Viasat Cyberattack Attributed to Russia by EU, UK and US
Russia Continues Its Cyber Offensive, Launches New DDoS Attacks on Ukraine
Who disrupted a satellite communications network used across Eastern Europe and beyond?
According to the EU, Viasat's KA-SAT satellite communications network suffered an outage on Feb. 24 at 5:02 a.m. local time in Ukraine, an hour before the Russian invasion began. The company later confirmed it to be a cyberattack, but did not identify the attacker (see: Viasat Traces Outage to Exploit of VPN Misconfiguration). The U.S., U.K., EU and Ukraine have now attributed this attack to Russia, which continues its cyber offensive against Ukraine, including other wiper and DDoS attacks.
The Viasat Attack
The outage affected more than 30,000 consumer broadband modems across central Europe, including Ukraine. "Tens of thousands of terminals have been damaged, made inoperable and cannot be repaired," Viasat said at the time.
The U.K. government, in a public statement issued on Tuesday, described the primary objective of this cyberattack as "targeting of Ukrainian military." But the attack spilled over to other parts of Europe and affected other customers, including personal and commercial internet users, both the U.K. and the U.S. say. "Wind farms in central Europe and internet users were also affected," the U.K. government says.
Researchers from SentinelOne concurrently found that the disruption of tens of thousands of Viasat consumer broadband modems could have been linked to a wiper malware dubbed AcidRain, which the company also confirmed (see: Viasat Confirms 'AcidRain' Malware Could Have Wiped Modems).
In their analysis, SentinelOne researchers say that "a wiper for this kind of device would overwrite key data in the modem's flash memory, rendering it inoperable and in need of reflashing or replacing," which corroborated Viasat's findings.
Viasat also confirmed in a statement at the time that the initial breach had taken place via a misconfigured VPN appliance, and the sabotage continued via "legitimate, targeted management commands on a large number of modems."
The satellite broadband communication provider found that the quickest path to recovery and to getting services back online for affected consumers was distribution of replacement modems, which continued through the end of March, the company says. It says it provided its distributors with 30,000 replacement modems and that more were available if required.
Attribution to Russia
At the time, none of the governments - including Ukraine - attributed the attacks to any threat actor or nation-state, but they said it was likely that Russia or its allies had been involved. On Tuesday, however, the U.S., U.K., EU and Ukraine all attributed this particular malicious incident to Russia, calling it an "aggressor country in cyberspace."
The State Service of Special Communication and Information Protection of Ukraine says that Russia has been using "unjustified aggression" in cyberspace for at least eight years now.
"Their activity is constantly growing. Today, cyberattacks are a full-fledged component of Russia's war against Ukraine. Since the beginning of the year, Russian military hackers have been attacking Ukrainian information systems. Their goal is to damage and destroy them, prevent Ukrainian citizens from accessing public services, destabilize the situation in the country, and sow panic and distrust of the authorities among the population," the SSSCIP says.
U.K. Secretary of State for Foreign, Commonwealth and Development Affairs Liz Truss says, "This is clear and shocking evidence of a deliberate and malicious attack by Russia against Ukraine, which had significant consequences on ordinary people and businesses in Ukraine and across Europe. We will continue to call out Russia's malign behavior and unprovoked aggression across land, sea and cyberspace, and ensure it faces severe consequences."
In a press briefing held on Tuesday, U.S. Department of State spokesperson Ned Price also acknowledged the cyberattack against commercial satellite communications networks as an effort to disrupt Ukrainian command and control during the invasion. He condemned the actions of Russia in cyberspace and called it "irresponsible."
The European Union also strongly condemned the malicious cyber activity conducted by the Russian Federation against Ukraine, which targeted the KA-SAT network, operated by Viasat. It called Russia's aggression "unprovoked and unjustified." "This unacceptable cyberattack is yet another example of Russia’s continued pattern of irresponsible behavior in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine," the EU says.
Tactics and Attacks Used
Apart from the satellite attack, the U.S. State Department, in its press release, mentions various vectors and tactics that the Russians have used since the beginning of the year in the lead-up to the war. They include website defacements, distributed denial-of-service attacks, and cyberattacks to delete data from computers belonging to government and private entities - "all part of the Russian playbook," the U.S. State Department says.
