A denial-of-service (DoS) attack on a leading satellite comms provider on the day of Russia’s invasion hit tens of thousands of customers in Ukraine and elsewhere, the firm has revealed.
Viasat said the “multifaceted and deliberate” cyber-attack took the majority of its thousands of Ukrainian customers offline, although the network was “largely stabilized within hours” and fully stabilized within several days.
It began when some hijacked modems and other customer equipment inside Ukraine started firing high volumes of targeted malicious traffic, making it difficult for legitimate modems to remain online.
Although defenders worked to force the malicious modems offline, others joined the network to continue the attack over the next several hours, Viasat explained.
“Subsequent investigation and forensic analysis identified a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network,” the provider said.
“The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”
Viasat said the affected modems could be fully restored via a factory reset and that it has no evidence that firmware was compromised. However, the firm has been forced to reissue nearly 30,000 modems to distributors to bring customers back online.
There’s also no evidence to suggest that the firm’s KA-SAT satellite or supporting ground infrastructure was compromised in the attack.
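The step Viasat describes, management commands issued to a large number of modems simultaneously, leaves a distinctive fan-out pattern in a management audit trail. The detector below is an added example, not Viasat's tooling or code from the report; the log format, host names, command names and thresholds are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical audit-log line: "<ISO timestamp> <management host> <modem id> <command>"
DESTRUCTIVE = {"flash_write", "flash_erase"}  # assumed names for flash-modifying commands

def parse(line):
    ts, source, modem, command = line.split()
    return datetime.fromisoformat(ts), source, modem, command

def fanout_alerts(lines, window=timedelta(seconds=60), max_modems=5):
    """Flag a management host the first time it sends flash-modifying commands
    to more than max_modems distinct modems inside one sliding window."""
    recent = defaultdict(deque)   # source -> (timestamp, modem) pairs still in window
    alerted, alerts = set(), []
    for ts, source, modem, command in sorted(map(parse, lines)):
        if command not in DESTRUCTIVE:
            continue              # read-only polling is expected to fan out widely
        q = recent[source]
        q.append((ts, modem))
        while ts - q[0][0] > window:
            q.popleft()           # drop events that have aged out of the window
        distinct = {m for _, m in q}
        if len(distinct) > max_modems and source not in alerted:
            alerted.add(source)
            alerts.append((source, ts, len(distinct)))
    return alerts

# Constructed sample: ops-1 performs two spaced-out flash writes and a status
# sweep; jump-9 writes flash on eight modems within eight seconds.
SAMPLE = (
    ["2024-01-01T03:00:00 ops-1 modem-0001 flash_write",
     "2024-01-01T03:10:00 ops-1 modem-0002 flash_write"]
    + [f"2024-01-01T03:20:{i:02d} ops-1 modem-{i:04d} status_query" for i in range(20)]
    + [f"2024-01-01T04:00:{i:02d} jump-9 modem-{i:04d} flash_write" for i in range(8)]
)

if __name__ == "__main__":
    for source, when, count in fanout_alerts(SAMPLE):
        print(f"ALERT {source}: {count} modems flash-modified within 60s at {when}")
```

Because the commands in the incident were legitimate ones, the signal here is volume and timing per source rather than any malicious signature.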