Satellite modems were the nexus of the worst cyberattack of the war in Ukraine


A malicious software command that immediately crippled tens of thousands of modems across Europe anchored the cyberattack on a satellite network used by the Ukrainian government and military just as Russia was invading, the satellite's owner revealed on Wednesday.

The owner, US-based Viasat, released a statement providing details for the first time of how the worst known cyberattack of the Russian-Ukrainian war unfolded. The wide-ranging attack affected users from Poland to France, drawing early notice by cutting off remote access to thousands of wind turbines in central Europe.

Viasat would not say who it believes was responsible for the attack when questioned separately by The Associated Press. Ukrainian officials blame Russian hackers.

The Viasat attack, coming just as Russia was launching its invasion, was seen by many at the time as a harbinger of severe cyberattacks which could extend beyond Ukraine. Such attacks have yet to materialize, although security researchers say the most impactful war-related cyber operations are likely to occur in the shadows, focused on intelligence gathering.

A free-for-all of lesser attacks, many of them apparently carried out by volunteers, has been launched against both Russia and Ukraine. A persistent drumbeat of malicious hacking that Ukrainian officials and cybersecurity researchers blame on Russian-affiliated attackers has plagued Ukraine throughout the more than month-long conflict. One of the most serious hacks took the internet and cellular service of Ukrtelecom, a major telecommunications company that serves the military, largely offline for most of Monday.

On Wednesday, Google said it identified a state-backed Russian hacking group engaged in a credential phishing campaign targeting the military of several Eastern European countries and an Eastern European NATO think tank. It said it didn’t know if any of the targets had been successfully compromised.

The attack on the KA-SAT satellite network highlighted the vulnerability of commercial satellite networks that serve both military and non-military customers, with the impact felt by individuals and businesses far from the battlefield.

It started in the early hours of February 24 with a distributed denial of service attack that took a large number of modems offline. A destructive attack followed in which a malicious software command sent over the network rendered tens of thousands of modems across Europe inoperable by overwriting key data in their internal memory, Viasat said. “We believe the purpose of the attack was to disrupt service,” it said.

It said it has shipped 30,000 replacement modems to affected customers across Europe, most of whom use the service for residential broadband internet access.

The attack caused a significant loss of communications in Ukraine in the early hours of the Russian invasion, senior Ukrainian cybersecurity official Victor Zhora told reporters earlier this month. Asked by the AP last week who was responsible, Zhora said: “We don’t need to attribute it since we have clear evidence that it was organized by Russian hackers to disrupt the connection between the customers who use this satellite system.”

He said he had no information on whether the service had been restored and could not say which Ukrainian agencies beyond the military were involved. Contracts show, however, that Zhora’s own agency, the State Service for Special Communications, is among the clients, which also include police departments and municipalities. Viasat said “several thousand customers” located in Ukraine were impacted.

Viasat, based in Carlsbad, Calif., said the initial denial of service attack originated from modems inside Ukraine. It did not specify how the destructive malware entered the network, except to say that a “misconfiguration” in a virtual private network appliance was exploited, allowing attackers to remotely access from the internet a “trusted” management console used to administer the satellite network.

From there, the attackers were able to simultaneously send the disable command to modems across Europe, rendering them useless but not permanently unusable, Viasat said.

It was unclear how the attackers hacked into the VPN appliance. Ruben Santamarta, a satellite cybersecurity researcher, said it was important to know whether they obtained credentials or exploited a known vulnerability. Viasat declined to provide details on Wednesday, citing an ongoing investigation.

Gregory Falco, a Johns Hopkins University professor who specializes in satellite system security, said the impact on affected systems was minor compared to what the attackers were capable of doing.

Falco said it was likely they maintained their presence. “Attackers don’t want to show their whole hand or any of their positioning to know how they plan to persist in the network,” he said.

The hacked ground network is operated by Skylogic, an Italian subsidiary of Eutelsat, from which Viasat purchased the KA-SAT satellite in April last year.

Viasat’s investigation into the attack was led by US cybersecurity firm Mandiant.

Copyright 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.
