A targeted denial-of-service attack on Viasat (NASDAQ: VSAT) exploited a misconfigured virtual private network (VPN) appliance, allowing the attacker to render modems across Europe useless.
Viasat issued the results of its investigation into the attack on its KA-SAT network last week in a blog post.
The attack, which began on Feb. 24 at 6 a.m. local time in Ukraine, allowed the actors “to gain remote access to the trusted management segment of the KA-SAT network,” according to Viasat. “The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously.
“Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable,” the post noted.
The KA-SAT modems that were compromised are part of a network that “is operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic, under a transition agreement Viasat signed with Eutelsat following Viasat’s purchase of Euro Broadband Infrastructure Sàrl (“EBI”), the wholesale broadband services business created as part of Viasat’s former partnering arrangement with Eutelsat,” according to Viasat.
Best practices
The space industry tends to focus its security efforts on the space portion of the network, Brad Grady, president and chief operating officer of space research specialist Northern Sky Research, told Connectivity Business News. “It didn’t seem like the satellite got exploited; it was on the ground side, but the ground side can still result in a denial of service.
“So it will be interesting to see … how much of this becomes unclassified so the rest of the industry can actually understand what really happened,” Grady added.
The Satellite Industry Association on March 18 updated its cybersecurity best practices. “Given the reliance of our economy and national security on secure communications, evolving attacks by criminals, terrorists, and nation-states properly concern national leaders and the private sector,” the association said in a statement.
State actors
San Jose-based cybersecurity company Trellix, in partnership with think tank Center for Strategic and International Studies, on March 28 published a report finding that organizations are outmatched by nation-state cyber threat actors. Among the 800 IT decision-makers surveyed worldwide, 86% said they believe they have been targeted by a cyberattack conducted by a group acting on behalf of a nation-state.
Among those surveyed, 59% in the media and telecoms industries said they believe Russia to be the most likely actor behind at least one past cyber incident.
“To protect against the latest attacks in real time, all organizations benefit from a forward-leaning approach to intelligence sharing, which could look like sharing active campaign details, providing transparency into the types of tactics and targets nation-state actors are implementing and/or declassifying data,” Christiaan Beek, lead scientist and principal engineer at Trellix, told Connectivity Business News.