Russian cyber aggression made its first major impact on February 24, 2022, when Viasat, a Ka-band satellite provider, fell victim to a wiper attack. The attack knocked tens of thousands of modems used by Viasat's government and commercial broadband customers offline. The incident shed light on the dangers of cyber threats to critical communications and prompted Viasat representatives to share their experiences and lessons learned at the recent Black Hat and DEF CON conferences.
During the Black Hat talk, Mark Colaluca, Vice President and Chief Information Security Officer at Viasat Corporate, together with Kristina Walker, former Chief of Defense Industrial Base Cybersecurity at the National Security Agency (NSA)'s Cybersecurity Collaboration Center, gave an in-depth account of the attack and the subsequent incident response.
Colaluca explained that on February 23, around 5 p.m. local time, login attempts using several different valid credentials were made against a Viasat appliance. Although these attempts failed, an hour later unauthorized access was achieved through the Virtual Private Network (VPN) into the core node. The attackers took no immediate action. It was not until two hours later that they gained access to the management server within the core node using a different set of credentials.
From there, the attackers carried out several actions over the next three to four hours. They targeted a network operations server responsible for modem diagnostics, health monitoring, and counting the number of modems online. This server gave the attackers valuable reconnaissance information, allowing them to identify specific modems in certain regions and belonging to specific customers and functions. Around midnight, the attackers accessed Viasat's File Transfer Protocol (FTP) server, which is used to deliver software updates to the modems. There they staged a wiper binary along with scripts designed to gather network status information after execution.
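As an added illustration (not code from the talk or from Viasat), the following detection logic correlates the stages of the intrusion described above over constructed log events: failed logins with several accounts, a later VPN login from the same source, a management-server login with different credentials, access to the network operations server, and finally an upload to the update FTP server. Hostnames, addresses, accounts and the 12-hour correlation window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like the article's timeline (not real Viasat logs).
# Fields: timestamp, event type, host, source IP, account
EVENTS = [
    ("2022-02-23 17:00", "auth_fail",  "edge-appliance", "198.51.100.7", "svc_ops1"),
    ("2022-02-23 17:01", "auth_fail",  "edge-appliance", "198.51.100.7", "svc_ops2"),
    ("2022-02-23 17:03", "auth_fail",  "edge-appliance", "198.51.100.7", "svc_ops3"),
    ("2022-02-23 18:00", "vpn_login",  "core-vpn",       "198.51.100.7", "svc_ops2"),
    ("2022-02-23 20:00", "auth_ok",    "mgmt-server",    "198.51.100.7", "netadmin"),
    ("2022-02-23 21:10", "auth_ok",    "noc-server",     "198.51.100.7", "netadmin"),
    ("2022-02-24 00:05", "ftp_upload", "fw-update-ftp",  "198.51.100.7", "netadmin"),
    ("2022-02-23 09:00", "vpn_login",  "core-vpn",       "203.0.113.9",  "jdoe"),  # benign
]

# Assumed mapping of hostnames to the roles the article describes.
ROLE = {"mgmt-server": "mgmt", "noc-server": "noc", "fw-update-ftp": "ftp"}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def chain_stage(events, window=timedelta(hours=12), min_fail_accounts=2):
    """Return {source_ip: furthest stage reached} for sources whose activity
    starts with failed logins across several accounts within the window."""
    by_src = defaultdict(list)
    for ts, kind, host, src, acct in sorted(events, key=lambda e: e[0]):
        by_src[src].append((parse(ts), kind, ROLE.get(host, host), acct))
    result = {}
    for src, evs in by_src.items():
        failed_accts, stage, start, vpn_acct = set(), None, None, None
        for t, kind, role, acct in evs:
            if kind == "auth_fail":
                failed_accts.add(acct)
                if len(failed_accts) >= min_fail_accounts and stage is None:
                    stage, start = "spray", t        # multiple valid-looking accounts tried
            elif stage and t - start > window:
                break                                # later activity falls outside the window
            elif stage == "spray" and kind == "vpn_login":
                stage, vpn_acct = "vpn", acct        # VPN access into the core node
            elif stage == "vpn" and kind == "auth_ok" and role == "mgmt" and acct != vpn_acct:
                stage = "mgmt"                       # management server, different credentials
            elif stage == "mgmt" and kind == "auth_ok" and role == "noc":
                stage = "recon"                      # modem inventory / health server
            elif stage == "recon" and kind == "ftp_upload":
                stage = "staging"                    # payload placed on the update server
        if stage:
            result[src] = stage
    return result
```

Each stage alone is noisy; the value is in alerting once a single source has reached "mgmt" or beyond, which is early enough to act before a staged update reaches the modems.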
The attack showed a high level of sophistication and intent. The attackers planned their actions to maximize the impact on Viasat's operations: by targeting specific sets of modems, they aimed to disrupt service for particular customers and functions. This precision suggests a detailed understanding of Viasat's network architecture and of the weaknesses associated with it.
Following the attack, Viasat implemented extensive incident response measures. They conducted forensic investigations to identify the extent of the breach and take the necessary steps to remediate the damage. Project teams were established to mitigate the effects of the attack on government and commercial broadband users. Additionally, the company employed external security partners to enhance their cyber defense capabilities and ensure the security of their infrastructure moving forward.
The Viasat incident serves as a stark reminder of the evolving nature of cyber threats and the potential consequences they can have on critical infrastructure and services. It highlights the need for organizations to constantly stay vigilant, improve their incident response capabilities, and collaborate with the wider cybersecurity community to share best practices and lessons learned.
As the world becomes increasingly interconnected, the risk of cyber attacks targeting essential services grows. Governments and industry leaders must prioritize cybersecurity and allocate sufficient resources to prevent and respond to these threats effectively. The Viasat attack, though disruptive and damaging, provides an opportunity for the cybersecurity community to learn from the incident and strengthen defenses against future attacks.