NSA, Viasat say 2022 hack was two incidents; Russian sanctions resulted from investigation

LAS VEGAS — Officials from the National Security Agency (NSA) and satellite internet provider Viasat provided new details on the headline-grabbing cyberattack on the company at the onset of Russia’s invasion of Ukraine.

Mark Colaluca, vice president and chief information security officer at Viasat, spoke alongside Kristina Walter, chief of Defense Industrial Base (DIB) Cybersecurity at the NSA, at the Black Hat conference on Thursday.

The two outlined the details of the run-up to the attack, lessons learned from the incident and more.

The cyberattack last February left Viasat’s KA-SAT modems inoperable in Ukraine. The attack had several other downstream effects, causing the malfunction of 5,800 Enercon wind turbines in Germany and disruptions to thousands of organizations across Europe.

According to U.S. and European Union officials, the attack on Viasat was intended to degrade the ability of the Ukrainian government and military to communicate.

Colaluca said that Viasat’s KA-SAT network serves more than 100,000 customers located across Europe and the Middle East. The company offers both broadband and satellite connectivity but the attack, attributed to Russian hackers, targeted broadband customers.

Colaluca revealed during the talk that it was actually two separate attacks that disrupted the company’s operations.

“In some cases, it was very sophisticated and they had a deep understanding of how our network worked,” he said.

“In other cases, they took great advantage of the tools and capabilities that were in place to execute the attack without having to do much on their own. One of our biggest lessons learned is that the part of the attack that didn't require a ton of sophistication – with a little bit more hygiene and a few extra things – probably could have been mitigated.”

On February 23, hackers targeted a management center in Turin, Italy – targeting a VPN installation that provided network access to administrators and operators.

At 5 p.m. local time, analysis showed hackers tried to log into the VPN but failed several times before successfully gaining access. The hackers made their way to management servers that gave them widespread access to information about how many of the company’s modems were online and more.

After a few hours, the hackers accessed another server that delivered software updates to the modems – which allowed them to deliver the wiper malware that researchers publicly identified last year.

The attack took 40,000 to 45,000 modems offline, thousands of which never resumed operation.

Colaluca explained that from there, he began communicating with Walter at the NSA due to a deluge of requests from government agencies across Europe and other regions. Part of why Viasat struggled to respond to the incident is because almost all of the affected modems were in Europe, while the company is based in the U.S. — the company’s products are sold through distributors who install it for European customers.

But right as they began to pull in the NSA, a second attack began, with hackers flooding Viasat’s systems with requests, overloading their systems.

The hackers managed to take over thousands of modems and used them to overwhelm the incident responders. The attack made it so that anyone who was trying to restore their modem could not get it back up and running.

When Colaluca put in place measures to stop that attack, the hackers shifted tactics, going after specific terminals in an effort to keep them offline. Colaluca would not say where these terminals were located but previous reports indicate most were in Ukraine.

He explained that the majority of the affected modems were in certain “specific regions” or were with certain customer groups and certain functions. The attackers “had specific targets in mind” but he declined to dive deeper into who exactly was targeted.

“We had residential subscribers that wanted to know ‘where's my service?’ We had a big large wind farm that depended on this service, unbeknownst to us. We had commercial airlines all over the world. We had government networks all around the world asking if their network was impacted,” he said.

“They all wanted an update. We had foreign government entities and security and intelligence services I've never even met. I don't speak their language and they're asking for hourly updates. So what we ended up doing was Viasat was the primary conduit for our customers and our partners and we relied on the [NSA] to be our primary conduit for all U.S. government and entities as well as foreign government or allied partners.”

Colaluca noted that even after getting their systems back up and running, they faced several other incidents and continue to be attacked even into 2023.

But the hackers now have to pivot far more often because of their improved network hygiene – which is a direct result of the fact that Viasat effectively had to rebuild its network from the ground up after the 2022 attack, he explained.

He noted that the company is operating under the assumption that the hackers will come back.

“We fully expect them to come back. Part of the other mitigation that we did is we ended up transferring this set of services to brand new infrastructure, so we've kind of rebuilt a whole ton of infrastructure from scratch over the last six months,” he said.

There are still aspects of the attack that are unexplained, Colaluca said, telling the audience that they still do not know how Russian hackers gained their initial access to the VPN system. They did not use a zero-day vulnerability and did not exploit default passwords, he said, briefly noting that they have also looked into the idea that it may have been an insider attack.

Attribution and sanctions

Walter from the NSA said much of their work was coordinating with other U.S. agencies and protecting other satellite providers out of fear that Russian hackers would launch further attacks.

They released guidance and warnings a month later, urging international satellite communication network providers and customers to stay alert for possible threats and begin implementing a new set of mitigations.

She added that the NSA spent months working to definitively attribute the hack to Russian actors in an effort to help arms of the U.S. government implement sanctions that could punish the hackers for the attack.

The U.S. and European countries handed down several sanctions on Russia the same week as the attribution was made in May 2022.

“When you saw that May 10 announcement [attributing the attack to Russia], they came with a second round of sanctions on Russia. And we've seen that those were actually effective in financially burdening the country,” she said, later confirming that while the sanctions released that week were not explicitly tied to the Viasat hack, they were a result of the attribution.

“That was what we were trying to inform policymakers to do, so that they can make those strategic decisions as to how we want to support Ukraine in the invasion.”