Why the Viasat hack still echoes
By Andrea Valentino|November 2022
Satcom companies, perhaps for good reason, rely on a complex web of suppliers and subcontractors to deliver us our internet connections and television programming. That can make it hard to enforce sound cyber practices across an entire network. And when an attack does occur, it can take months or longer to determine how it unfolded. Can anything be done? Andrea Valentino went looking for answers.
In the early hours of Feb. 24, Ukraine faced two assaults. One, all tanks and airstrikes, was plain to see. The other came at about 6 a.m. local time, when internet modems began to go offline in homes and military sites across Ukraine and at locations in Europe. Depending on whose account you believe, wiper malware or a flood of malicious traffic or some combination of those rained down on thousands of satellite dishes affixed to civilian homes and military installations. The signals came from a van-sized geostationary satellite positioned high over the western coast of Africa at the equator. In normal times, the broadband KA-SAT, operated by California-based Viasat, was a godsend for rural customers lacking the option of connecting to the internet via fiber optics. Now, customers were waking up to crashing modems and a loss of connectivity during a national emergency.
While the disruption proved to be relatively short-lived — according to Viasat, most connectivity was restored in “several days” by shipping out some 30,000 fresh modems — nine months on, it continues to reverberate in the satcom industry. For one, there remains no definitive, agreed-upon and publicly shared account of exactly how the attack unfolded. But enough is known to worry that the attacker exploited a vulnerability tied to the business practices of the satcom industry, practices so deeply rooted that the vulnerability could prove difficult, though perhaps not impossible, to fix.
Much of what is known, or theorized, about the attack comes from three sources: a “cyber attack overview” released by Viasat in March; an open-source intelligence study released in October by the Aerospace ADVERSARY Lab at Johns Hopkins University in Baltimore; and forensics performed independently on one of the attacked modems by Ruben Santamarta, a cybersecurity researcher based in Spain.
All agree that the attacker entered through a virtual private network (VPN) appliance, which is software that’s supposed to only allow authorized users to enter a company’s internal network remotely from the wilds of the internet. From there, the attacker “moved laterally” into one of Viasat’s crown jewels, “the trusted management segment of the KA-SAT network,” as Viasat’s overview document puts it. Ultimately, the attacker sent commands to the modems via the satellite’s spot beams. In what might have been an unintended spillover effect, “one fifth” of the wind turbines operated by Enercon in Germany were rendered “inaccessible” for command and control, according to the Johns Hopkins paper.
That’s where the accounts diverge. The overview document describes a denial-of-service attack in which “malicious traffic” was detected “emanating from several” modems. Personnel from Skylogic, the Italy-based subcontractor in charge of key parts of the KA-SAT network, “worked to force the malicious modems offline.” Nevertheless, the “traffic-based attack” kept “legitimate modems” from entering the network or staying online.
Gregory Falco, one of the authors of the Johns Hopkins paper, says there is “absolutely no empirical evidence” for that account. Citing forensics by Santamarta, he says that “wiper malware” was sent to the modems and that they were incapable of emanating anything once that was done.
What is the evidence for that? Santamarta tells us by email that he received two Viasat SurfBeam2 modems that he will only say came from a “remote place in a Nordic country.” One was in working condition, and the other was one of those attacked on Feb. 24. He took the attacked modem apart and downloaded its main, or flash, memory.
“The attacked modem was effectively bricked due to the wiper malware that was deployed during the attack. As a result, its main memory only contained ‘garbage,’” he wrote. “I repeated the same process for the working modem, but this time I analyzed the software that runs on it, by using reverse engineering. This allowed me to understand the attack vectors and vulnerabilities that could have been used by the attackers to remotely install the wiper malware in the modems.”
Santamarta speculates that the malicious traffic described in the Viasat overview was “intended just to divert the attention of the Skylogic engineers from the main attack, which was focused on remotely installing the wiper malware into the modems.”
A security conundrum
Details aside, cybersecurity analysts see plenty of lessons. The VPN appliance implicated in the attack was controlled not by Viasat, but by Skylogic, the Eutelsat subsidiary based in Italy, Santamarta and others say. Eutelsat said the compromised VPN was in Turin, Italy, which is where Skylogic’s headquarters are located. Viasat, for its part, did not answer our questions about the VPN.
Such outsourcing lies at the heart of the broader vulnerability that cybersecurity analysts see. For sure, such arrangements are not unique to Viasat. Other satcom operators have similarly complex webs of partnerships and contractors, and those webs are dynamic, changing with the addition of a new contractor or the sale or merger of a contractor. Viasat, in fact, acquired KA-SAT in 2020 — as well as an associated wholesale broadband business — from Eutelsat, a French company. As part of this agreement, Skylogic, a Eutelsat subsidiary, was to continue operating parts of the KA-SAT network temporarily. Such additions and shifts add to the challenge of promoting a unified cybersecurity policy. In fact, Falco and others wonder if the attacker deliberately chose Viasat because of the ownership transition.
“I think this is a wakeup call for every industry but is clearly a wakeup call for the satellite industry because of the numbers of vendors out there,” says James Turgal, a former chief information officer at the FBI and now a vice president at the Optiv cybersecurity firm in Colorado.
In reality, however, a company like Viasat might always need a company like Skylogic, with specific skillsets, to serve its customers. Reflecting this, satcom is a strikingly decentralized industry. Without the strict security requirements of U.S. government satellite networks, and constrained by staffing and financial pressures, most companies instead focus on specific parts of the process and outsource the rest. From building satellites to maintaining ground-based satellite dishes and installing modem boxes in businesses and homes, firms like Viasat rely on a “very diffuse ecosystem” of providers and vendors, as Falco puts it.
This reality is reflected in the statistics. According to one July survey, there are 44 companies specializing in satcom antenna systems alone. It’s the same story for satellite operators. Canada’s Telesat company, for example, in February announced it was working with an external partner to boost services in Africa. Viasat, judging by its public announcements, works in a similar fashion. Since 2021, it has reached deals with a TV operator in Brazil and a telecommunications company in Australia. Those are just two examples.
A dual-use network like KA-SAT, which serves not only civilians but also the Ukrainian military, becomes a tempting target. But if arrangements of varying complexity are inevitable, can anything be done? The experts we interviewed have some ideas.
As matters stand today, a satcom company will typically specify the security arrangements a third party is expected to make. But Falco suggests that these agreements are not always taken seriously by any party. “Sometimes they’re doing it, sometimes they’re not,” he says, adding that it can be hard for firms like Viasat to know exactly what their external partners are up to.
Turgal, the former FBI official, argues that the answer to these troubles, at least in part, is to strengthen those contracts. A “recovering attorney” himself, he says that giving partners detailed and specific security checklists — and then being willing to follow them up with legal action — can be a good way of forcing compliance. What if there’s a breach like this one again, despite a commitment to follow a checklist? “That’s when Viasat lawyers are going back to Skylogic and the lawsuits ensue.”
Not that stopping a repeat of the Viasat hack would merely involve lawyering up. After compromising the VPN, after all, Viasat’s report says the attacker “moved laterally” across the network to gain access to the modems through KA-SAT. To cybersecurity experts, “moved laterally” is an especially telling choice of words, implying that the attacker easily moved about inside the network. Santamarta says that ease speaks to another possible flaw in Viasat’s cybersecurity setup: Ideally, he says, you shouldn’t be able to compromise an entire network from a single point of access.
Those in the cybersecurity field borrow an analogy from the physical world to show how things should work. If a VPN acts like an outer wall protecting a company’s network from intruders, the network should have inner walls or “defense in depth,” in cyber parlance. These secondary barriers, for instance in the form of passwords, are designed to prevent an attacker who jumps that first fence from wandering through a network until reaching what AIAA’s Steve Lee describes as the “holy grail” — in Viasat’s case, the customer modems.
Viasat, in response to our questions, noted that it has “different network segments and partitions designed to help manage traffic and protect different user groups for security reasons.”
If Viasat really did fall prey to wobbly internal defenses, it wouldn’t be the first time a company has suffered a similar fate. In 2013, criminals stole the credit or debit card information of around 40 million Target customers. Investigators determined that the hackers compromised a private area of the retailer’s network by first hacking a heating and refrigeration contractor.
Defense in depth requires the related concept of “zero trust,” in which everyone is treated as a prospective attacker. Those inside a network are viewed no less suspiciously than those outside. How could this approach have helped Viasat in February? Falco puts it bluntly: Once the attacker entered the network via the Skylogic VPN, “it wouldn’t have mattered.” Zero trust would have required Viasat to ensure that every command sent, even one coming from inside the network, was genuine before letting it go ahead.
In a world in which all your colleagues are treated as potential enemies, departments are encouraged to promote a “need to know” mentality in the vein of government agencies. Lee of AIAA borrows the Target example, arguing that “the person who has access to the air conditioning system shouldn’t also have access to customer credit card numbers.” Swap “credit card numbers” for “satellite modems,” and you begin to see how these principles could usefully be applied to Viasat.
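To make the zero-trust and need-to-know argument above concrete, here is an added illustration (not from the article, and not Viasat’s or Skylogic’s actual design) of a command gate in front of modem management: a perimeter policy that trusts anything already inside the network, beside a zero-trust policy that verifies a per-command MAC under the sender’s own key and checks that the sender is authorized for that specific action. The keys, principal names and roles are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample credentials and roles for the illustration (hypothetical).
# Each principal holds its own key and an explicit set of allowed actions,
# so the contractor who can read the HVAC system cannot configure modems.
KEYS = {
    "ops-admin": b"constructed-ops-admin-key",
    "hvac-contractor": b"constructed-hvac-key",
}
ROLES = {
    "ops-admin": {"modem.config", "modem.reboot"},
    "hvac-contractor": {"hvac.read"},
}


def _canonical(cmd):
    # Canonical bytes over the command fields that the MAC covers.
    body = {k: cmd.get(k) for k in ("principal", "action", "target")}
    return json.dumps(body, sort_keys=True).encode()


def sign_command(principal, action, target):
    # Issue a command carrying an HMAC-SHA256 tag under the principal's own key.
    cmd = {"principal": principal, "action": action, "target": target}
    cmd["mac"] = hmac.new(KEYS[principal], _canonical(cmd), hashlib.sha256).hexdigest()
    return cmd


def perimeter_policy(cmd, from_inside):
    # Perimeter model: anything already inside the management segment is trusted,
    # so a compromised partner VPN session is indistinguishable from an operator.
    return from_inside


def zero_trust_policy(cmd, from_inside):
    # Zero-trust model: network position is ignored. A command is accepted only
    # if its tag verifies under the named principal's key (it is genuine and
    # untampered) and that principal is authorized for this action (need to know).
    key = KEYS.get(cmd.get("principal"))
    if key is None:
        return False
    expected = hmac.new(key, _canonical(cmd), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cmd.get("mac", "")):
        return False
    return cmd.get("action") in ROLES.get(cmd["principal"], set())
```

The contrast to watch is the unsigned command arriving from inside the segment and the HVAC credential asking for a modem action: the perimeter gate passes both, the zero-trust gate passes neither.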
Take things in-house?
In theory, zero trust could revolutionize cyber protection. Certainly, that’s reflected in the numbers, with a June report by MarketsandMarkets claiming that the global zero trust security market could reach $60.7 billion by 2027, up from just $27.4 billion this year. Satellite companies seem to be following this trend too. In late March, barely a month after the Viasat attack, Lockheed Martin Space said it was promoting zero-trust principles.
All the same, actually putting zero trust into practice across satcom would be far from simple. Fundamentally, this can again be understood in terms of the sector’s complexity. Blocking colleagues or vendors from sensitive parts of your network sounds great in theory. But in satcom, an industry built on speed, too many checks risk being counterproductive.
“The more security controls you add, the less accessibility is associated with it,” says Melody Champlin of IronNet Cybersecurity in Washington, D.C. That could mean that staff struggle to keep connectivity up, especially if they constantly have to contend with extra passwords and firewalls.
One alternative could be to take more services in-house — something that’s actually been done before. Being owned by a billionaire, SpaceX can operate far more independently of partners and franchisees. And though it lacks an Elon Musk, Viasat may be moving in a similar direction. Even before the Skylogic debacle, the company planned to take over the Italian firm’s responsibilities later this year. That’s shadowed by other plans, notably a $7.3 billion deal, approved by shareholders in June, to acquire British satcom giant Inmarsat.
But here, too, some experts caution that the industry’s sophistication makes genuine vertical integration tough. Without farming out parts of the process, predicts Falco, satellite companies will struggle to drive down costs and grow.
Whatever the solution, time is of the essence. Groups, including the Cyber Peace Institute, have cataloged dozens of other cyberattacks on Ukrainian targets over recent months. Given the importance of satellite communications, warns Santamarta, attackers are bound to try again. Ideally, if another penetration does come to Viasat or another company, zero trust and defense in depth mean that the attacker won’t get far.
Editor-in-chief Ben Iannotta contributed to this report.