Viasat has provided an overview of the cyberattack that crippled its European satellite services, especially in Ukraine.
On the same day that Russia invaded Ukraine, Viasat began suffering issues with its KA-SAT network. The company later acknowledged that it was engaging with cybersecurity firms to investigate the issue in the midst of a suspected cyberattack.
“On 24 February 2022, a multifaceted and deliberate cyberattack against Viasat’s KA-SAT network resulted in a partial interruption of KA-SAT’s consumer-oriented satellite broadband service,” the company said in a breakdown of the incident. “While most users were unaffected by the incident, the cyber-attack did impact several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe.”
Viasat said the attack was focused on a consumer-oriented partition of the KA-SAT network that is operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic, following a 2021 acquisition arrangement.
On the day in question, high volumes of “focused, malicious traffic” were detected emanating from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment (CPE) located within Ukraine, making it difficult for many modems to remain online. Other modems emerged on the network to continue the targeted DDoS attack throughout the next several hours, degrading the ability of other modems to enter or otherwise remain active on the network.
Viasat and Skylogic then began to observe a decline in the number of modems online in the same commercial-oriented partition. Tens of thousands of modems dropped off the network and never tried to re-connect. Viasat said the attack impacted a majority of previously active modems within Ukraine, and a “substantial number” of modems in other parts of Europe.
“We believe the purpose of the attack was to interrupt service. There is no evidence that any end-user data was accessed or compromised, nor customer personal equipment (PCs, mobile devices, etc.) was improperly accessed, nor is there any evidence that the KA-SAT satellite itself or its supporting satellite ground infrastructure itself were directly involved, impaired or compromised.”
The residential broadband modems affected use the “Tooway” service brand. Viasat said network stabilization and security mitigation actions began immediately, and the network was fully stabilized within several days. As a precaution, the company also undertook “proactive operational measures” to ensure back-office applications and reporting/analytics services were not impacted.
After investigation, Viasat said the attackers exploited a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network.
“The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”
The company noted that the attack did not impact its directly managed mobility or government users on the KA-SAT satellite, or users on other Viasat networks worldwide.
Viasat said it is working with Mandiant, Eutelsat/Skylogic, law enforcement, and US and international government agencies to investigate the cyber-attack. That investigation is still ongoing.
The satellite company added it is working closely with the wholesale distributors to bring their customers back online.
“Certain end-customer modems promptly received over-the-air updates, but where such updates are insufficient to timely restore functionality, new modems are being provided as the most efficient way to restore service,” it said, adding that it has shipped close to 30,000 replacement modems to distributors and is ready to ship additional modems as needed.
Eutelsat launched commercial broadband services from the KA-SAT satellite in 2011. Viasat acquired the network in April 2021; Eutelsat subsidiary Skylogic continues to operate and support the ground segment operations of the KA-SAT network on Viasat’s behalf, an arrangement that was originally expected to end sometime later this year.
PaxEx.Aero reported at the onset of the outage that at least three ISPs had reported issues connecting to Viasat satellites – including Intv.cz and EUSANET – but suggested as many as six were affected. CSP Bigblu confirmed its network was suffering disruption as a result of the Viasat outage, as did Orange-owned Nordnet.
German wind turbine manufacturer Enercon said remote operation of more than 5,000 turbines had been impacted by the disruption. The company warned earlier this month that 85 percent of its modems were still offline and that a full recovery was likely to take “some further weeks.”