
Viasat Traces Outage to Exploit of VPN Misconfiguration

About 30,000 Modems Knocked Offline as Russian Forces Began Invasion of Ukraine
Viasat's "KA-SAT Network cyberattack overview"

Tens of thousands of modems were knocked offline in central Europe at nearly the same time Russian forces invaded Ukraine on Feb. 24.


The outage affected infrastructure run by communications company Viasat, based in Carlsbad, California. Four days later, the company reported that it was investigating the outage, which it says affected "fixed broadband customers" (see: Russia May Have Caused Widespread Satellite Network Outage).

On March 17, the U.S. government warned that it is "aware of possible threats to U.S. and international satellite communication networks." So far, neither the U.S. nor the Ukrainian government has attributed the attack to any individual or nation-state, although Russia or a close ally remains an obvious suspect.

On Wednesday, Viasat published an update on its probe of the outage, which affected some users of the KA-SAT satellite communications, or SATCOM, network it operates. Specifically, it says attackers knocked offline approximately 30,000 residential broadband modems sold under the Tooway brand, and provided by Italy-based Skylogic, which is a subsidiary of French satellite operator Eutelsat.

"This cyberattack did not impact Viasat's directly managed mobility or government users on the KA-SAT satellite," Viasat says in its overview and incident report. "Similarly, the cyberattack did not affect users on other Viasat networks worldwide."

Viasat, which provides the modems on a wholesale basis to distributors, says it has already shipped 30,000 replacement modems and that more are available if required. The company says the original modems were not destroyed or bricked, but rather knocked offline via a series of commands sent by attackers.

In some cases, distributors have been able to issue over-the-air updates to the modems that have brought them back online, Viasat says, "but where such updates are insufficient to timely restore functionality, new modems are being provided as the most efficient way to restore service."

Viasat has hired digital forensics investigation firm Mandiant to probe the attack and says it and Eutelsat/Skylogic are assisting an ongoing, international law enforcement and cybersecurity agency investigation into the attack.

Attackers Exploited VPN Misconfiguration

The network disruption began Feb. 24 at 5:02 a.m. local time in Ukraine, when Viasat says "high volumes of focused, malicious traffic" began to be issued by two of the Skybeam modems sold under the Tooway brand, which were part of the Skylogic network and supported via a consumer-focused network segment. It says the denial-of-service attack made it difficult for other modems to connect, after which they were forced offline.

On March 15, Ukrainian cybersecurity official Viktor Zhora told reporters the disruption was "a really huge loss in communications in the very beginning of war," as Reuters reported of his press conference.

Source: FBI and U.S. Cybersecurity and Infrastructure Security Agency security alert - March 15, 2022: "Strengthening Cybersecurity of SATCOM Network Providers and Customers"

Viasat's Wednesday update provides a closer look at what happened.

"Subsequent investigation and forensic analysis identified a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network," Viasat says.

"The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously," it adds. "Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable."
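The pattern Viasat describes, legitimate management commands sent to a large number of modems at once from inside the trusted segment, is the kind of activity a management-plane audit log can be monitored for. The sketch below is an added example, not taken from Viasat's report or this article; the log format, command names, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical format:
# ISO timestamp, source host, target modem ID, command name.
SAMPLE_LOG = """\
2022-01-01T03:00:00 10.0.0.5 modem-0001 status_query
2022-01-01T03:00:05 10.0.0.5 modem-0001 flash_write
2022-01-01T03:00:06 10.0.0.5 modem-0002 status_query
2022-01-01T03:20:00 10.0.0.5 modem-0002 flash_write
2022-01-01T04:00:00 10.0.0.9 modem-0003 flash_write
2022-01-01T04:00:01 10.0.0.9 modem-0004 flash_write
2022-01-01T04:00:02 10.0.0.9 modem-0005 flash_write
2022-01-01T04:00:03 10.0.0.9 modem-0006 flash_write
2022-01-01T04:00:04 10.0.0.9 modem-0007 flash_write
2022-01-01T04:00:05 10.0.0.9 modem-0008 flash_write
"""

# Hypothetical names for management commands that change modem state.
WRITE_COMMANDS = {"flash_write", "factory_reset"}

def detect_bulk_writes(lines, window=timedelta(seconds=60), max_targets=4):
    """Flag sources that send state-changing commands to more than
    max_targets distinct modems within a sliding time window.
    Assumes lines are in time order. Returns (source, window_start, n_targets)."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, modem)
    alerted, alerts = set(), []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed entries
        ts_text, source, modem, command = parts
        if command not in WRITE_COMMANDS:
            continue              # read-only polling is not counted
        ts = datetime.fromisoformat(ts_text)
        queue = recent[source]
        queue.append((ts, modem))
        while ts - queue[0][0] > window:
            queue.popleft()       # drop events older than the window
        targets = {m for _, m in queue}
        if len(targets) > max_targets and source not in alerted:
            alerted.add(source)   # one alert per source
            alerts.append((source, queue[0][0].isoformat(), len(targets)))
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_writes(SAMPLE_LOG.splitlines()):
        print("bulk write burst:", alert)
```

The threshold and window have to be tuned against normal maintenance activity, since scheduled firmware rollouts also touch many devices in a short period.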

'Less Sophisticated Than Expected'

One takeaway from the new breach report is that the attack was "significantly less sophisticated than expected, and required less preparation than assumed," says Thomas Rid, a professor of strategic studies at Johns Hopkins University.

Namely, the attack involved "no supply chain compromise, no modified firmware, no irreparable damage," he tweets.

A Viasat official says the company continues to defend against active attempts to further disrupt its network.

"We're still witnessing some deliberate attempts," the official, speaking on condition of anonymity, told Reuters on Tuesday.

Viasat has new defenses in place, and attackers continue to try to work around them. "We've been seeing repeated attempts by this attacker to alter that pattern to test those new mitigations and defenses," the company official told Reuters.

No Attack Attribution - Yet

No government has yet attributed the attacks.

On Friday, The Washington Post quoted unnamed U.S. officials who said they suspected that Russian military intelligence officers were behind the disruption.

But attribution remains a political exercise, and governments typically only attribute attacks when it's advantageous to do so.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



