NCSC pins Viasat cyber attack on Russia

The National Cyber Security Centre (NCSC), alongside the European Union (EU) and US authorities, have formally attributed the 24 February 2022 cyber attack on the systems of Viasat, a satellite networking services provider, to Russian military intelligence, confirming previous speculation that this was the case.

The cyber attack, which started approximately an hour prior to the initial Russian attack on Ukraine, is believed to have primarily targeted Ukrainian military users of the Viasat KA-SAT network. However, it also caused service outages for thousands of users in Ukraine, and disrupted services in several other central European states.

“This is clear and shocking evidence of a deliberate and malicious attack by Russia against Ukraine, which had significant consequences on ordinary people and businesses in Ukraine and across Europe,” said foreign secretary Liz Truss.

“We will continue to call out Russia’s malign behaviour and unprovoked aggression across land, sea and cyber space, and ensure it faces severe consequences.”

An EU spokesperson said: “This unacceptable cyber attack is yet another example of Russia’s continued pattern of irresponsible behaviour in cyber space, which also formed an integral part of its illegal and unjustified invasion of Ukraine. Such behaviour is contrary to the expectations set by all UN member states, including the Russian Federation, of responsible state behaviour and the intentions of states in cyber space.

“Cyber attacks targeting Ukraine, including against critical infrastructure, could spill over into other countries and cause systemic effects putting the security of Europe’s citizens at risk,” said the spokesperson.

“The European Union, working closely with its partners, is considering further steps to prevent, discourage, deter and respond to such malicious behaviour in cyber space. The European Union will continue to provide coordinated political, financial and material support to Ukraine to strengthen its cyber resilience.

“Russia must stop this war and bring an end to the senseless human suffering immediately,” they added.

Viasat said the attack was localised to a consumer-oriented partition of its KA-SAT network that is operated on its behalf by a Eutelset subsidiary, Skylogic, under a transition agreement, having recently acquired the wholesale broadband services business it had run with Eutelsat.

Viasat believes the attackers were able to exploit a misconfigured VPN appliance to obtain remote access to the trusted management segment of the KA-SAT network.

From there, they moved laterally to a specific network segment that is used to manage and operate the network, and exploited this to execute management commands to SurfBeam2 and SurfBeam 2+ residential modems, which overwrote key data in flash memory on the modem and left them unable to access the network.

The affected modems can be restored by a factory reset, but as a precaution, Viasat is understood to have shipped more than 30,000 replacement devices to bring customers back online.

Its investigation, which is being assisted by Mandiant, is ongoing.