ViaSat: the company explains the cyberattack


In its statement on the February 24 “disturbance” of its systems, ViaSat does not mince words and this time explicitly refers to a cyberattack. “On February 24, 2022, a multifaceted and deliberate cyberattack against ViaSat’s KA-SAT network resulted in a partial disruption of KA-SAT’s satellite broadband service to consumers,” the company explains.

ViaSat specifies that this attack only targeted part of its network, in particular affecting users of the service based in Ukraine. The affected users were customers of the “Tooway” solution, offered by ViaSat and Eutelsat to access the Internet by satellite in Europe.

The investigation is still ongoing, but ViaSat believes the attackers’ end goal was to disrupt the service, as no data was stolen.

Ukrainian equipment mainly targeted

The company says it detected the first signs of the attack at 3 a.m. on February 24. These took the form of malicious traffic emanating from Surfbeam 2 and Surfbeam 2+ modems, as well as other equipment used by the company’s customers to connect to its satellite internet service.

“As ViaSat personnel worked on the situation and attempted to force the malicious modems offline, other modems appeared on the network to continue the targeted attack over the next few hours, degrading the ability of legitimate modems to enter or otherwise stay active on the network,” the company says. An hour later, the company’s engineers found that many modems were disconnecting from the network, with the number of disconnected modems reaching “tens of thousands”.

The attack mainly targeted equipment installed in Ukraine, and to a limited extent other equipment based in Europe.

Two attacks for the price of one

The investigation into the attack revealed the attackers’ modus operandi: contrary to initial indications, it was apparently not a malicious update distributed to the attacked devices. ViaSat explains that the attackers managed to exploit a configuration error in VPN equipment in order to break into the administrative part of the KA-SAT network, which is named after the satellite used by ViaSat to connect its European customers to the Internet.

Once inside, the attackers moved laterally until they reached a section of the network used to administer modems. They then exploited this access to send legitimate commands to a large number of modems at the same time. These commands were aimed in particular at deleting data in the devices’ flash memory that the modems used to connect to the network.

The attackers therefore chose to conduct both a denial of service and a data deletion on the modems to disconnect users from the network.
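Because the commands were legitimate ones, a defender cannot flag them individually and has to look at how many devices a single source touches in a short time. The following sketch is an added illustration, not code from ViaSat or from the original article; the audit-log format, the command names, the host names and the thresholds are all assumptions, and the records are expected in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical command names treated as destructive (an assumption, not ViaSat's).
DESTRUCTIVE = {"flash_erase", "factory_reset"}

# Constructed audit records: "<timestamp> <source host> <command> <modem id>"
SAMPLE_LOG = """\
2022-01-01T02:00:00 mgmt-01 flash_erase modem-0007
2022-01-01T02:00:30 mgmt-01 get_status modem-0007
2022-01-01T02:40:00 mgmt-01 flash_erase modem-0008
2022-01-01T03:00:00 mgmt-02 flash_erase modem-0101
2022-01-01T03:00:01 mgmt-02 flash_erase modem-0101
2022-01-01T03:00:02 mgmt-02 flash_erase modem-0102
2022-01-01T03:00:03 mgmt-02 factory_reset modem-0103
2022-01-01T03:00:04 mgmt-02 flash_erase modem-0104
2022-01-01T03:00:05 mgmt-02 flash_erase modem-0105
"""


def detect_fanout(lines, window=timedelta(minutes=5), max_modems=3):
    """Alert once per source that sends destructive commands to more than
    max_modems distinct modems inside a sliding time window."""
    recent = defaultdict(deque)   # source -> (timestamp, modem) pairs in window
    alerted, alerts = set(), []
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[2] not in DESTRUCTIVE:
            continue              # malformed record or harmless command
        stamp, source, _, modem = fields
        now = datetime.fromisoformat(stamp)
        events = recent[source]
        events.append((now, modem))
        while now - events[0][0] > window:
            events.popleft()      # drop events that fell out of the window
        distinct = {m for _, m in events}
        if len(distinct) > max_modems and source not in alerted:
            alerted.add(source)
            alerts.append((source, stamp, len(distinct)))
    return alerts


if __name__ == "__main__":
    for source, stamp, count in detect_fanout(SAMPLE_LOG.splitlines()):
        print(f"ALERT {stamp}: {source} sent destructive commands to {count} modems")
```

On the constructed records, the two isolated erases from `mgmt-01` stay below the threshold, while the burst from `mgmt-02` raises a single alert when its fourth distinct modem is hit.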

No attribution, but few doubts

This method made it possible to disconnect a large number of modems from the KA-SAT network in the space of a few hours. ViaSat nevertheless insists that no firmware or software updates were installed on the devices, so they can simply be reset to reconnect to the network.

The first public information about the attack raised the possibility of a malicious update that would have made the devices permanently unusable. ViaSat announces that it has hired the American company Mandiant to support it in its analysis of the attack, and indicates that it is also working with law enforcement, the American authorities and international cybersecurity agencies on the incident.

ViaSat says it restored the stability of its network in the days following the attack. The company and its resellers have undertaken an update of the affected modems, and in some cases shipped replacement modems. Its teams are also taking steps to strengthen network security, but the company gives no technical details of those steps.

The company offers no information on the origin of the attack. Although no one has officially attributed this cyberattack to a specific actor, sources close to American intelligence cited by The Washington Post suggest that actors linked to the Russian government were involved in this incident. Several cybersecurity companies had pointed out that ViaSat’s services were widely used by the Ukrainian military forces.




