Malicious Update Anchors Ukraine War’s Worst Cyber Attack

A malicious software update that crippled tens of thousands of modems across Europe anchored the cyberattack on a satellite network used by Ukraine’s government and military just as Russia invaded, the satellite owner announced on Wednesday.

The owner, the US-based company Viasat, for the first time provided details on the course of the most serious known cyber attack of the Russia-Ukraine war. The wide-ranging attack affected users from Poland to France and was noticed almost immediately, disrupting remote access to thousands of wind turbines in central Europe.

Viasat did not say in its statement who it believes to be responsible for the attack. Ukrainian officials blame Russian hackers.

The Viasat attack, which happened just as Russia launched its invasion, was seen by many at the time as a harbinger of serious cyberattacks that could spread beyond Ukraine. Such attacks have not yet occurred, although security researchers say the most effective war-related cyber operations are likely to take place in the shadows and focus on intelligence gathering.

A number of smaller attacks were carried out against both Russia and Ukraine, many of which appear to have been carried out by volunteers. A sustained barrage of malicious hacking attacks, which Ukrainian officials and cybersecurity researchers blame on Russia-linked attackers, has plagued Ukraine during the more than month-long conflict. One of the most serious hacks left internet and mobile service at a major telecom company that serves the military, Ukrtelecom, down for most of Monday.

On Wednesday, Google announced that it had identified a state-backed Russian hacking group involved in a credential phishing campaign targeting the military of several Eastern European countries and a NATO think tank. It is not known whether any of the targets were successfully compromised.

The attack on the KA-SAT satellite network has shown how vulnerable commercial satellite networks serving both military and non-military customers can be, with the impact felt by individuals and businesses far from the battlefield.

It began in the early hours of February 24 with a distributed denial of service attack that took a large number of modems offline. A destructive attack followed, in which a malicious software command sent over the network rendered tens of thousands of modems across Europe inoperable by overwriting their internal memory, Viasat said. “We believe the purpose of the attack was to disrupt service,” it said.

It said it had shipped 30,000 replacement modems to affected customers across Europe, most of whom use the service for home broadband internet access.

The attack caused a major loss of communications in Ukraine in the early hours of the Russian invasion, Ukraine’s top cybersecurity official Victor Zhora told reporters earlier this month. When asked by The Associated Press last week who was responsible, Zhora said: “We don’t have to attribute it as we have obvious evidence that it was organized by Russian hackers to cut the connection between customers who were using this satellite system.”

He said he had no information on whether service had been restored and could not say which Ukrainian bodies outside the military were affected. However, contracts show that Zhora’s own agency, the State Service for Special Communications, is among the clients, which also include police departments and municipalities. Viasat said “several thousand customers” in Ukraine were affected.

Carlsbad, California-based Viasat said the initial denial-of-service attack originated from modems in Ukraine. It didn’t specify how the destructive malware entered the network, except that a “misconfiguration” in a virtual private network appliance was compromised, allowing the attackers to gain remote access from the internet to a “trusted” management console used to manage the satellite network.

From there, the attackers were able to simultaneously send the destructive command to modems across Europe, rendering them useless but not permanently unusable, Viasat said.

It was not known how the attackers got into the VPN appliance. For satellite cybersecurity researcher Ruben Santamarta, it was important to know if they had obtained credentials or exploited a known vulnerability. Viasat declined to provide details on Wednesday, citing an ongoing investigation.

The ground-based network is operated by Skylogic, an Italy-based subsidiary of Eutelsat, from which Viasat bought the KA-SAT satellite in April last year.

The investigation into the Viasat attack was conducted by US cybersecurity firm Mandiant.
