Exclusive: Hackers who crippled Viasat modems in Ukraine are still active - company official

By Christopher Bing and Raphael Satter

WASHINGTON (Reuters) – Hackers who crippled tens of thousands of satellite modems in Ukraine and across Europe are still trying to hobble U.S. telecommunications company Viasat as it works to bring its users back online, a company official told Reuters.

Viasat Inc has been working to recover after a cyberattack remotely disabled satellite modems just as Russian forces pushed into Ukraine in the early hours of Feb. 24. The official said a parallel attack was launched at almost exactly the same time and used “high volumes of focused, malicious traffic” to try and overwhelm Viasat’s network and was still ongoing.

“We’re still witnessing some deliberate attempts,” the official said Tuesday. He said that Viasat was so far resisting the hackers with defensive measures but that “we’ve been seeing repeated attempts by this attacker to alter that pattern to test those new mitigations and defenses.”

The official – who spoke on the condition that he not be identified – briefed Reuters ahead of a report being published early Wednesday which outlines how the hackers systematically sabotaged satellite modems across Europe – and in Ukraine in particular – on the morning of Russia’s invasion.

The exact effect of the outage on Ukraine still is not clear, but the disruptive hack triggered “a really huge loss in communications” at the outset of the conflict, Ukrainian cybersecurity official Victor Zhora told reporters during a briefing on March 15.

Few other details have been released since. On Friday, the Washington Post said (https://www.washingtonpost.com/national-security/2022/03/24/russian-military-behind-hack-satellite-communication-devices-ukraine-wars-outset-us-officials-say) that U.S. analysts believed that the hackers were working for Russia’s military intelligence agency.

The report did not identify the hackers and the Viasat official said the company would not be commenting on who might be responsible.

The Russian Embassy in Washington has not responded to repeated attempts to seek comment about the hack.

Viasat’s report said that the intruders took advantage of a misconfigured virtual private networking device to gain remote access to the management network for the company’s KA-SAT satellite, which is run by an Italy-based company called Skylogic and serves customers across Europe.

Skylogic did not immediately return a message late Tuesday.

The report said that it was from inside the network that the hackers sent rogue commands to tens of thousands of modems all at once, overwriting key chunks of data in the devices’ memory and rendering them inoperable.

The report said the disruptive hack began about 6:15 a.m. Ukraine time on Feb. 24 and would eventually cripple a majority of Viasat’s modems in Ukraine. The parallel attack using malicious traffic began about an hour earlier.

The company declined to provide a global figure of stricken devices but the report said that nearly 30,000 fresh modems had already been shipped to distributors to bring customers back online.

(Reporting by Christopher Bing and Raphael Satter; editing by Chris Sanders and Bernard Orr)