WP: Russian military behind hack of satellite communication devices
Not yet official, but the U.S. intelligence community seems to continue its rapid release of intelligence. I think everyone was expecting it, especially since Viasat executives declined to say it earlier this week at the SATCOM 2022 conference. https://www.washingtonpost.com/national-security/2022/03/24/russian-military... By Ellen Nakashima Today at 10:25 p.m. EDT U.S. intelligence analysts have concluded that Russian military spy hackers were behind a cyberattack on a satellite broadband service that disrupted Ukraine’s military communications at the start of the war last month, according to U.S. officials familiar with the matter. The U.S. government, however, has not announced its conclusion publicly. [...] The modems were part of Viasat’s European satellite network, KA-SAT. The company uses distributors in Europe to sell Internet service, which relies on modems, to customers. The company is shipping new modems to the distributors so they can get them to affected customers, the official said.
Point to multipoint / TDMA contended access VSAT hub and CPE networks are well known for not having much security. In many setups the remote CPE modems, which are built from a fairly cheap BOM of hardware, implicitly trust the hub linecard. Have seen this with 3 different vendors' platforms. I'd be willing to bet that this was either a malicious firmware push that was applied to the CPEs without proper authentication methods being in place, such as CPEs being able to verify a crypto key signed firmware signature, or a configuration file pushed to the CPEs that knocked them off the network with incorrect RF/channel/modulation/timing parameters. Note that the Viasat KA-SAT terminals are at the very lower end of the market for contended access (64:1 or more) consumer/small business grade geostationary VSAT. Which is why it sort of makes sense that a lot of them were used for low data rate SCADA for wind farms and such. On Thu, 24 Mar 2022 at 20:48, Sean Donelan <sean@donelan.com> wrote:
Not yet official, but the U.S. intelligence community seems to continue its rapid release of intelligence. I think everyone was expecting it, especially since Viasat executives declined to say it earlier this week at the SATCOM 2022 conference.
https://www.washingtonpost.com/national-security/2022/03/24/russian-military... By Ellen Nakashima Today at 10:25 p.m. EDT
U.S. intelligence analysts have concluded that Russian military spy hackers were behind a cyberattack on a satellite broadband service that disrupted Ukraine’s military communications at the start of the war last month, according to U.S. officials familiar with the matter.
The U.S. government, however, has not announced its conclusion publicly.
[...]
The modems were part of Viasat’s European satellite network, KA-SAT. The company uses distributors in Europe to sell Internet service, which relies on modems, to customers. The company is shipping new modems to the distributors so they can get them to affected customers, the official said.
On Fri, 25 Mar 2022, Eric Kuhnke wrote:
I'd be willing to bet that this was either a malicious firmware push that was applied to the CPEs without proper authentication methods being in place, such as CPEs being able to verify a crypto key signed firmware signature, or a configuration file pushed to the CPEs that knocked them off the network with incorrect RF/channel/modulation/timing parameters.
https://www.airforcemag.com/hackers-attacked-satellite-terminals-through-man... “The terminal management network … that manages the KA-SAT network, and manages other Eutelsat networks—that network was penetrated,” said one Viasat official. “And from there, the hackers were able to launch an attack against the terminals using the normal function of the management plane of the network.” [...] The attack compromised the management plane—the part of the network that controls customer terminals to ensure they can communicate with the satellite, the Viasat officials said. The hackers had abused that functionality to change the software configuration on the terminals and render them inoperable. But, contrary to some early reports, the attack did not brick the terminals. “It did not make them permanently inoperable,” said the second official. “Every single terminal that was knocked off the air can be brought back with a software update.” Although the network is generally capable of updating terminals over the air, by downloading new software via the satellite link, many of the terminals attacked cannot be brought back online by the customer, and so can’t get the required update over the air. Those will have to be updated by tech support staff, the first official said. [...] Despite this, Viasat was now bringing “thousands of terminals back online per day, and will have the network completely restocked and back to full capacity within a few weeks,” the first official said. [...] Editor’s Note: This story was updated at 3:15 p.m. on March 25 to correct some technical issues with how the KA-SAT network and other assets were described
participants (2)
-
Eric Kuhnke
-
Sean Donelan