The owner, US-based Viasat, issued a statement detailing for the first time how the most notorious known cyber-attack in the Russia-Ukraine war unfolded. The wide-ranging attack affected users from Poland to France, receiving immediate alert, removing remote access to thousands of wind turbines in central Europe. Viasat did not say who believed it was responsible for the attack when asked separately by the Associated Press. Ukrainian officials accuse Russian hackers. The Viasat attack, which came just as Russia launched its invasion, was seen at the time by many as a harbinger of serious cyber-attacks that could extend beyond Ukraine. Such attacks have not yet taken place, although security researchers say most war-related cyber-effects are likely to occur in the shadows, with a focus on intelligence gathering. A free-for-all minor attack, many apparently carried out by volunteers, has been launched against both Russia and Ukraine. A persistent tyrannical malicious hacking operation blamed on Russian-linked attackers by Ukrainian officials and cyber security investigators has plagued Ukraine for more than a month. One of the most serious hacks has largely knocked off the internet and mobile service of a large telecommunications company serving the military, Ukrtelecom, for most of Monday. On Wednesday, Google announced that it had spotted a state-backed Russian hacker group involved in a credential fishing campaign targeting the armies of many Eastern European countries and a NATO think tank. He said he did not know if any of the targets had been successfully breached. The attack on the KA-SAT satellite network highlighted how vulnerable commercial satellite networks serving military and non-military customers can be, with the impact felt by individuals and businesses off the battlefield. It started in the early morning hours of February 24 with a sporadic denial of service attack that dropped a large number of modems offline. A catastrophic attack followed in which a malicious software command sent across the network rendered tens of thousands of modems across Europe non-functional, replacing key data in their internal memory, Viasat said. “We believe the purpose of the attack was to disrupt service,” he said. He said he had sent 30,000 replacement modems to affected customers across Europe, most of whom use the service for home broadband Internet access. The bomber struck shortly after noon in front of a rally in central Ukraine, police said. Asked by the AP last week who was in charge, Zhora said: “We do not have to attribute it, as we have clear evidence that it was organized by Russian hackers to cut off communication between customers using this satellite system.” He said he had no information on whether the service had been restored and could not say which Ukrainian services beyond the military were affected. The contracts show, however, that Zhora’s own service, the State Special Communications Service, is among the clients, which also includes police services and municipalities. Viasat said “many thousands of customers” in Ukraine were affected. Viasat, based in Carlsbad, California, said the initial denial of service attack came from a modem inside Ukraine. He did not specify how the malicious malware entered the network except to say that a “malfunction” of a virtual network device was compromised, allowing intruders to gain remote access from the Internet to a “trusted” management console used for satellite network management. From there, the intruders were able to simultaneously send the deactivation command to modems across Europe, rendering them useless but not permanently useless, Viasat said. It was not known how the intruders breached the VPN device. Satellite cybersecurity researcher Ruben Santamarta said it was important to know if they had received credentials or exploited a known vulnerability. Viasat declined to give details on Wednesday, citing an ongoing investigation. Gregory Falco, a professor at Johns Hopkins University who specializes in satellite security, said the impact on the affected systems was small compared to what the attackers could have done. Falco said they may have maintained a base. “The attackers do not want to show their whole hand or any position on how they intend to stick to the network,” he said. The breached terrestrial network is run by Skylogic, a subsidiary of Eutelsat based in Italy, from which Viasat bought the KA-SAT satellite in April last year. Viasat’s investigation into the attack was carried out by the American cybersecurity company Mandiant.
