Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime
Viasat Traces Outage to Exploit of VPN Misconfiguration
About 30,000 Modems Knocked Offline as Russian Forces Began Invasion of UkraineTens of thousands of modems were knocked offline in central Europe at nearly the same time Russian forces invaded Ukraine on Feb. 24.
See Also: Gartner Market Guide for DFIR Retainer Services
The outage affected infrastructure run by communications company Viasat, based in Carlsbad, California. Four days later, the company reported that it was investigating the outage, which it says affected "fixed broadband customers" (see: Russia May Have Caused Widespread Satellite Network Outage).
On March 17, the U.S. government warned that it is "aware of possible threats to U.S. and international satellite communication networks." So far, neither the U.S. nor the Ukrainian government have attributed the attack to any individual or nation-state, although Russia or a close ally remain obvious suspects.
On Wednesday, Viasat published an update on its probe of the outage, which affected some users of the KA-SAT satellite communications, or SATCOM, network it operates. Specifically, it says attackers knocked offline approximately 30,000 residential broadband modems sold under the Tooway brand, and provided by Italy-based Skylogic, which is a subsidiary of French satellite operator Eutelsat.
"This cyberattack did not impact Viasat's directly managed mobility or government users on the KA-SAT satellite," Viasat says in its overview and incident report. "Similarly, the cyberattack did not affect users on other Viasat networks worldwide."
Viasat, which provides the modems on a wholesale basis to distributors, says it has already shipped 30,000 replacement modems and that more are available if required. The company says the original modems were not destroyed or bricked, but rather knocked offline via a series of commands sent by attackers.
In some cases, distributors have been able to issue over-the-air updates to the modems that have brought them back online, Viasat says, "but where such updates are insufficient to timely restore functionality, new modems are being provided as the most efficient way to restore service."
Viasat has hired digital forensics investigation firm Mandiant to probe the attack and says it and Eutelsat/Skylogic are assisting an ongoing, international law enforcement and cybersecurity agency investigation into the attack.
Attackers Exploited VPN Misconfiguration
The network disruption began Feb. 24 at 5:02 a.m. local time in Ukraine, when Viasat says "high volumes of focused, malicious traffic" began to be issued by two of the Skybeam modems sold under the Tooway brand, which were part of the Skylogic network and supported via a consumer-focused network segment. It says the denial-of-service attack made it difficult for other modems to connect, after which they were forced offline.
On March 15, Ukrainian cybersecurity official Viktor Zhora told reporters the disruption was "a really huge loss in communications in the very beginning of war," as Reuters reported of his press conference.
Viasat's Wednesday update provides a closer look at what happened.
"Subsequent investigation and forensic analysis identified a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network," Viasat says.
"The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously," it adds. "Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable."
'Less Sophisticated Than Expected'
One takeaway from the new breach report is that the attack was "significantly less sophisticated than expected, and required less preparation than assumed," says Thomas Rid, a professor of strategic studies at Johns Hopkins University.
Namely, the attack involved "no supply chain compromise, no modified firmware, no irreparable damage," he tweets.
Viasat's incident summary, key part in the last paragraph: initial breach via misconfigured VPN appliance, sabotage via "legitimate, targeted management commands on a large number of modems" pic.twitter.com/8GlsgC2wFY— Thomas Rid (@RidT) March 30, 2022
A Viasat official says the company continues to defend against active attempts to further disrupt its network.
"We're still witnessing some deliberate attempts," the official, speaking on condition of anonymity, told Reuters on Tuesday.
Viasat has new defenses in place, and attackers continue to try and work around them. "We've been seeing repeated attempts by this attacker to alter that pattern to test those new mitigations and defenses," the company official told Reuters.
No Attack Attribution - Yet
No government has yet attributed the attacks.
On Friday, The Washington Post quoted unnamed U.S. officials who said they suspected that Russian military intelligence officers were behind the disruption.
But attribution remains a political exercise, and governments typically only attribute attacks when it's advantageous to do so.