Hackers exploited a misconfigured VPN device to gain access to Viasat's satellite network and cause a massive internet outage in Europe right as Russia began to invade Ukraine.
US-based Viasat today published a detailed report on the Feb. 24 cyberattack that shut down internet access for “several thousand customers” in Ukraine and tens of thousands more in Europe.
According toThe Washington Post, US intelligence suspects Russian military hackers pulled off the disruption. Viasat didn’t assign blame, but the company said the attack targeted network infrastructure that French satellite company Eutelsat has been operating on behalf of Viasat.
“This incident was localized to a single consumer-oriented partition of the KA-SAT network that is operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic, under a transition agreement Viasat signed with Eutelsat following Viasat’s purchase of Euro Broadband Infrastructure Sàrl,” the company explained.
Viasat added: “Subsequent investigation and forensic analysis identified a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network.”
This gave the hackers the ability to tamper with the satellite network. They executed “legitimate, targeted management commands” but across a large number of residential modems simultaneously. The result knocked many of the modems offline.
"Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable,” Viasat said.
“Ultimately, tens of thousands of modems that were previously online and active dropped off the network, and these modems were not observed attempting to re-enter the network,” the company added. “The attack impacted a majority of the previously active modems within Ukraine, and a substantial number of additional modems in other parts of Europe.”
However, the company found no evidence the hackers ever compromised user data or customer hardware. “Nor is there any evidence that the KA-SAT satellite itself or its supporting satellite ground infrastructure itself were directly involved, impaired, or compromised,” Viasat said. Instead, the company has concluded the attack's goal was to interrupt internet access.
To restore the internet satellite service, Viasat has been issuing over-the-air updates to the affected modems. The company has also shipped nearly 30,000 new modems to distributors to help bring customers back online.
“Viasat is leveraging the lessons learned from this incident to further enhance the security features of its products,” the company added. It’s also continuing to work with law enforcement to investigate the attack.
It’s unclear what misconfiguration the hackers exploited in the VPN device. But US cyber authorities have routinely warned about hackers targeting known flaws in VPN systems to break into company networks.
"Remote-access VPN servers allow off-site users to tunnel into protected networks, making these entry points vulnerable to exploitation by malicious cyber actors," the NSA and the Cybersecurity and Infrastructure Security Agency wrote last September.