16-05-2022 | By Robin Mitchell
A large cyberattack that hit Viasat shortly before the Russian invasion of Ukraine has now been attributed to Russia. What exactly did the attack do, how did the malware damage modems, and was there any measurable impact on Ukrainian forces?
What exactly did the attack do?
Roughly one hour before Russia launched its invasion of Ukraine in February 2022, Viasat's high-speed satellite internet service suffered a large-scale attack. Until recently the culprits could not be named with certainty, but reports from several governments, including the EU, US and UK, have now formally attributed the attack to Russia. The service was presumably targeted because Viasat provides internet connectivity to both commercial and military customers, so disrupting it would give Russia an edge in its surprise invasion.
Although military forces use Viasat, the attack also hit non-military users. One example that stood out in particular is the loss of remote monitoring and control of 5,800 wind turbines in central Europe with a combined capacity of 11 GW (the turbines kept generating, but their operator could no longer manage them remotely). Additionally, it has been estimated that up to 30,000 modem terminals were damaged and require replacement.
So far, Viasat has shipped around 11,000 replacement modems to customers to bring systems back online, while patching the security flaws that allowed the attackers to get into the network and reach the modems. According to Viasat, the attack was directed at the KA-SAT network, which is not directly managed by Viasat; had the attack targeted Viasat's main network, it would reportedly have been stopped.
How did malware damage modems?
One detail that gets glossed over in many news reports is how the attackers were able to permanently damage the modems. It is understandable for software systems to be left compromised or inoperable, but it is unusual for the hardware itself to stop working.
To damage the modems, the attackers used a wiper called AcidRain. Once running on a device, the malware recursively wipes non-standard files across the filesystem (it descends into every directory, overwrites the contents, and moves back up). It then targets the known storage device files, the device nodes for the flash and block storage that sit underneath the filesystem, which makes recovery virtually impossible: the data is overwritten rather than merely deleted, so there is nothing left for an undelete tool to find.
The malware was pushed to the connected modems and routers through legitimate management commands, the same channel that would otherwise deliver firmware updates. It was also written to be as generic as possible, not targeting any one specific platform. While affected devices are effectively bricked, some reports suggest that a factory reset can restore them, whereas others state that tens of thousands of modems are now unusable. The difference may come down to whether the erased onboard flash can be reprogrammed in the field (i.e., whether there is a programming port or accessible pins, or whether the part is one-time programmable).
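To make the two wipe stages described above concrete, here is a sandbox simulation, added for this article and not AcidRain's own code or anything published by Viasat. It builds a throwaway directory tree standing in for a modem's root filesystem, walks it recursively overwriting and unlinking regular files outside an allow-list of "standard" directories, then overwrites an ordinary file that stands in for the flash block device. The skip list, the 0xFF fill pattern, the chunk size and the sample file tree are all assumptions made for the demo; the point it shows is why overwriting (rather than simply deleting) leaves nothing for filesystem-level recovery.

```python
"""Sandbox simulation of a recursive file wipe followed by a device-node wipe.

Added illustration only. Runs entirely inside a temporary directory that is
removed afterwards; no real device nodes are touched.
"""
import os
import shutil
import tempfile

# Assumption: top-level directories the walk leaves alone so the system keeps
# running long enough to finish. Illustrative list, not AcidRain's real one.
STANDARD_DIRS = {"bin", "sbin", "lib", "dev", "proc", "sys"}
# Assumption: fill pattern. Erased flash reads back as 0xFF, so this mimics a
# freshly erased chip rather than a deleted-but-recoverable file.
FILL = b"\xff" * 4096


def _overwrite(path: str) -> int:
    """Overwrite every byte of path with FILL and flush to disk. Returns size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        done = 0
        while done < size:
            chunk = FILL[: min(len(FILL), size - done)]
            f.write(chunk)
            done += len(chunk)
        f.flush()
        os.fsync(f.fileno())
    return size


def wipe_file(path: str) -> int:
    """Overwrite a regular file, then unlink it.

    Unlinking alone only drops the directory entry and frees the blocks; the
    old bytes stay on the medium for an undelete tool. Overwriting first is
    what makes recovery of the file contents impossible."""
    size = _overwrite(path)
    os.unlink(path)
    return size


def recursive_wipe(root: str) -> dict:
    """Depth-first walk from root; wipe regular files outside STANDARD_DIRS.

    Returns {'wiped': [...], 'skipped': [...]} with root-relative paths."""
    report = {"wiped": [], "skipped": []}

    def rel(p: str) -> str:
        return os.path.relpath(p, root).replace(os.sep, "/")

    for dirpath, dirnames, filenames in os.walk(root, topdown=True):
        top = rel(dirpath).split("/")[0]
        if top in STANDARD_DIRS:
            report["skipped"] += [rel(os.path.join(dirpath, f)) for f in filenames]
            dirnames[:] = []  # prune: do not descend into the protected tree
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            wipe_file(full)
            report["wiped"].append(rel(full))
    return report


def wipe_device(dev_path: str) -> int:
    """Overwrite a storage device node end-to-end.

    Here dev_path is an ordinary file standing in for a flash block device.
    Wiping the device underneath the filesystem is what defeats
    filesystem-level recovery entirely."""
    return _overwrite(dev_path)


def demo() -> dict:
    """Build a constructed 'root filesystem', run both wipe stages, and report.

    The tree and its contents are made up for this demo; the directory is
    removed before returning."""
    root = tempfile.mkdtemp(prefix="wiper-sim-")
    layout = {
        "etc/config.cfg": b"ssid=home\nkey=hunter2\n",
        "usr/data/telemetry.bin": b"\x01\x02\x03" * 100,
        "bin/busybox": b"\x7fELF stand-in",
        "dev/mtdblock0": b"\x00" * 8192,  # stand-in for the onboard flash
    }
    try:
        for relpath, data in layout.items():
            full = os.path.join(root, relpath)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        report = recursive_wipe(root)
        dev = os.path.join(root, "dev/mtdblock0")
        report["device_bytes"] = wipe_device(dev)
        with open(dev, "rb") as f:
            report["device_erased"] = set(f.read()) == {0xFF}
        report["config_exists"] = os.path.exists(os.path.join(root, "etc/config.cfg"))
        with open(os.path.join(root, "bin/busybox"), "rb") as f:
            report["busybox_intact"] = f.read() == layout["bin/busybox"]
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return report


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the first stage leaving the protected directories alone (so the box keeps running until the second stage), and the second stage turning the whole "flash" into 0xFF. On a real modem that second stage is the one that decides whether a factory reset can help: if the erased region held the bootloader or recovery image and the flash cannot be reprogrammed without a programming port, the unit is bricked.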
Was there any effect on the Ukrainian military?
The effect of the attack on the Ukrainian military is hard to pin down for several reasons. First, a military is unlikely to describe the effects of an attack in detail, as doing so tells the opposition how effective it was. Second, information from military forces is generally limited in wartime, as they are more concerned with active campaigns than with writing press releases. Third, large portions of the Ukrainian military, including command centres, were hit in the first hours of the invasion, leaving parts of the force somewhat fragmented and communications difficult, which makes the disruption caused by the Viasat attack alone hard to isolate.
Finally, the Ukrainian military has been helped enormously by UK and US intelligence, which provides target data, satellite imagery, and confidential information from the Russian side, and which may be far more valuable than the satellite communications network. The Ukrainian military may even have been given access to US satellites for communication (as has already happened with Elon Musk's Starlink).
Ukraine has been under near-constant Russian cyberattack for the past decade, and in that time it has built up strong defences. We cannot say for sure what impact the Viasat attack had on Ukraine, but what we can be sure of is that Ukraine continues to resist and push back the Russian invaders regardless.