Viasat

US satellite communications provider Viasat has shared an incident report regarding the cyberattack that affected its KA-SAT consumer-oriented satellite broadband service on February 24, the day Russia invaded Ukraine.

Today's incident report comes after the KA-SAT satellite network — "used intensively by the Ukrainian military" — was affected by a cyberattack that triggered satellite service outages in Central and Eastern Europe. 

The outage also disconnected modems used to control roughly 5,800 wind turbines in Germany and affected customers from Germany, France, Italy, Hungary, Greece, and Poland.

Viasat confirmed today the incident affected thousands of Ukrainian customers and tens of thousands of other broadband customers across Europe.

However, it added that the attack had no impact on its directly managed government and mobility users on the KA-SAT satellite or on users of other Viasat networks worldwide.

"Ultimately, tens of thousands of modems that were previously online and active dropped off the network, and these modems were not observed attempting to re-enter the network," Viasat explained.

Breached via misconfigured VPN appliance

Viasat says the attackers took down the customers' residential modems by breaching the management network and issuing management commands to overwrite the devices' flash memory, rendering them unable to reconnect to the network but not bricking them altogether.

"Subsequent investigation and forensic analysis identified a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network," Viasat added.

"The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously."

As a direct result of this attack, tens of thousands of online modems dropped off the KA-SAT network and could not rejoin the network.

This incident affected the vast majority of previously active modems in Ukraine and a significant number of modems in other parts of Europe.
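
The report describes legitimate management commands issued to a large number of modems at once from inside the trusted management segment. As an added example (not from Viasat or the original article), the Python below flags that fan-out pattern in a management audit log; the log format, command names, addresses and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed names for state-changing commands; not taken from the Viasat report.
DESTRUCTIVE = {"flash_write", "factory_reset", "reboot"}

def parse(line):
    """Parse one assumed audit line: '<ISO time> <source> <modem id> <command>'."""
    ts, source, modem, command = line.split()
    return datetime.fromisoformat(ts), source, modem, command

def detect_fanout(events, window=timedelta(seconds=60), max_modems=3):
    """Alert once per source that sends state-changing commands to more than
    max_modems distinct modems inside a sliding time window."""
    recent = defaultdict(deque)  # source -> (timestamp, modem) pairs in window
    alerted, alerts = set(), []
    for ts, source, modem, command in sorted(events):
        if command not in DESTRUCTIVE:
            continue  # read-only queries are not counted
        q = recent[source]
        q.append((ts, modem))
        while ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = {m for _, m in q}
        if len(distinct) > max_modems and source not in alerted:
            alerted.add(source)
            alerts.append((source, ts, len(distinct)))
    return alerts

# Constructed sample: routine single-modem work from one console, then a
# burst of flash writes from another host on the management segment.
SAMPLE_LOG = """\
2022-01-10T09:00:00 10.0.0.5 modem-001 status_query
2022-01-10T09:05:00 10.0.0.5 modem-001 reboot
2022-01-10T11:30:00 10.0.0.5 modem-002 reboot
2022-01-10T14:00:00 10.0.0.9 modem-101 flash_write
2022-01-10T14:00:02 10.0.0.9 modem-102 flash_write
2022-01-10T14:00:03 10.0.0.9 modem-103 flash_write
2022-01-10T14:00:05 10.0.0.9 modem-104 flash_write
2022-01-10T14:00:06 10.0.0.9 modem-105 flash_write
"""

def run_sample():
    return detect_fanout([parse(l) for l in SAMPLE_LOG.splitlines() if l.strip()])

if __name__ == "__main__":
    for source, ts, n in run_sample():
        print(f"ALERT {ts.isoformat()} {source} commanded {n} modems within 60s")
```

The same counter can back a preventive control: a management plane that refuses, or requires a second approver for, any state-changing command batch above the threshold.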

"Viasat has conducted an exhaustive analysis of impacted modems and confirmed no anomalies or impacts to any electrical components, no impact or compromise of any modem physical or electronic components, no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference. The modems can be fully restored via a factory reset. To date, Viasat has no evidence that standard modem software or firmware distribution or update processes involved in normal network operations were used or compromised in the attack." — Viasat (emphasis ours)

Nearly 30,000 modems shipped for service restoration

Since the February 2022 attack, Viasat has shipped almost 30,000 modems to bring customers back online and continues to provide more modems to expedite service restoration for impacted customers.

"We believe the purpose of the attack was to interrupt service," the satellite communications provider said.

"There is no evidence that any end-user data was accessed or compromised, nor customer personal equipment (PCs, mobile devices, etc.) was improperly accessed, nor is there any evidence that the KA-SAT satellite itself or its supporting satellite ground infrastructure itself were directly involved, impaired or compromised."

The US government is now investigating the Viasat hack as a potential Russian state-sponsored cyberattack. The NSA mentions an inter-agency and allied effort (including Ukrainian intelligence) to "assess the scope and severity of the incident."

CISA and the FBI also published a joint advisory warning US organizations of "possible threats" to satellite communication (SATCOM) networks in the US and worldwide.
