
A mysterious satellite hack has victims far beyond Ukraine

The biggest hack since Russia’s war began knocked thousands of people offline.


More than 22,000 miles above Earth, the KA-SAT is locked in orbit. Traveling at 7,000 miles per hour, in sync with the planet’s rotation, the satellite beams high-speed Internet down to people across Europe. Since 2011, it has helped homeowners, businesses, and militaries get online. However, as Russian troops moved into Ukraine during the early hours of February 24, satellite Internet connections were disrupted. A mysterious cyberattack against the satellite’s ground infrastructure—not the satellite itself—plunged tens of thousands of people into Internet darkness.

Among them were parts of Ukraine’s defenses. “It was a really huge loss in communications in the very beginning of war,” Viktor Zhora, a senior official at Ukraine’s cybersecurity agency, the State Services for Special Communication and Information Protection (SSSCIP), reportedly said two weeks later. He did not provide any more details, and SSSCIP did not respond to WIRED’s request for comment. But the attack against the satellite Internet system, owned by US company Viasat since last year, had even wider ramifications. People using satellite Internet connections were knocked offline all across Europe, from Poland to France.

Almost a month after the attack, the disruptions continue. Thousands still remain offline in Europe—around 2,000 wind turbines are still disconnected in Germany—and companies are racing to replace broken modems or fix connections with updates. Multiple intelligence agencies, including those in the US and Europe, are also investigating the attack. The Viasat hack is arguably the largest publicly known cyberattack to take place since Russia invaded Ukraine, and it stands out for its impact beyond Ukraine’s borders. But questions about the details of the attack, its purpose, and who carried it out remain—although experts have their suspicions.

Satellite Internet connections are often used in areas with low cable coverage, and they are used by everyday citizens as well as official organizations. The setup is different from your typical home or office Wi-Fi network, which mostly relies on wired broadband connections. “Satellite communications are composed of three main components,” says Laetitia Cesari Zarkan, a consultant at the United Nations Institute for Disarmament Research and a doctoral student at the University of Luxembourg. First, there is the spacecraft that’s in orbit, which is used to send “spot beams” back to Earth; these beams provide Internet coverage to specific areas on the ground. These beams are then picked up by satellite dishes on the ground. The dishes can be attached to the sides of buildings, or mounted on planes to power in-flight Wi-Fi. And finally there are ground networks, which communicate with and can configure people’s systems. “The ground network is a collection of earth stations connected to the Internet by fiber-optic cables,” Zarkan says.

Aside from Zhora’s comment, the Ukrainian government has remained tight-lipped about the attack. However, satellite communications, also known as satcom, appear to be frequently used in the country. Ukraine has the world’s most transparent system for tracking government spending, and multiple government contracts show that the SSSCIP and police have purchased the technology. For instance, during Ukraine’s 2012 elections, more than 12,000 satellite Internet connection points were used to monitor voting, official documents spotted by European cybersecurity firm SEKOIA.IO show.

“To disrupt satellite communications, most people—myself included—would look at the signal in space, because it's exposed,” says Peter Lemme, an aviation specialist who also writes about satellite communications. “You can transmit signals toward the satellite that would effectively jam its ability to receive signals from legitimate modems.” Elon Musk has claimed that Starlink satellite systems he sent to Ukraine have faced jamming attacks.

However, the attack against Viasat may not have involved jamming. The attack against the network was a “deliberate, isolated, and external cyber event,” according to Viasat spokesperson Chris Phillips. The attack only impacted fixed broadband customers and didn’t cause disruption to airlines or Viasat’s US government clients, the company says, and no customer data was impacted. However, people’s modems have not been able to connect to the network, and they have been “rendered unusable.”

On Tuesday, Viasat chair Mark Dankberg told a satellite conference that the company purchased the KA-SAT in Europe last year, and its customer base is still being operated by a third party as part of the transition. “We believe for this particular event it was preventable, but we didn't have that capability in that case,” Dankberg said, confirming that thousands of modems were taken offline. “In most of the cases of the modems that went offline, they need to be replaced. They can be refurbished, so we're recycling modems,” Dankberg said.

“There is no evidence to date of any impairment to the KA-SAT satellite, core network infrastructure, or gateways due to this incident,” Phillips says in a statement. Instead Viasat says the cyberattack was the result of a misconfiguration in a “management section” of its network, as first reported by Reuters. The company declined to provide any more details on the technical nature of the incident, citing ongoing investigations. Viasat says it is now focusing on recovering from the partial outage.
