguration” in a virtual private network appliance was compromised, allowing the attackers to gain remote access from the internet to a “trusted” management console used to administer the satellite network.

From there, the attackers were able to simultaneously send the disabling command to modems across Europe, rendering them useless but not permanently unusable, Viasat said.

It was not known how the attackers breached the VPN appliance. Satellite cybersecurity researcher Ruben Santamarta said it was important to know whether they had obtained credentials or exploited a known vulnerability. Viasat declined to provide specifics Wednesday, citing an ongoing investigation.

Gregory Falco, a Johns Hopkins University professor specializing in satellite system security, said the impact on affected systems was minor compared to what the attackers were capable of doing.

Falco said it’s likely they’ve maintained a foothold. “The attackers don’t want to show their whole hand or any of their positioning for how they plan to persist in the network,” he said.

The hacked ground-based network is run by Skylogic, an Italy-based subsidiary of Eutelsat, from which Viasat purchased the KA-SAT satellite in April of last year.

Viasat’s investigation of the attack was done by the U.S. cybersecurity firm Mandiant.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

AP

Former President Donald Trump sits in a courtroom next to his lawyer Todd Blanche before the start ...

Associated Press

Trump hush money trial enters new phase after defense rests without testimony from former president

Donald Trump's hush money trial is now closer to the moment when the jury will begin deciding the former president's fate.

20 hours ago

UoA student convicted of first-degree murder after killing professor...

Associated Press

Former Arizona grad student convicted of first-degree murder in 2022 shooting of professor

A former University of Arizona grad student was convicted of first-degree murder after fatally shooting a professor on campus two years ago.

22 hours ago

Rudy Giuliani bankruptcy filing defamation lawsuit...

Associated Press

Ex-NYC Mayor Rudy Giuliani, Arizona’s Kelli Ward plead not guilty in fake elector case

Giuliani appeared remotely for the arraignment that was held in a Phoenix courtroom. His trial will take place in October.

1 day ago

President Joe Biden gestures after speaking to graduating students at the Morehouse College commenc...

Associated Press

Biden tells Morehouse graduates that scenes in Gaza from the Israel-Hamas war break his heart, too

Joe Biden on Sunday offered his most direct recognition of U.S. students' anguish over the Israel-Hamas war.

3 days ago

Rudy Giuliani...

Associated Press

Rudy Giuliani is the final defendant served indictment in Arizona fake elector case

Rudy Giuliani has been served an indictment in Arizona's fake elector case for his role in an attempt to overturn the 2020 election.

4 days ago

Houston storms cause widespread damage on Friday...

Associated Press

Some in Houston facing no power for weeks after storms cause widespread damage, killing at least 4

Houston storms cause widespread damage on Friday, May 17. Thunderstorms hit the southeastern part of Texas, killing at least four people.

5 days ago

Sponsored Articles

...

Day & Night Air Conditioning, Heating and Plumbing

Beat the heat, ensure your AC unit is summer-ready

With temperatures starting to rise across the Valley, now is a great time to be sure your AC unit is ready to withstand the sweltering summer heat.

...

Condor Airlines

Condor Airlines can get you smoothly from Phoenix to Frankfurt on new A330-900neo airplane

Adventure Awaits! And there's no better way to experience the vacation of your dreams than traveling with Condor Airlines.

...

Fiesta Bowl Foundation

The 51st annual Vrbo Fiesta Bowl Parade is excitingly upon us

The 51st annual Vrbo Fiesta Bowl Parade presented by Lerner & Rowe is upon us! The attraction honors Arizona and the history of the game.

Satellite modems nexus of worst cyberattack of Ukraine war