A malicious software command that immediately crippled thousands of modems across Europe anchored the cyber attack, launched alongside Russia's attack, on a satellite network used by the Ukrainian government and military, the satellite’s owner said Wednesday.
The owner, US-based Viasat, has for the first time issued a statement detailing how the most serious cyber attack of the Russia-Ukraine war was uncovered. The wide-ranging attack affected users from Poland to France and cut remote access to thousands of wind turbines in Central Europe.
Asked separately by the Associated Press, Viasat could not say who it believed was responsible for the attack. Ukrainian officials have blamed Russian hackers.
The Viasat attack, coming just as Russia was launching its aggression, was seen as a harbinger of many serious cyber attacks that could overtake Ukraine. Such attacks have not yet materialized, although security researchers say the most influential war-related cyber operations are probably taking place in the shadows, with a focus on intelligence gathering.
There has also been a free-for-all of attacks against both Russia and Ukraine, many apparently led by volunteers. Ukrainian officials and cybersecurity researchers have blamed Ukraine for a series of malicious hacking attacks that have plagued Ukraine for more than a month. One of the most serious hacks knocked offline on Monday, on a large scale, the Internet and cellular services of Ukrtelecom, a major telecommunications company that serves the military.
On Wednesday, Google said it had identified a state-backed Russian hacking group that was engaged in a credential-phishing campaign targeting the armies of several Eastern European countries and a NATO think tank. It said it was not known if any targets had been successfully compromised.
The attack on the KA-SAT satellite network highlights how vulnerable commercial satellite networks serving both military and non-military clients can be, with the impact felt by individuals and businesses far from the battlefield.
It began early on February 24 with a distributed denial-of-service attack that knocked a large number of modems offline. In the destructive attack that followed, a malicious software command sent across the network rendered thousands of modems across Europe inoperable by overwriting the core data in their internal memory, Viasat said. “We believe the attack was aimed at disrupting services,” it said.
It said it had sent 30,000 replacement modems to affected customers across Europe, most of whom use the service for residential broadband Internet access.
Ukraine’s top cyber security official, Victor Zhora, told reporters earlier this month that the attack had caused major damage to communications in Ukraine. Asked by the AP last week who was responsible, Zhora said, “We don’t need to blame it because we have clear evidence that it was organized by Russian hackers to disrupt communications between customers using this satellite system.”
He said he had no information on whether the service had been restored and could not say which Ukrainian agencies outside the army were affected. However, the agreements show that customers include Zhora’s own agency, the State Service for Special Communications, as well as police agencies and municipalities. Viasat said “several thousand customers” based in Ukraine were affected.
Viasat, based in Carlsbad, California, said the initial denial-of-service attack stemmed from modems inside Ukraine. It did not specify how the destructive malware got in, other than through a “misconfiguration” in a virtual private network appliance that allowed attackers to gain remote access from the Internet to a “trusted” management console used to operate the satellite Internet service.
From there, the attackers were able to simultaneously send disabling commands to modems across Europe, rendering them useless but not permanently unusable, Viasat said.
It was not immediately clear how the attackers breached the VPN appliance. Satellite cybersecurity researcher Ruben Santamarta said it was important to know whether they had obtained credentials or exploited known vulnerabilities. Viasat declined to comment on Wednesday, citing an ongoing investigation.
Gregory Falco, a professor at Johns Hopkins University who specializes in satellite system security, said the impact on the affected system was small compared to what the attackers could have done.
Falco said they probably held back. “The attackers don’t want to show their full hand or any of their positions for how they plan to survive in the network,” he said.
The hacked ground-based network is operated by Skylogic, an Italy-based affiliate of Eutelsat, from which Viasat purchased the KA-SAT satellite in April last year.
The US cybersecurity firm Mandiant is investigating the attack on Viasat.