Military officials and civilian security researchers have been warning us for years: cyber attacks are becoming a very real part of modern warfare. While not limited to military targets, cyber attacks can take down everything from critical public infrastructure to commercial and industrial activities.
In the early hours of February 24, as invading Russian forces began firing missiles at Ukrainian cities, another attack was underway on the digital front. Satellite terminals across Europe suddenly went offline, and many terminals suffered permanent damage.
The details remain unclear, but researchers and military analysts have pieced together a picture of what happened that night. The Great Euro Sat Hack proved to be the latest example of how vulnerable our digital infrastructure can be in wartime.
A network is only as secure as its weakest point
The KA-SAT satellite, owned by the US company Viasat, was launched in 2010. It provides broadband satellite internet across Europe, with some limited coverage extending to parts of the Middle East. Customers of the service include residential users across Europe as well as many industrial systems.
On February 24, as Russian forces launched their full-scale offensive in Ukraine, the KA-SAT system came under attack as well. Before dawn, thousands of terminals suddenly went offline. The outage was not confined to Ukraine: users in Greece, Poland, Italy, Hungary and Germany were all affected.
Significantly, remote management of 5,800 wind turbines in Germany was cut off. With the satellite links down, the turbines could no longer be monitored through their SCADA system. Fortunately, grid stability was not affected, according to operator ENERCON, since grid operators control the input of wind energy into the grid through other means.
Preliminary reports speculated that a distributed denial-of-service (DDoS) attack could be responsible. This type of attack, in which a flood of traffic is used to overwhelm a network or server, is relatively simple, and its effects are usually short-lived.
However, it quickly became clear that a more serious attack had taken place. Researchers analyzing the aftermath noted that many terminals had been permanently taken offline and were no longer operational. Data gradually emerged from various sources indicating that the satellite itself had not been manipulated, damaged or physically attacked. The problem therefore most likely lay in the ground segment of the KA-SAT network.
More than a month after the attack, Viasat issued a statement explaining its scale and nature. According to the company, the attack began at 03:02 AM UTC on a consumer-oriented partition of the KA-SAT network, as a denial-of-service attack carried out by SurfBeam 2 and SurfBeam2+ modems. These modems, located in Ukraine, were generating large volumes of malicious traffic and preventing legitimate users from staying online. Viasat's technical teams worked to block the malicious modems from the network, but more kept appearing as the team removed them.
Meanwhile, modems on the affected partition were slowly dropping offline. This accelerated sharply at 4:15 AM, when a massive number of modems across Europe disconnected from the KA-SAT network, all on the same consumer partition. The modems that dropped off stayed off: none attempted to reconnect to the satellite network.
Later analysis revealed that the management system of the KA-SAT network had been breached through an “incorrect configuration in the VPN appliance”. The attackers gained access to the management network and used it to issue commands to the network's residential modems, corrupting their flash memory and disabling them.
Later, security researcher Ruben Santamarta was able to get his hands on a damaged SurfBeam2 modem, as well as a clean device untouched by the attack. He dumped the flash memory of both modems. Compared to the clean device, the flash memory of the compromised modem was heavily corrupted, leaving it inoperable. In some cases the damage was so complete that affected modems would not even show a status light when powered on. 0,000 replacement modems were eventually shipped to customers so that they could get back online in the weeks following the attack.
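As an added illustration of the kind of flash-image comparison described above (not Viasat's or the researcher's own tooling), the following Python classifies each erase block of a damaged dump as intact, erased, zeroed or overwritten relative to a clean reference; the block size and both images are constructed for the example.

```python
"""Block-level comparison of two firmware flash dumps (added example).

The idea: dump flash from a known-good unit and from a bricked one, then
walk both images block by block to see *how* the damage looks (erased to
0xFF, zero-filled, or overwritten with other data). Constructed data only.
"""
from collections import Counter

BLOCK = 64  # constructed block size; real erase blocks are far larger


def classify_block(ref: bytes, dmg: bytes) -> str:
    """Label one block of the damaged image relative to the reference."""
    if dmg == ref:
        return "intact"
    if all(b == 0xFF for b in dmg):
        return "erased"        # a NOR erase leaves every bit set
    if all(b == 0x00 for b in dmg):
        return "zeroed"
    return "overwritten"       # differs, but not a plain erase pattern


def compare_dumps(reference: bytes, damaged: bytes, block: int = BLOCK) -> dict:
    """Return per-block labels plus a count of each label.

    Both images must cover the same region of the same part.
    """
    if len(reference) != len(damaged):
        raise ValueError("dump sizes differ; compare equal-sized regions")
    labels = [
        classify_block(reference[off:off + block], damaged[off:off + block])
        for off in range(0, len(reference), block)
    ]
    return {"labels": labels, "summary": dict(Counter(labels))}


def first_corrupted_offset(result: dict, block: int = BLOCK):
    """Byte offset of the first non-intact block, or None if images match."""
    for i, label in enumerate(result["labels"]):
        if label != "intact":
            return i * block
    return None


# Constructed sample: a 4-block "clean" image and a copy with three kinds of damage.
CLEAN = bytes(range(256))                        # 4 blocks of 64 bytes
BRICKED = (
    CLEAN[0:64]                                  # block 0 intact
    + b"\xff" * 64                               # block 1 erased
    + b"\x00" * 64                               # block 2 zeroed
    + bytes(b ^ 0x5A for b in CLEAN[192:256])    # block 3 overwritten
)

if __name__ == "__main__":
    res = compare_dumps(CLEAN, BRICKED)
    print(res["summary"], first_corrupted_offset(res))
```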
Some questions remain about the attack. The bricking of the modems following the initial DDoS also points to a well-planned, multi-stage operation that was prepared in advance. There are also incidental questions, such as why German power infrastructure was affected by an attack limited to residential modems on a consumer network partition.
These specific issues are of interest to security researchers and to the company involved. More broadly, though, the incident shows that cyber attacks can and will be used against real infrastructure in times of war. Furthermore, the effects will not necessarily be limited to the target area or to the military. It is very easy for such attacks to have a wide downstream impact when our networks span national borders.
Overall, this is a stark reminder of the inherent weaknesses in much of our infrastructure. This time it was satellite internet; next time it could be the water supply or the health system. In all of these cases the stakes are high, so there is good reason to invest in improving security wherever possible.