On February 24, 2022, as the war in Ukraine began, Russian hackers targeted Viasat's satellite broadband network, knocking out the communications of tens of thousands of modems. It was one of the first significant cyberattacks of the conflict and left Viasat with 40,000 to 45,000 unusable modems. Viasat executives and members of the National Security Agency (NSA) recently shared their account of the incident at the Black Hat and DEF CON security conferences.
Mark Colaluca, Viasat's Vice President and CISO, along with Kristina Walker from NSA’s Cybersecurity Collaboration Center (CCC), gave an in-depth analysis of the attack's chronology. They discussed the prelude, execution, and aftermath of the unprecedented hacking incident at their conference presentations.
Recalling the sequence of events, Colaluca detailed that on February 23 at approximately 5 p.m. local time, unauthorized login attempts were made using valid credentials. About an hour later the attackers successfully logged in through a VPN and landed in the core node of Viasat's network, but at that point they took no further action. "There was a successful unauthorized access through that VPN, which landed in the core node, but nothing happened," Colaluca explained.

As the night progressed, the intruders escalated their access, infiltrating a management server integral to maintaining modem functionality. Colaluca stated, "Over the next three to four hours, the attackers did a couple of things...they went to a network operations server that was present there, and...did recon work.” This reconnaissance was aimed at identifying specific modems to target, creating a tailored assault rather than a broad attack.
The attackers' next step was accessing Viasat's FTP server, where they introduced a wiper binary and scripts designed to disrupt network functionality. In a matter of hours, the malicious code wiped the flash memory of the targeted modems, rendering them entirely inoperable. This led to a drastic drop in network traffic, as Colaluca noted: "pretty much the traffic goes to zero as a bunch of modems go offline."
Walker’s insights highlighted the NSA’s preemptive stance in monitoring potential threats leading up to the cyberattack. She mentioned, "We were tracking that there would be specific industry partners that may be targeted... This was not something we were expecting,” pointing to the unexpected nature of the assault amid heightened geopolitical tensions.
Viasat’s incident response team, while engaged in recovery efforts, leaned on established relationships with government agencies. "We were trying to answer three questions: What happened, and who did it? Are other systems that we depend on as a United States government going to be vulnerable? And can we get out mitigations... to the community?" said Walker.

Colaluca further revealed a previously unreported aspect of the attack: a flood of DHCP requests that crippled Viasat's infrastructure. The attackers "flooded its infrastructure with 'thousands and thousands' of DHCP requests," he noted, which forced Viasat to take immediate mitigating action.
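A request flood of the kind described above is easy to miss in raw DHCP server logs until the service is already degraded. The following is an added example, not Viasat's tooling or anything shown in the presentations: a sliding-window detector that reads dhcpd-style log lines and raises an alert for an interface when the number of requests in the window, and the number of distinct client MAC addresses behind them, both exceed a threshold. The log format, the thresholds and the sample log lines are all constructed for this demonstration.

```python
"""Sliding-window detector for a DHCP request flood over dhcpd-style log lines.

Added illustrative example. The line format, thresholds and sample log are
assumptions made for the demonstration, not Viasat's logs or tooling.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: "<ISO timestamp> DHCPDISCOVER|DHCPREQUEST from <mac> via <iface>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<msg>DHCPDISCOVER|DHCPREQUEST) from "
    r"(?P<mac>[0-9a-f:]{17}) via (?P<iface>\S+)$"
)


def parse_line(line):
    """Return (timestamp, message, mac, iface) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["msg"], m["mac"], m["iface"]


def detect_flood(lines, window=timedelta(seconds=10),
                 rate_threshold=50, distinct_mac_threshold=20):
    """Return one alert per interface whose request rate within `window`
    exceeds `rate_threshold` with at least `distinct_mac_threshold` client MACs.

    The distinct-MAC condition distinguishes a flood of spoofed or many clients
    from a single misbehaving device retrying in a tight loop.
    """
    windows = defaultdict(deque)   # iface -> deque of (timestamp, mac), oldest first
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip unparseable lines rather than failing
        ts, _msg, mac, iface = parsed
        dq = windows[iface]
        dq.append((ts, mac))
        while dq and ts - dq[0][0] > window:   # drop entries older than the window
            dq.popleft()
        if iface in alerted:
            continue
        count = len(dq)
        distinct = len({m for _, m in dq})
        if count >= rate_threshold and distinct >= distinct_mac_threshold:
            alerts.append({"iface": iface, "at": ts.isoformat(),
                           "requests": count, "distinct_macs": distinct})
            alerted.add(iface)
    return alerts


def build_sample_log():
    """Constructed log: benign background traffic on eth1, a flood on eth0."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # Benign: one DISCOVER every 2 s from ten different modems on eth1.
    for i in range(10):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} DHCPDISCOVER from 00:11:22:33:44:{i:02x} via eth1")
    # Flood: 120 DISCOVERs from 60 distinct MACs within 6 s on eth0.
    for i in range(120):
        ts = base + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.isoformat()} DHCPDISCOVER from de:ad:be:ef:00:{i % 60:02x} via eth0")
    lines.append("this line is not a DHCP record and must be ignored")
    return lines


if __name__ == "__main__":
    for alert in detect_flood(build_sample_log()):
        print(alert)
```

The detector alerts on eth0 as soon as the 50th request in the window arrives, while eth1 never comes close to the threshold; the thresholds would need tuning against the normal lease churn of a real deployment.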
Reflecting on these experiences, Colaluca emphasized a critical takeaway: "Incident response is the most neglected muscle group." He underscored the importance of preparing before an incident and having a robust incident response plan in place; in Viasat's case that included a standing engagement with Mandiant as its third-party incident response and forensics provider.
Looking Ahead
The incident underscores the need for organizations to strengthen their security posture, particularly as cyber operations become part of armed conflict. The lessons from Viasat's experience are a cautionary reminder for the industry that ongoing vigilance and adaptive defenses are required to withstand similar attacks in the future.