
Viasat KA-SAT Satellite Cyberattack

Overview

A few hours before its invasion of Ukraine, on 24 February 2022, Russia launched a cyberattack against Viasat, an American satellite broadband company that supplies military and commercial markets, exploiting a weakness in the cyber infrastructure of an Italian partner company. The attack affected the company's KA-SAT satellite, which then beamed a malware signal to modems across Ukraine and Europe. The likely objective of this cyberattack was to make it harder for people in Ukraine to communicate.


Incident

Attackers found a weak spot in a VPN that Viasat used to manage its network from the ground. They entered the network and sent out malicious software called “AcidRain”. This software ruined around 40,000-45,000 home internet modems across Ukraine and parts of Europe by wiping key data, making the devices useless.


Impact

Tens of thousands of modems were disabled and unable to reconnect to the satellite network. Military communications in Ukraine were severely impacted, hindering battlefield coordination and command in the early hours of the invasion. Thousands of internet users in Europe lost internet connectivity, with some users claiming that the outages lasted over two weeks. The operation of 5,800 wind turbines in Germany and central Europe was temporarily halted. Viasat supplied at least 30,000 replacement modems, incurring significant costs.


Attribution

On 10 May, the EU, UK, and USA formally condemned the cyber operation, attributing it to the Russian military intelligence arm, the GRU. This followed SentinelLabs attributing the malware to Russia, pointing to similarities to a 2018 Russian campaign. The 2022 attack was not an isolated event: it blended conventional and unconventional methods of destabilisation, creating widespread uncertainty, massive economic disruption, and psychological pressure across civilian, military, and private sectors.


Lessons

Mitigation strategies included immediate incident response and collaboration: Viasat took prompt action and collaborated with cybersecurity contractors to mitigate disruption, identify the vulnerability, identify the attacker, and prevent future attacks. They also focused on long-term resilience, such as implementing vulnerability scanning and timely updating of security protocols. The incident also shows that the cyber and space domains are recognised as being part of the battlefield. Finally, 80% of all military communications rely heavily on dual-use satellites. Segregation needs to occur immediately to strengthen the security of satellites required for military communication.
