Defending the Skies: Viasat's Battle Against Russian Hackers

Introduction

In the dark corners of the digital realm, where hackers lurk like shadows, a cyber-attack sent shockwaves through the satellite communication industry. In a brazen move, Russian hackers targeted Viasat, a leading satellite communications provider, and threw the cybersecurity world into a frenzy. The incident was confined to a single consumer-oriented partition of the KA-SAT network, which is operated on Viasat's behalf by a Eutelsat subsidiary, Skylogic, under a transition agreement.

Part 1: The Hackers

Picture this: a dimly lit room, filled with the hum of servers and the glow of multiple computer screens. The hackers, clad in virtual invisibility cloaks, set their sights on Viasat’s satellite infrastructure. It was a digital duel that would test the limits of cybersecurity measures.

The entry point into this high-stakes game was a subtle flaw: a vulnerability in a VPN setup in Turin, where Skylogic is based. A seemingly innocuous error, yet it served as the gateway for Russian military intelligence to infiltrate the network. Skylogic's servers, the Gateway Earth Stations, and the SurfBeam2 modems rely on VPN appliances produced by Fortinet. In 2021, Fortinet disclosed attacks on its FortiGate SSL-VPN devices that exploited a vulnerability first disclosed in 2019. The allegedly Russian hacker group Groove stole and published credentials for almost 87,000 SSL-VPN devices. Fortinet had released a patch for the vulnerability, but it is unclear whether Viasat's operator, Skylogic, ever deployed it.

Viasat reports that the attackers exploited the unpatched VPN to gain remote access to Skylogic's Gateway Earth Stations from the open internet. From that foothold they escalated past the DMZ into the trusted management segment of the KA-SAT network.

Once inside, the hackers navigated the digital maze, exploiting vulnerabilities and leveraging sophisticated techniques. It was a dance of ones and zeros, with the hackers manipulating the code to their advantage. In no time, they had unauthorized access to critical systems, including those that controlled Viasat's satellite communication infrastructure.

The hackers' skill showed as they pivoted within the network, targeting ground stations and systems with outdated protections and tunneling their way to the SurfBeam2 and SurfBeam2+ modems and other on-premises equipment physically located in Ukraine.

The attackers then compromised the network server and used it to push wiper malware to tens of thousands of KA-SAT modems. The wiper overwrote key data in each modem's flash memory, rendering the devices unusable and in need of replacement.

The modems likely had limited or no firmware authentication requirements, so the attacker was able to deliver what the modem treated as a valid firmware update: an ELF binary, later dubbed the AcidRain wiper, that destroyed the data in the modem's flash memory.
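As an added illustration of the point above (example code written for this page, not Viasat's or the SurfBeam2 firmware), the program below contrasts a modem that flashes any image carrying the right magic with one that pins the vendor's Ed25519 public key and refuses unsigned, tampered or rolled-back images. The image layout, the `FWUP` magic, the `Modem` type and the "wiper payload" contents are assumptions made for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update-image layout for this example (not the SurfBeam2 format):
//   "FWUP" (4 bytes) | version (4 bytes, big-endian) | payload | Ed25519 signature (64 bytes)
// The signature covers magic, version and payload, so none of them can be altered.
const (
	imageMagic = "FWUP"
	headerSize = 8
	sigSize    = ed25519.SignatureSize
)

var (
	ErrMalformed = errors.New("firmware: image too short or bad magic")
	ErrSignature = errors.New("firmware: signature verification failed")
	ErrRollback  = errors.New("firmware: version not newer than installed")
)

// NewKeyPair generates the vendor signing key; the public half is what gets pinned in the modem.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildImage packs version and payload and signs them with the given private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, headerSize, headerSize+len(payload)+sigSize)
	copy(body, imageMagic)
	binary.BigEndian.PutUint32(body[4:8], version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// Modem models the state an update routine mutates.
type Modem struct {
	InstalledVersion uint32
	Flash            []byte
}

// ApplyUnauthenticated mirrors the weak behaviour the text describes: any image with the
// right magic is written to flash, so a wiper delivered by whoever controls the management
// plane is accepted exactly like a vendor release.
func (m *Modem) ApplyUnauthenticated(img []byte) error {
	if len(img) < headerSize || string(img[:4]) != imageMagic {
		return ErrMalformed
	}
	m.InstalledVersion = binary.BigEndian.Uint32(img[4:8])
	m.Flash = append([]byte(nil), img[headerSize:]...)
	return nil
}

// ApplyVerified is the hardened form: check the signature against the pinned public key,
// then enforce anti-rollback, and only then touch flash.
func (m *Modem) ApplyVerified(pub ed25519.PublicKey, img []byte) error {
	if len(img) < headerSize+sigSize || string(img[:4]) != imageMagic {
		return ErrMalformed
	}
	body, sig := img[:len(img)-sigSize], img[len(img)-sigSize:]
	if !ed25519.Verify(pub, body, sig) {
		return ErrSignature
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version <= m.InstalledVersion {
		return ErrRollback
	}
	m.InstalledVersion = version
	m.Flash = append([]byte(nil), body[headerSize:]...)
	return nil
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	_, attackerPriv, _ := NewKeyPair() // a key the modem does not trust
	vendor := BuildImage(priv, 2, []byte("vendor firmware v2"))
	forged := BuildImage(attackerPriv, 3, []byte("wiper payload")) // constructed, attacker-signed

	weak := &Modem{InstalledVersion: 1}
	fmt.Println("unauthenticated path accepts forged image:", weak.ApplyUnauthenticated(forged) == nil)

	hardened := &Modem{InstalledVersion: 1}
	fmt.Println("verified path on forged image:  ", hardened.ApplyVerified(pub, forged))
	fmt.Println("verified path on vendor image:  ", hardened.ApplyVerified(pub, vendor))
	fmt.Println("verified path on replayed image:", hardened.ApplyVerified(pub, vendor))
}
```

The order of checks matters: the signature is verified over the whole body before the version field is trusted, so an attacker cannot bump the version to defeat anti-rollback without also defeating the signature, and flash is only written after both checks pass.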

AcidRain is a MIPS ELF wiper designed to destroy modems and routers. Security firm SentinelOne noticed it after a sample was uploaded to the malware-scanning service VirusTotal on March 15. The sample was uploaded from Italy, where Skylogic, the Viasat operator managing the affected network, is based. SentinelOne writes: "A MIPS ELF binary was uploaded to VirusTotal from Italy with the name 'ukrop'. Possible interpretations include a shorthand for “ukr”aine “op”eration, the acronym for the Ukrainian Association of Patriots, or a Russian ethnic slur for Ukrainians – 'Укроп'."

Notably, only specific modems were targeted, suggesting a deliberate selection by the hackers. This is consistent with an operator's ability at the Gateway Earth Stations to choose which of KA-SAT's 82 geographic cells (spot beams) receive a given signal; the attacker evidently specified which cells, and therefore which modems, would receive the malicious commands.

Part 2: The Users

At 7 a.m. on February 24, 2022, a seemingly ordinary day took a dark turn for a user we'll call 'X'. Watching the ominous flickering of his modem lights, each going out like a digital candle in the wind, X turned on his computer and discovered the news that Russian President Vladimir Putin had begun an invasion of Ukraine with airstrikes on Kyiv and many other cities. Before long all four lights on his modem were off, meaning the device was no longer communicating with KA-SAT, Viasat Inc.'s 13,560-pound satellite in geostationary orbit 22,236 miles above. The way each connection in his community switched off one by one left him convinced that this was no mere glitch. He concluded that Russia had hacked his modem.

Tens of thousands of modems in Ukraine and other parts of Europe lost internet access during the attack, many for more than a month. The attack targeted specific areas of Europe and did not affect users on other Viasat networks worldwide.

Part 3: Technical Overview

Next, AcidRain attempts to destroy the data in the following storage device files:

The wiper iterates over all possible device-file identifiers (e.g., mtdblock0 through mtdblock99), opens each device file, and either overwrites it with up to 0x40000 bytes of data or, in the case of the /dev/mtd* device files, erases it with the MTD ioctls MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB. To make sure the writes are committed to the underlying storage, it then issues an fsync syscall.

The code for both erasure methods can be seen below:


This results in the device being rendered inoperable.
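For an incident responder handed a suspicious binary, the two facts in this section, that AcidRain is a MIPS ELF and that it names MTD flash nodes such as /dev/mtd* and /dev/mtdblock*, are enough for a cheap first-pass triage check. The following Go program is an added example written for this page, not SentinelOne's tooling or the AcidRain code: it parses the ELF identification bytes and e_machine by hand (honouring the file's declared byte order), extracts printable strings the way strings(1) does, and flags a MIPS ELF that references those device nodes. The `ConstructedSample` input is a synthetic big-endian MIPS header followed by hand-written strings, not a real sample.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"regexp"
)

// Constants from the ELF specification: EM_MIPS is 8, ELFDATA2MSB marks big-endian.
const (
	emMIPS      uint16 = 8
	elfData2MSB byte   = 2
)

var ErrNotELF = errors.New("triage: missing ELF magic")

// ELFInfo holds the e_ident and e_machine fields a first-pass triage needs.
type ELFInfo struct {
	Class   byte   // 1 = ELFCLASS32, 2 = ELFCLASS64
	Data    byte   // 1 = little-endian, 2 = big-endian
	Machine uint16 // e_machine
	IsMIPS  bool
}

// ParseELFHeader reads the identification bytes and e_machine, which sits at
// offset 18 (after e_type) in both the 32-bit and 64-bit header layouts.
func ParseELFHeader(b []byte) (ELFInfo, error) {
	if len(b) < 20 || string(b[:4]) != "\x7fELF" {
		return ELFInfo{}, ErrNotELF
	}
	info := ELFInfo{Class: b[4], Data: b[5]}
	var order binary.ByteOrder = binary.LittleEndian
	if info.Data == elfData2MSB {
		order = binary.BigEndian
	}
	info.Machine = order.Uint16(b[18:20])
	info.IsMIPS = info.Machine == emMIPS
	return info, nil
}

// Strings mimics strings(1): runs of printable ASCII at least minLen bytes long.
func Strings(b []byte, minLen int) []string {
	var out []string
	start := -1
	for i, c := range b {
		printable := c >= 0x20 && c <= 0x7e
		if printable && start < 0 {
			start = i
		}
		if !printable && start >= 0 {
			if i-start >= minLen {
				out = append(out, string(b[start:i]))
			}
			start = -1
		}
	}
	if start >= 0 && len(b)-start >= minLen {
		out = append(out, string(b[start:]))
	}
	return out
}

// devNodeRe matches the flash device nodes the text says the wiper iterates over:
// /dev/mtdN and /dev/mtdblockN, including printf-style "%d" templates.
var devNodeRe = regexp.MustCompile(`/dev/(?:block/)?mtd(?:block)?(?:%d|\d+)?`)

// Triage is the result of TriageSample.
type Triage struct {
	ELF        ELFInfo
	DevNodes   []string // unique device-node strings, in order of first appearance
	Suspicious bool     // a MIPS ELF that names MTD device nodes
}

// TriageSample applies the two checks: is it a MIPS ELF, and does it carry
// strings naming the MTD flash nodes an embedded wiper would target?
func TriageSample(b []byte) (Triage, error) {
	info, err := ParseELFHeader(b)
	if err != nil {
		return Triage{}, err
	}
	t := Triage{ELF: info}
	seen := map[string]bool{}
	for _, s := range Strings(b, 4) {
		for _, m := range devNodeRe.FindAllString(s, -1) {
			if !seen[m] {
				seen[m] = true
				t.DevNodes = append(t.DevNodes, m)
			}
		}
	}
	t.Suspicious = info.IsMIPS && len(t.DevNodes) > 0
	return t, nil
}

// ConstructedSample builds a fake big-endian 32-bit MIPS ELF header followed by the
// kind of strings described above. It is synthetic test input, not an AcidRain sample.
func ConstructedSample() []byte {
	hdr := make([]byte, 52) // size of a 32-bit ELF header
	copy(hdr, "\x7fELF")
	hdr[4], hdr[5], hdr[6] = 1, elfData2MSB, 1 // ELFCLASS32, big-endian, EV_CURRENT
	binary.BigEndian.PutUint16(hdr[16:18], 2)   // e_type: ET_EXEC
	binary.BigEndian.PutUint16(hdr[18:20], emMIPS)
	body := []byte("\x00/dev/mtdblock%d\x00/dev/mtd%d\x00/dev/block/mtdblock0\x00fsync\x00")
	return append(hdr, body...)
}

func main() {
	t, err := TriageSample(ConstructedSample())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("e_machine=%d mips=%v nodes=%v suspicious=%v\n",
		t.ELF.Machine, t.ELF.IsMIPS, t.DevNodes, t.Suspicious)
}
```

A hit from this check is a reason to escalate to full analysis, not a verdict on its own: legitimate embedded firmware-update tools also name MTD nodes, and a packed or string-obfuscated sample will produce no strings at all, so the absence of matches proves nothing.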

Part 4: The Satellite Company

Across the ocean, Viasat staffers in the US, where the company is based, were caught by surprise. Across Europe and North Africa, tens of thousands of internet connections in at least 13 countries were going dead. Some of the biggest service disruptions hit the providers Bigblu Broadband Plc in the UK and NordNet AB in France, as well as the telemetry systems that monitor thousands of wind turbines in Germany. The most critical impact was in Ukraine: several thousand satellite terminals that President Volodymyr Zelenskiy's government depended on were down, making it much harder for the military and intelligence services to coordinate troop and drone movements in the hours after the invasion.

One hypothesis is that the attack's spillover into Germany and other European states resulted either from an error in selecting the geographic cells that received the malicious signal, or simply from the selected cells covering Ukrainian territory while also overlapping other EU countries.

Experts who weighed in described the grim reality: victims of the Viasat hack were defenseless against the malware that crippled their modems. Viasat scrambled to replace over 45,000 modems wiped by the hackers. It was a wake-up call for the satellite communication industry, exposing the fragility of even the most advanced systems.

The aftermath serves as a resounding alarm to the satellite communication industry. In a world where cyber threats lurk around every virtual corner, no organization stands immune. The lesson is clear – the digital realm is a battleground, and without robust cybersecurity measures, the consequences can be catastrophic.

Epilogue: Mitigation Efforts

Viasat worked with Skylogic to implement several mitigation and recovery actions to restore network stability, preserve service for unaffected end-customers, and mitigate or prevent similar attacks. Viasat is applying the lessons learned from this incident to further enhance the security of its products. Because the investigation is ongoing, and to preserve Viasat's and Skylogic's ability to safely and securely provide service on the KA-SAT network, specific technical details of those mitigation actions are not being shared publicly at this time.

Throughout the investigation, Viasat continued to provide broadband services to unaffected end-customers, as well as mobility and Viasat government customers who were unaffected by this attack.

Since the attack, Viasat has worked with its distributors to restore service to all customers whose modems were rendered inoperable. Viasat has already shipped nearly 30,000 modems to distributors to bring customers back online.

What sends shivers down the industry's spine is the simplicity of the attack. It is not a tale of high-tech wizardry; it is a narrative of capitalizing on a known, unpatched weakness in an internet-facing VPN appliance, a path from the DMZ into the management network, and modems that accepted a firmware update without authenticating it.

As the Viasat attack fades, the narrative echoes a warning. Satellite and space companies worldwide must fortify their defenses. In an era where the digital realm is a battlefield, the stakes are high, and the need for cybersecurity measures has never been more pressing.

“The Viasat saga stands as a stark reminder – in the digital realm, no organization stands immune, and vigilant cybersecurity measures are imperative to safeguard critical assets.”

References