Military officials and civilian security researchers have been warning us for years: cyberattacks are becoming a very real part of modern warfare. Far from being limited to military targets, cyberattacks can take out everything from vital public infrastructure to commercial and industrial operations, too.
In the early hours of February 24, as the Russian invasion force began raining missiles on Ukrainian cities, another attack was in progress in the digital realm. Suddenly, satellite terminals across Europe were going offline, and many of them suffered permanent damage.
Details remain hazy, but researchers and military analysts have pieced together a picture of what happened that night. The Great Euro Sat Hack proved to be the latest example of how vulnerable our digital infrastructure can be in wartime.
A Network Is Only As Secure As Its Weakest Point
The KA-SAT satellite, owned and operated by US company Viasat, was launched in 2010. It provides broadband satellite internet across Europe, with limited coverage also extending to parts of the Middle East. Customers include residential users across Europe as well as a number of industrial operators.
On February 24, as Russian forces began their full-scale invasion of Ukraine, the KA-SAT system came under attack as well. Thousands of terminals went offline in the early hours of the morning. The outage was not limited to Ukraine: users in Greece, Poland, Italy, Hungary, and Germany were all affected.
Notably, around 5,800 wind turbines in Germany lost their remote administration links while the attack was under way. With the satellite links down, monitoring the turbines through their SCADA systems was no longer possible. Grid stability was not affected, according to operator ENERCON, because grid operators retained control over the wind power feeding into the grid through other channels.
Early reports speculated that a simple distributed denial of service (DDoS) attack was to blame. In this type of attack, floods of traffic overwhelm a network or server; it is relatively unsophisticated, and service normally returns once the traffic stops.
However, it quickly became apparent that something far more serious had taken place. Researchers analyzing the fallout noted that many terminals had been taken offline permanently and were no longer operable. Information slowly trickled out from various sources indicating that the satellite itself had not been tampered with, damaged, or physically attacked in any way. The problem therefore most likely lay in the ground segment of the KA-SAT network.
Just over a month after the attack, Viasat released a statement describing its scale and nature. According to the company, the incident began at 03:02 UTC with a denial of service attack originating from SurfBeam 2 and SurfBeam 2+ modems on a consumer-oriented partition of the KA-SAT network. These modems, physically located in Ukraine, were generating large volumes of malicious traffic and preventing legitimate users from staying online. Viasat's technical teams worked to block the offending modems from the network, but as each was removed, others appeared.
Throughout this period, modems on that partition were gradually dropping offline. This accelerated sharply at 04:15 UTC, when a mass of modems across Europe, all on the same consumer partition, disconnected from the KA-SAT network. Those modems were gone for good; none attempted to reconnect.
Later analysis showed that the attackers had breached the management systems of the KA-SAT network through a "misconfiguration in a VPN appliance." From the management network they issued commands to residential modems, overwriting key data in the modems' flash memory and rendering them inoperable.
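The timeline Viasat describes, flooding from misbehaving modems followed by a mass drop with no reconnection, is a pattern a network operator can look for in terminal session logs. The following is an added example written for this article, not Viasat's code or anything from the original page. The log format, partition names, modem identifiers, and the 30-minute reconnection window are constructed assumptions, and the timestamps only loosely echo the public timeline. It separates churn (modems that drop and come back, as under a traffic flood) from permanent loss (modems that drop and never return), and raises an alert when many permanent losses cluster on one partition within a short window.

```python
"""Separate DoS-style churn from mass permanent terminal loss in session logs.

Added example: the log format, partition names and modem IDs below are
constructed for illustration and are not Viasat's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO-8601 UTC time> <partition> <modem_id> <event>"
SAMPLE_LOG = """\
2022-02-24T03:02:10Z consumer-eu m001 offline
2022-02-24T03:02:40Z consumer-eu m001 online
2022-02-24T03:03:05Z consumer-eu m002 offline
2022-02-24T03:03:50Z consumer-eu m002 online
2022-02-24T03:10:00Z consumer-eu m003 offline
2022-02-24T04:15:01Z consumer-eu m004 offline
2022-02-24T04:15:02Z consumer-eu m005 offline
2022-02-24T04:15:02Z consumer-eu m006 offline
2022-02-24T04:15:03Z consumer-eu m007 offline
2022-02-24T04:15:04Z consumer-eu m008 offline
2022-02-24T04:15:05Z enterprise-eu m101 offline
2022-02-24T04:16:00Z enterprise-eu m101 online
"""

# End of the observation period for the sample (assumed, for the example).
OBSERVED_UNTIL = datetime(2022, 2, 24, 6, 0, 0)


def parse_log(text):
    """Parse log lines into (timestamp, partition, modem_id, event) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, partition, modem, event = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), partition, modem, event))
    return records


def classify_modems(records, observed_until, reconnect_window=timedelta(minutes=30)):
    """Label each modem:
    'churn' - dropped and returned within reconnect_window (flood-like behaviour)
    'lost'  - dropped and stayed away for at least reconnect_window (bricked?)
    'down'  - dropped recently; too early to tell
    'up'    - online, with no recent unexplained drop
    """
    last_offline = {}
    status = {}
    for ts, _partition, modem, event in records:
        if event == "offline":
            last_offline[modem] = ts
            status[modem] = "down"
        elif event == "online":
            back_quickly = modem in last_offline and ts - last_offline[modem] <= reconnect_window
            status[modem] = "churn" if back_quickly else "up"
    for modem, state in status.items():
        if state == "down" and observed_until - last_offline[modem] >= reconnect_window:
            status[modem] = "lost"
    return status


def detect_mass_loss(records, observed_until, window=timedelta(minutes=5), threshold=5):
    """Return (partition, window_start, count) for each partition where at least
    `threshold` modems went offline within `window` and none of them came back.
    Churn is ignored, so a plain traffic flood does not trigger this alert."""
    status = classify_modems(records, observed_until)
    lost_drops = defaultdict(list)
    for ts, partition, modem, event in records:
        if event == "offline" and status.get(modem) == "lost":
            lost_drops[partition].append(ts)

    alerts = []
    for partition, times in lost_drops.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over drop times
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append((partition, times[start], count))
                break                             # one alert per partition
    return alerts


def analyze_sample():
    """Run both analyses over the constructed sample log."""
    records = parse_log(SAMPLE_LOG)
    return classify_modems(records, OBSERVED_UNTIL), detect_mass_loss(records, OBSERVED_UNTIL)


if __name__ == "__main__":
    status, alerts = analyze_sample()
    for modem, state in sorted(status.items()):
        print(modem, state)
    for partition, start, count in alerts:
        print(f"ALERT: {count} modems lost on {partition} from {start:%H:%M:%S} UTC")
```

In the sample, the two modems that flapped around 03:02 and the enterprise modem that came straight back are classified as churn and produce no alert, while the five consumer-partition modems that dropped at 04:15 and never returned trip the mass-loss threshold. In a real deployment the reconnection window and threshold would be tuned to the fleet's normal churn rate, and a "down" modem would be re-evaluated as more log arrives.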
In the aftermath, security researcher Ruben Santamarta obtained an affected SurfBeam 2 modem along with a clean unit untouched by the attack. Dumping the flash memory from both was revealing: the compromised modem's flash was heavily corrupted compared to the clean one, which is what left it non-functional. In some cases the damage was so complete that affected modems would not even light their status LEDs when powered on. Tens of thousands of replacement modems were shipped to customers in the weeks following the attack to get them back online.
Some questions remain unanswered. It is unclear precisely how the attackers got into the management segment of the KA-SAT network, and the company has been reticent about publicising the details. The early DDoS followed by the bricking of modems points to a well-planned, multi-stage operation prepared well in advance. There are also ancillary questions, such as why German electricity infrastructure was affected by an attack supposedly limited to residential modems on a consumer-oriented network segment.
Those specifics are of interest to security researchers and to the companies involved. More broadly, the incident shows that cyberattacks can and will be used against real infrastructure in times of war, and that their effects won't necessarily stay confined to the targeted region or to the military. When networks span national borders, it is all too easy for such an attack to have wide-ranging downstream effects.
Overall, it's a chilling reminder of the vulnerabilities inherent in much of our infrastructure. This time it was satellite internet; next time it might be the water supply or the health system. The stakes are high in all of these cases, so there's every reason to invest in shoring up security wherever possible.