LAS VEGAS — The cyberattack that crippled satellite communications on the eve of the Ukraine war was broader than initially understood and was carried out by attackers with detailed knowledge of the compromised system, an executive with Viasat, whose modems were targeted in the attack, revealed during a talk Thursday at the Black Hat cybersecurity conference in Las Vegas.
When hackers attacked Viasat as Russian forces prepared to stream across Ukraine’s border, they relied on a piece of malware that wiped the contents of thousands of targeted modems. That component of the attack has been fairly well understood, but on Thursday, Mark Colaluca, vice president and chief information security officer at Viasat Corporate, revealed a second, previously unknown component of the attack and said that the company remains under assault.
That secondary line of attack used “highly technical knowledge of our network” and the networking protocols it relies on to “target specific terminals to not let them back on the network,” Colaluca said.
U.S. government and Ukrainian officials have blamed Russia for the attack on the Viasat KA-SAT network, which shut down communications that Kyiv relied on for commanding troops and that thousands of Europeans used for internet access. The secondary attack revealed on Thursday showed that once Russian hackers had disrupted internet access in the first place, they used sophisticated methods to try to prevent it from being restored.
The attack on Viasat signaled that cyber operations would play a significant role in the war between Russia and Ukraine. After the U.S. blamed Moscow for hitting the Viasat network, the Cybersecurity and Infrastructure Security Agency and the FBI released an alert, and the National Security Agency released recommendations to protect satellite communications. Meanwhile, cyber experts pored over the wiper malware dubbed Acid Rain used in the attack, and the event has become something of a clarion call for improving the cybersecurity of space systems.
In his appearance on Thursday, Colaluca spoke alongside Kristina Walter, who leads the National Security Agency’s efforts to protect the cybersecurity of the U.S. defense industrial base. Walter said that in the run-up to the invasion of Ukraine, her agency anticipated that defense contractors might be targeted for cyberattack, but an assault on a satellite internet provider caught the NSA by surprise.
“This was not something we were expecting,” she said.
The KA-SAT satellite was launched in December 2010 and provides broadband internet and satellite television to Europe and parts of the Middle East. At the time of the attacks, the satellite communications network served between 110,000 and 120,000 modems for a mix of commercial, government and aviation customers, according to Colaluca.
Around 6:00 p.m. on Feb. 23, 2022, one day before the invasion, an attacker made multiple attempts to log into a VPN that Viasat administrators used to access servers in northern Italy that control the satellite internet network. The attacker at first failed to break into the network but hours later found a credential that worked.
With access to the computer system used to communicate with modems scattered throughout Europe and the Middle East, the attacker proceeded to send a piece of malware — dubbed Acid Rain — that left 40,000 to 45,000 modems inoperable. Ukrainian cybersecurity officials said the attack caused a “huge loss in communications” at the start of the invasion.
The second phase of the attack wasn’t discovered until later. Not only did Russian hackers deploy the wiper malware, they also flooded Viasat servers with requests that quickly overwhelmed their networks. Viasat servers received more than 100,000 requests in a five-minute span. That meant that any time a modem was kicked off the network it couldn’t reconnect, because the server could not respond, Colaluca said.
The hackers targeted specific terminals, but the company has not been able to determine exactly which modems were targeted. “It appeared to be that the attackers had specific targets in mind,” Colaluca said.
The attacks on Viasat systems persisted beyond February of last year. The network requests that crippled its servers continued for several weeks after the date of the invasion, and over the past year the company has observed “several incidents in the RF domain,” Colaluca said, referring to the radio frequencies used by the company’s satellite to communicate with its base stations.
Colaluca would not provide details on what those radio frequency attacks entailed, but said that improvements in the company’s security posture appeared to thwart them.