News

On February 24, 2022, Viasat, a KA-band satellite provider, fell victim to a wiper attack just before Russia’s invasion of Ukraine. Tens of thousands of Viasat’s government and commercial broadband customers’ modems were disabled in the attack. Viasat representatives shared the details of the attack and the lessons they learned at this year’s Black Hat and DEF CON conferences.

Mark Colaluca, VP and CISO at Viasat Corporate, along with Kristina Walker, former chief of defense industrial-based cybersecurity at the NSA’s Cybersecurity Collaboration Center, discussed the events leading up to the modems being rendered inoperable, the attack itself, and the aftermath.

The attack began with several unsuccessful attempts to log into a Viasat appliance using valid credentials. However, an hour later, the attackers successfully gained unauthorized access through a VPN, landing in the core node. Initially, there were no immediate consequences. Two hours later, the attackers infiltrated the management server with a different set of credentials.

Over the following three to four hours, the attackers went to a network operations server responsible for modem diagnostics, health, and online status. They performed reconnaissance work, specifically targeting certain sets of modems in specific regions for specific customers and functions. The attackers gathered information on how many modems were online.

Around midnight, the attackers accessed Viasat’s FTP server, which is responsible for delivering software updates to modems. They introduced a wiper binary and scripts to assess and report the network’s status after executing the scripts.

It appears that the attack was highly targeted, focusing on specific modems for specific customers and regions. Viasat has since worked on enhancing its incident response capabilities and strengthening its security measures to prevent future cyber attacks.

The post Viasat: Lessons Learned from the Cyber Attack appeared first on satProviders.