It also says that during the same time period, Russia launched several families of malicious software in Ukraine, including WhisperGate aka WhisperKill, CaddyWiper, HermeticWiper, Industroyer2, and DoubleZero, among others.
The SSSCIP says that the intent behind deploying these data wipers is simply to destroy data. "With the help of [these] cyberattacks," it says, "Russia wants to create a humanitarian catastrophe in Ukraine, because hackers are trying to hinder the work of the energy sector, emergency services, communications, and logistics."
Among the most recent attacks, on Tuesday the SSSCIP reported a massive DDoS attack aimed at the websites of leading Ukrainian telecommunication companies.
#russianhackers have landed a massive DDoS attack on Ukrainian telecom operators’ websites on the Victory Day #Ukraine #WARINUKRAINE #UkraineRussiaWar #cyberwar #CyberSecurity https://t.co/ia2xyA4aa4
— SSSCIP Ukraine (@dsszzi) May 10, 2022
The DDoS attack was likely intended as yet another psychological operation against Ukrainians, the SSSCIP says.
"Despite partial unavailability of the attacked companies' websites, their networks are functioning without a hitch, [however,] some users may experience insignificant reductions of internet access quality," the SSSCIP says. But as a whole, the SSSCIP notes, "this DDoS attack had practically no effect on the daily activity of these companies, nor delivery of services to their clients."
The National Center for Operations and Technology Management of Telecommunications Networks, acting under the SSSCIP, is currently ensuring that the whole range of network management activities during wartime is working efficiently, and so far, "[the] satellite broadcasting is operating steadily," the SSSCIP says.
In a report shared with ISMG, the SSSCIP says the number of cyberattacks has more than doubled since the beginning of the full-scale Russian military invasion of Ukraine. According to the Computer Emergency Response Team of Ukraine, 551 cyberattacks have been detected in the last two and a half months.
US Provides Connectivity and Cybersecurity Support
The U.S. Department of State, in a separate statement published on Tuesday, laid out the initiatives that the U.S. has taken in support of the connectivity and cybersecurity needs of Ukraine. They include:
FBI intelligence sharing: The FBI has provided direct support to its Ukrainian national security and law enforcement partners, including information sharing on Russian intelligence services' cyber operations, cyberthreat intelligence of potential or ongoing malicious cyber activity, helping to disrupt nation-state efforts to spread disinformation and target the Ukrainian government and military, and sharing investigative methods and cyber incident response best practices.
It has also assisted Ukraine with identifying and procuring hardware and software to support network defense.
USAID's cyber resilience: Technical experts funded by the U.S. Agency for International Development are providing hands-on support to essential service providers within the Ukrainian government, including government ministries and critical infrastructure operators, to identify malware and restore systems after an incident has occurred. This support builds on long-standing USAID support in building cyber resilience among regional utilities, particularly in the energy sector.
USAID says it has also provided more than 6,750 emergency communications devices, including satellite phones and data terminals, to essential service providers, government officials and critical infrastructure operators in key sectors such as energy and telecommunications.
DOE's support of the energy sector: The U.S. Department of Energy and other interagency partners are said to be working with Ukraine on integrating Ukraine's electrical grid with the European Network of Transmission System Operators for Electricity - or ENTSO-E - including meeting cybersecurity requirements and enhancing the resilience of its energy sector. "Full ENTSO-E integration is key to protecting Ukraine’s financial, energy, and national security," the State Department says.
CISA's resource sharing: The U.S. Cybersecurity and Infrastructure Security Agency has established an exchange policy for technical information sharing on cybersecurity threats related to Russia's invasion of Ukraine with key partners, including Ukraine.
Support for the banking sector: Prior to the war, the U.S. Department of the Treasury worked with the National Bank of Ukraine, via the Software Engineering Institute, to support NBU's Computer Security Incident Response Team to improve cybersecurity information sharing in Ukraine's financial services sector. The Treasury then offered NBU assistance with specific cybersecurity issues to better ensure the cyber resilience of Ukraine's financial sector during and after the war.
U.S. Cyber Command chipping in: Between December 2021 and February, the U.S., alongside Ukrainian Cyber Command, conducted defensive cyber operations as part of a wider effort to increase cyber resilience in Ukraine’s critical networks (see: US Sends Top Cyber Official to Europe Amid Ukraine Crisis). The team also provided remote analytic and advisory support aligned to critical networks from outside Ukraine.