US telecom company likely targeted by Russian hackers shares details of February 24 attack

Written by AJ Vicens

The US telecommunications company targeted as the Russian military attacked Ukraine on February 24 said on Wednesday that a misconfigured virtual private network allowed hackers to gain the access needed to disable key modems – an attempt to cripple Ukrainian government communications in what the company described as a “deliberate” cyberattack.

Viasat, based in Southern California, said in a statement posted on its website that the misconfigured VPN, operated by a subsidiary of a partner company, allowed hackers to execute “legitimate and targeted management commands on a large number of residential modems simultaneously”. The statement adds that these “destructive commands overwrote key data in the modems’ flash memory, rendering the modems unable to access the network, but not permanently unusable.”
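The statement describes the property that made the intrusion so damaging: one management path, reached through a misconfigured VPN, could send otherwise legitimate commands to a large number of modems at the same time. The following is an added example, not Viasat’s code and not part of the original article, of the kind of detection a network operator could run over management-plane audit logs. The log format, the VPN peer names and the command names (write_flash, factory_reset, get_status) are constructed placeholders, not real KA-SAT identifiers. It flags any source that issues a flash-writing command to more than a threshold of distinct modems inside a short window, while ignoring high-volume but harmless status polling.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Commands that can take a modem off the network when issued in bulk.
# Placeholder names chosen for this example, not real modem commands.
DESTRUCTIVE_COMMANDS = {"write_flash", "factory_reset"}


def parse_line(line):
    """Parse one constructed audit record:
    '<ISO8601 timestamp>Z <vpn peer> <modem id> <command>'."""
    ts_text, source, modem, command = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, source, modem, command


def detect_bulk_commands(lines, window=timedelta(minutes=5), threshold=20,
                         commands=DESTRUCTIVE_COMMANDS):
    """Return one alert per (source, command) pair whenever a single
    management source issues a destructive command to more than `threshold`
    distinct modems within any interval of length `window`."""
    records = sorted(parse_line(line) for line in lines)  # sorted by timestamp
    recent = defaultdict(deque)  # (source, command) -> deque of (ts, modem)
    alerted = set()
    alerts = []
    for ts, source, modem, command in records:
        if command not in commands:
            continue  # status polling and other read-only traffic is ignored
        key = (source, command)
        q = recent[key]
        q.append((ts, modem))
        while q and ts - q[0][0] > window:  # drop records older than the window
            q.popleft()
        distinct = {m for _, m in q}
        if len(distinct) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "source": source,
                "command": command,
                "modems": len(distinct),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


def build_sample_log():
    """Constructed sample: routine single-modem reflashes by an operations
    peer, a second peer pushing write_flash to 60 modems in two minutes, and
    a burst of harmless status polling. Entirely synthetic."""
    base = datetime(2022, 2, 24, 3, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Routine maintenance: three reflashes an hour apart -> below threshold.
    for i in range(3):
        t = base + timedelta(hours=i)
        lines.append(f"{t:{fmt}} vpn-peer-ops modem-{i:04d} write_flash")
    # Bulk push: 60 distinct modems in 120 seconds from one peer -> alert.
    for i in range(60):
        t = base + timedelta(minutes=30, seconds=2 * i)
        lines.append(f"{t:{fmt}} vpn-peer-x modem-{1000 + i:04d} write_flash")
    # High-volume but read-only polling -> never counted.
    for i in range(100):
        t = base + timedelta(minutes=30, seconds=i)
        lines.append(f"{t:{fmt}} vpn-peer-ops modem-{2000 + i:04d} get_status")
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_commands(build_sample_log()):
        print(alert)
```

The alert fires as soon as the 21st distinct modem is reached, so a responder sees it while the push is still in progress rather than after the fleet is offline; the same logic is a natural place to hook a rate limit or an approval step for bulk flash writes on the management plane.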

The disruption to services was relatively limited, the company said, and did not affect government users of its KA-SAT satellite service or other Viasat networks around the world. The company did not specify the number of affected customers, but said it has shipped “tens of thousands of replacement modems” to distributors to help customers get back online.

The company’s statement shows that “several initial assumptions about the attack were wrong”, according to Thomas Rid, founding director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University. Rid tweeted on Wednesday that the attack was “much less sophisticated than expected and required less preparation than expected (no supply chain compromises, no firmware changes, no irreparable damage).”

The hack is perhaps the most serious cyberattack to emerge following Russia’s attack on Ukraine. Thousands of internet and communications customers in Ukraine and beyond were taken offline, and the attack caused “a huge loss of communications at the very beginning of the war”, Victor Zhora, a senior Ukrainian government cybersecurity official, told reporters on March 15.

Government and private networks there have suffered about half a dozen wiper attacks since the invasion began, as well as a series of ongoing distributed denial-of-service attacks, which flood networks or targeted websites with bogus traffic to make them inaccessible to legitimate users. Viasat suffered a denial-of-service attack at the same time as the destructive commands that affected the modems, the company said in its statement.

“Destructive commands overwrote key data in the modems’ flash memory, rendering the modems unable to access the network, but not permanently unusable.”

Viasat statement released March 30, 2022

US intelligence believes Russian hackers were behind the attack on Viasat, The Washington Post reported on March 24, confirming the informal assessment of Ukrainian government cyber officials. “I don’t need any further evidence that Russia was targeting Viasat, as well as other companies,” Zhora told reporters on March 15. “We understand that they are focusing on satellite communications, they are focusing on ISPs, they are focusing on mobile operators” in an attempt to cut off Ukrainian communications.

The company did not identify the attackers, but told Reuters on Wednesday that the attackers were behind “repeated attempts” to circumvent the defenses and mitigations the company put in place following the initial attack.

Russian-aligned hackers relentlessly targeted Ukraine with attacks and disruptions in the weeks leading up to the Feb. 24 invasion and since, according to independent researchers and Ukrainian officials. An attack involving destructive malware poorly disguised as ransomware hit several organizations in Ukraine on January 13, the start of a series of wiper attacks.

This attack, known in the information security community as WhisperGate, was possibly the work of a previously unknown Russian military intelligence hacking group, according to Adam Meyers, senior vice president of intelligence at cybersecurity firm CrowdStrike.

In scheduled testimony before the House Homeland Security Committee on Wednesday, Meyers said a group the company calls “Ember Bear”, which has been targeting government and military organizations in Eastern Europe since early 2021, could be behind the WhisperGate attack. The group shares tactics, techniques and procedures with other hacking units in the GRU, Russia’s military intelligence division, Meyers said. Wednesday’s hearing has been postponed.

Sean B. Jackson