The U.S. telecommunications company targeted as the Russian military attacked Ukraine on Feb. 24 said Wednesday that a misconfigured virtual private network allowed hackers to gain the access needed to knock key modems offline — an attempt to cripple the Ukrainian government’s communications as part of a “multifaceted and deliberate cyber-attack.”
Viasat, based in southern California, said in a statement posted to its website that the misconfigured VPN, operated by a subsidiary of a partner company, allowed the hackers to execute “legitimate, targeted management commands on a large number of residential modems simultaneously.” The statement added that these “destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”
The disruption of services was relatively limited, the company said, and did not affect government users of its KA-SAT satellite service or other Viasat networks worldwide. The company did not say how many customers were affected, but said it has shipped “tens of thousands of replacement modems” to distributors to help customers get back online.
The company’s statement shows that “several initial assumptions about the attack were wrong,” according to Thomas Rid, the founding director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University. Rid tweeted Wednesday that the attack was “significantly less sophisticated than expected, and required less preparation than assumed (no supply chain compromise, no modified firmware, no irreparable damage).”
The hack is perhaps the most serious cyberattacks to emerge in the wake of Russia’s attack on Ukraine. Thousands of internet and communications customers in Ukraine and beyond were knocked offline, and the attack caused a “huge loss in communications in the very beginning of the war,” Victor Zhora, a top Ukrainian government cybersecurity official, told reporters March 15.
Government and private networks there have suffered roughly a half-dozen wiper attacks since the invasion began, as well as a series of ongoing distributed denial-of-service attacks, which flood targeted networks or websites with phony traffic to make them inaccessible to legitimate users. Viasat was hit with a denial-of-service attack simultaneous to the destructive commands that affected the modems, the company said in its statement.
U.S. intelligence believes Russian hackers were behind the attack on Viasat, The Washington Post reported March 24, backing up the informal assessment of Ukrainian government cyber officials. “I don’t need any additional proofs that Russia was targeting Viasat, as well as other companies,” Zhora told reporters March 15. “We understand they’re focusing on satellite communications, they are focusing on ISPs, they are focusing on mobile operators” in attempts to cut off Ukrainian communications.
The company did not identify the attackers, but told Reuters Wednesday that the attackers are behind “repeated attempts” to bypass defenses and mitigations put in place by the company in the wake of the initial attack.
Russian-aligned hackers have relentlessly targeted Ukraine with attacks and disruptions in the weeks leading up to the Feb. 24 invasion and since, according to independent researchers and Ukrainian officials. An attack involving destructive malware poorly disguised as ransomware hit multiple organizations in Ukraine on Jan. 13, the beginning of a string of wiper attacks.
That attack, known in the information security community as WhisperGate, was perhaps the work of a previously unknown Russian military intelligence hacking group, according to Adam Meyers, the senior vice president of intelligence at cybersecurity firm CrowdStrike.
In planned testimony before the House Committee on Homeland Security Wednesday Meyers said a group the company calls “Ember Bear” has been targeting government and military organizations in eastern Europe since early 2021 may have been behind the WhisperGate attack. The group shares tactics, techniques and procedures with other hacking units of the GRU, Russia’s military intelligence division, Meyers said. The Wednesday hearing has been postponed.