Western powers blame Russia for Ukraine satellite hack
The United States and European allies on Tuesday blamed Russia for an “unacceptable” cyberattack on satellite internet provider Viasat in February.
The U.S. "is sharing publicly its assessment that Russia launched cyber attacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries," Secretary of State Antony Blinken said in a statement.
The hack, which occurred just an hour before Moscow began its invasion of the former Soviet satellite state, is "yet another example of Russia’s continued pattern of irresponsible behaviour in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine,” the EU said in a statement.
The bloc is “considering further steps to prevent, discourage, deter and respond to such malicious behaviour in cyberspace,” it added.
The EU, U.K. and U.S. statements did not link the attack to a specific element of the Russian military or its intelligence agencies. EU member Estonia attributed it to the GRU, the Russian military's main intelligence directorate. Cybersecurity researchers have noted similarities between code used in the Viasat attack and other malware linked to GRU hackers.
The assault on Viasat’s KA-SAT satellite disabled the modems of tens of thousands of European customers and posed a serious threat to Ukraine as it prepared to defend itself against Russian forces. The incident also disconnected remote access to around 5,800 wind turbines in Germany that relied on Viasat routers for remote monitoring and control.
The company issued an analysis of the incident in March that found tens of thousands of terminals could not be repaired. Meanwhile, Viasat said it had shipped roughly 30,000 new routers to customers to bring them back online. The company confirmed that the attackers used wiper malware that cybersecurity researchers labeled AcidRain.
Viasat took a more cautious tone than the government agencies in its own statement Tuesday.
"We recognize international governments have identified who they believe to be responsible for the cyberattack on the KA-SAT network," the company said. "We have and will continue to work closely with relevant law enforcement and governmental authorities as part of the ongoing investigation."
'Deliberate and malicious'
In its statement, the U.K.’s National Cyber Security Centre said Russian military intelligence was “almost certainly” behind the defacements of Ukrainian government websites in January — the U.S. attributed the attacks to the Kremlin in February — and the deployment of Whispergate destructive malware prior to the invasion.
U.K. Foreign Secretary Liz Truss called the Viasat incident a “deliberate and malicious attack by Russia against Ukraine which had significant consequences on ordinary people and businesses in Ukraine and across Europe.”
In March, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory in the wake of the Viasat disruption, alerting companies to take proper steps to prepare for similar incidents.
“Use secure methods for authentication, including multifactor authentication where possible, for all accounts used to access, manage, and/or administer SATCOM networks,” it warned. “Put in place additional monitoring at ingress and egress points to SATCOM equipment to look for anomalous traffic.”
In addition to Blinken's statement, the State Department issued a fact sheet detailing recent U.S. cyber aid to Ukraine, including briefings and intelligence sharing by the FBI and CISA; providing technical experts to help the government and critical infrastructure defenders; equipment procurement assistance and secure communications.
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.