On February 24, 2022, on the eve of Russia’s invasion of Ukraine, KA-band satellite provider Viasat became the first prominent victim of Russian cyber aggression when a wiper attack turned off tens of thousands of Viasat’s government and commercial broadband customers’ modems.
At this year’s Black Hat and DEF CON conferences, Viasat representatives spelled out how the attack occurred, highlighting the incident response lessons they learned.
In the Black Hat talk, Mark Colaluca, vice president and CISO at Viasat Corporate, and Kristina Walker, who was the chief of defense industrial-based cybersecurity within the National Security Agency’s (NSA) Cybersecurity Collaboration Center (CCC), provided the detailed steps that took place before the modems became inoperable, during the attack, and afterward, relying in part on what subsequent investigations revealed.
How the Viasat attack unfolded
According to Colaluca, on February 23, at around 5 p.m. local time, before the modems were disabled, someone attempted to log into a Viasat appliance using several sets of valid credentials, although those attempts failed. An hour later, “there was a successful unauthorized access through that VPN, which landed in the core node, but nothing happened,” at least initially, Colaluca said. About two hours after that, the attackers accessed the management server that was in place inside the core node with a different set of credentials.
“From that point, over the next three to four hours, the attackers did a couple of things,” Colaluca said. “One, they went to a network operations server that was present there, and its primary purpose was modem diagnostics, modem health, and how many modems are online. So that server had access to all the modems in the network in those two partitions, and they did recon work.”
The attack appeared targeted, with the attackers seeking particular sets of modems in certain regions for specific customers and specific functions, learning how many modems were online. An hour later, at about midnight, the attackers accessed Viasat’s FTP server, a part of the infrastructure that delivers new software or updates to the modems. They dropped a wiper binary along with scripts to enumerate the network, interrogate it, and report back the status after the scripts completed execution.