At the Black Hat conference, Mark Colaluca, Viasat's vice president and chief information security officer, and Kristina Walter, director of the Defense Industrial Base (DIB) Cybersecurity Division at the NSA, shared new details about a major cyberattack that occurred in 2022 during Russia's invasion of Ukraine.
A cyberattack in February 2022 knocked out Viasat KA-SAT modems in Ukraine and around 5,800 Enercon wind turbines in Germany, with numerous organizations across Europe experiencing outages. According to US and European Union officials, the main purpose of the attack was to disrupt communications between the Ukrainian government and the military.
The Viasat KA-SAT network serves more than 100,000 customers in Europe and the Middle East, offering both broadband and satellite communications. The attack, attributed to Russian hackers, specifically targeted Viasat's broadband segment. Colaluca stressed that two separate attacks disrupted the company's operations.
Colaluca noted that the attackers demonstrated real sophistication, in the sense of a thorough understanding of Viasat's network infrastructure, which allowed them to carry out very complex maneuvers using the tools and capabilities already available in the network. He added that one of the key lessons was that the less sophisticated aspects of the attack, i.e., the attackers' use of existing tools, could potentially have been mitigated with better network hygiene and additional security measures.
On February 23, 2022, hackers attacked a control center in Turin, Italy, targeting a VPN installation that provided network access to administrators and operators. After several failed attempts, the hackers gained access to the VPN and continued to infiltrate the management servers. This access allowed them to determine how many modems were online. The hackers then gained access to another server responsible for updating modem software, which facilitated the delivery of the wiper malware. As a result, between 40,000 and 45,000 modems were taken offline, thousands of which would never be restored.
The aftermath of the attack prompted Colaluca to work with Walter of the NSA, owing to an influx of requests from various government agencies in Europe and elsewhere. Complicating the incident response was the geographic distribution of the affected modems, which were mostly located in Europe, while Viasat is based in the US.
The second attack began immediately after the cooperation with the NSA started, flooding Viasat's systems with requests and effectively using thousands of compromised modems to hinder incident response efforts.
Despite recovery efforts, Viasat continues to face further attacks in 2023. Colaluca emphasized that the company's anticipation of the hackers' return prompted them to rebuild their network infrastructure from scratch to strengthen security.
How the attackers gained initial access to the VPN remains a mystery: they are known not to have exploited either zero-day vulnerabilities or default passwords. Colaluca briefly mentioned the possibility of an insider attack, but did not elaborate.
The NSA's Walter noted that much of the work involved working with other US agencies and protecting other satellite providers from potential future attacks. However, the NSA has gone to great lengths to attribute the attacks to Russian actors in order to help the armed forces of the US government and European countries impose sanctions.
In conclusion, the joint presentation by the NSA and Viasat emphasized the critical importance of cybersecurity measures and international cooperation in protecting against such attacks, whose consequences reach beyond the digital realm, affecting geopolitics and global security.
Author: Nessa, Cyber Journalist