For many of us, February 24, 2022, was just a regular day, while for Ukraine it was the day when everything changed. Did Russia become more sophisticated at taking over countries? Who is next?
The cyberattacks, which started about an hour before the ground invasion, resulted in a partial interruption of the KA-SAT consumer-oriented satellite network, which is owned by the US-based satellite telecommunications company ViaSat. (Aerospace America, 2022)
ViaSat's dual-use network, which served civilians, the US government and military, NATO, UK marine forces and the Ukrainian army, made it a tempting target. (ViaSat, 2022) However, although the Ukrainian military was perceived as the main target, private and commercial internet users were affected as well, as were wind farms in central Europe. (Cyber Peace Institute, 2022) The cyberattacks' purpose was to disrupt communication networks, hinder Ukraine's ability to respond to the military attack, and create confusion. (Canadian Centre for Cyber Security)
An hour before the invasion, malicious traffic was detected emerging from several SurfBeam 2 and SurfBeam 2+ modems and/or associated customer premises equipment (CPE) physically located within Ukraine. The modems were allegedly serviced by a Eutelsat subsidiary, Skylogic, which was in charge of managing a partition of the overall KA-SAT network, specifically BAP1 and BAP2. Ruben Santamarta's research allegedly revealed that at the time of the attack Skylogic relied on Fortinet appliances for VPN services; in 2021 the Russian group "Groove" had leaked almost half a million credentials for Fortinet VPN appliances. Although Fortinet had developed and released a patch for the underlying vulnerability, it is presumed that Skylogic had not deployed it at the time of the attack. (Mura, Alessandro, Università di Bologna)
Russia's cyberattack on Ukraine, carried out just before the full-scale invasion of February 24, 2022, allegedly involved two key components that significantly impaired the network's functionality: (Cyberscoop, 2023)
- The deployment of the AcidRain wiper malware against various sectors. Although designed to erase data from modems and routers connected to the KA-SAT network, it did not directly harm the satellite or other physical infrastructure. According to SentinelLabs, the wiper was an "Executable and Linkable Format" (ELF) binary, the standard executable format on Linux and Unix-based systems, compiled for the MIPS processors used in the end users' modems; and
- A DDoS (Distributed Denial-of-Service) attack, designed to overwhelm the network with a large volume of requests, which required "highly technical knowledge of ViaSat's network and protocols", combined with targeting of terminals to prevent them from rejoining the network. Kaspersky defines a DDoS as a "type of attack that takes advantage of the specific capacity limits that apply to any network resources – such as the infrastructure that enables a company's website". In this case, the attack was aimed at impairing the functioning of the "Dynamic Host Configuration Protocol" (DHCP) server.
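As an added illustration of the file-format point above (this is example code written for this page, not AcidRain itself and not code from SentinelLabs or ViaSat): an ELF file announces its target architecture in its header, so a defender triaging binaries recovered from modem firmware or from a capture can flag anything built for the modem's MIPS CPU without executing it. The headers below are constructed test data, not real samples, and the function names are this example's own.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EM_MIPS = 8
ET_EXEC, ET_DYN = 2, 3

# e_machine values from the ELF specification; the names are for reporting only.
MACHINE_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(data: bytes) -> dict:
    """Parse the ELF header fields needed to classify a binary.

    Raises ValueError for anything that is not a plausible ELF file, so callers
    can distinguish "unparseable" from "ELF but not MIPS".
    """
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS (1=32-bit, 2=64-bit), EI_DATA (1=LE, 2=BE)
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine and e_version immediately follow the 16-byte e_ident.
    e_type, e_machine, e_version = struct.unpack(endian + "HHI", data[16:24])
    if e_version != 1:
        raise ValueError("unexpected e_version")
    return {
        "bits": 32 if ei_class == 1 else 64,
        "big_endian": ei_data == 2,
        "type": e_type,
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
        "machine_id": e_machine,
    }


def is_mips_executable(data: bytes) -> bool:
    """True for an ELF executable or shared object built for MIPS."""
    try:
        hdr = parse_elf_header(data)
    except ValueError:
        return False
    return hdr["machine_id"] == EM_MIPS and hdr["type"] in (ET_EXEC, ET_DYN)


def build_elf_header(machine: int, bits: int, big_endian: bool, e_type: int = ET_EXEC) -> bytes:
    """Build a minimal, zero-filled ELF header. Constructed test data only."""
    endian = ">" if big_endian else "<"
    # e_ident: magic, EI_CLASS, EI_DATA, EI_VERSION, then OS/ABI and padding.
    e_ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1]) + b"\x00" * 9
    if bits == 32:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize ...
        rest = struct.pack(endian + "HHIIIIIHHHHHH", e_type, machine, 1, 0, 0, 0, 0, 52, 32, 0, 40, 0, 0)
    else:
        rest = struct.pack(endian + "HHIQQQIHHHHHH", e_type, machine, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)
    return e_ident + rest


# Constructed samples: a 32-bit big-endian MIPS executable (the kind of binary a
# MIPS modem would run), a 64-bit x86-64 executable, and a non-ELF blob.
SAMPLES = {
    "modem_bin": build_elf_header(EM_MIPS, 32, big_endian=True),
    "server_bin": build_elf_header(62, 64, big_endian=False),
    "not_elf": b"MZ" + b"\x00" * 62,
}


def triage(samples: dict) -> list:
    """Return the names of the samples that are MIPS ELF executables."""
    return [name for name, blob in samples.items() if is_mips_executable(blob)]


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        try:
            print(name, parse_elf_header(blob))
        except ValueError as exc:
            print(name, "skipped:", exc)
    print("flagged:", triage(SAMPLES))
```

A real scanner would walk the unpacked firmware filesystem and feed each file to is_mips_executable. Note that e_machine only says where a file can run, not whether it is malicious; the check is useful for narrowing a pile of artefacts to the ones that could execute on the modem, and should be paired with an allowlist of known-good firmware hashes.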
Although not yet classified as a war crime under international law, a DDoS attack is considered a serious cybercrime with significant legal and practical consequences, given its use as a tactic in geopolitical conflicts to disrupt infrastructure and essential services.
In an effort to restore connections, more than 30,000 replacement devices were allegedly sent to customers. Although ViaSat has refrained from disclosing the exact number of devices affected by the attacks, the European Union Agency for Cybersecurity (ENISA) is aware of at least 27,000 impacted modems.
Although the international community broadly agrees on the purpose of the February 24 attacks in the context of the invasion, Russia denies carrying out the alleged cyberattacks, and without hard evidence all we have is suspicion. And although the Russia-Ukraine conflict continues to be fought in the physical realm, it has shown how wars between highly cyber-capable states might play out in the future.
Based on the technical details ViaSat provided 34 days after the incident, the following are some of the weaknesses, and the missing security controls, that contributed to the incident:
- Exploitation of a misconfiguration in a VPN appliance, operated by Skylogic and located in Turin, Italy, which allowed the attackers to gain access to the trusted management segment of the KA-SAT network. Because outsourcing often lies at the heart of this broader vulnerability, enforcing a unified cybersecurity policy across operators becomes very challenging.
- Supply chain vulnerabilities. The attack exploited a vulnerability in a third-party component, specifically a binary used for DDNS updates. ViaSat's lack of access to the source code for this component revealed a weakness in supply chain security, and highlights the importance of evaluating supplier products and ensuring they adhere to strong security practices.
- Inadequate incident response. Given the organizational complexity and geographical dispersion, there was an apparent lack of coordination between ViaSat, Eutelsat and Skylogic, which presumably left the network unprepared to be a military target. A more robust incident response plan, including regular testing and updates, could have helped to minimize the impact of the attack.
- Lack of robust access controls. Once inside the management segment, the attackers were able to execute commands that wiped the modems' storage, disrupting service. This highlights the need for stronger access controls, such as segmentation of the management plane and authorization checks on management commands, to limit the impact of a breach and prevent unauthorized commands from being executed.
- Inadequate firmware security. The attack also targeted ViaSat modems, and the inability to update firmware remotely made it difficult to patch vulnerabilities. This emphasizes the need for robust security at the firmware level and the importance of designing systems with secure update capabilities.
In light of current developments in the cybersecurity of strategic infrastructure, in particular space infrastructure, and in cyberwarfare, it is important to consider the following consequences for the security industry:
- Dual-use technologies. Despite being a private firm, ViaSat was serving both civilian and military purposes. At issue is whether privately owned companies can be considered military targets in times of war. According to an article published by the Center for Strategic & International Studies (CSIS) on November 10, 2022, a senior Russian ministry official warned that commercial satellites "may become a legitimate target of retaliation".
- Organizational complexity and "responsibility gaps". Although governments and public actors share an interest in providing a level of security appropriate to these strategic infrastructures, the private actors who operate them have little or no incentive to provide more security than is efficient according to a logic of profitability. In this case, ViaSat had no economic incentive to incur the costs necessary to implement a cybersecurity policy that could render the KA-SAT infrastructure "war-proof", which had consequences for the overall security of the Ukrainian state and, indirectly, for US interests and policies in the region.
To avoid incidents affecting the security of cyberspace, and in particular space infrastructure, the following recommendations should be considered:
- An in-depth look at the vulnerabilities introduced by the entry of the private sector into space infrastructure. The European Union Agency for Cybersecurity (ENISA) recommends, among other things, an extended cybersecurity control framework tailored to the needs of commercial satellite operators.
- Address "responsibility gaps" in cyberspace.
- Build critical infrastructure that is reliable, resilient and redundant.
- Design defenses on the assumption that your system will be breached, and take supply chain risks into account, because cybersecurity is not just a technology problem; it is a people, process and knowledge problem.
- The US's lack of strict security requirements for satellite networks, together with staffing and financial pressures, forces most companies to focus on specific parts of the process and outsource the rest. This creates an opportunity for malicious actors to target one or more vendors in the supply chain. One recommendation is to develop forward-looking, objective-based Reliability Standards that promote the following objectives: software integrity and authenticity; vendor remote access protections; information system planning; and vendor risk management and procurement controls.
- Because even well-designed products may have malicious components introduced in the supply chain, which can be difficult to identify before deployment, it is important to be aware that a vulnerability at any link in the chain can result in risk to the end user. These risks, like the supply chains themselves, are global, multidimensional and constantly evolving. Cyber supply chain risks may stem from the insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development processes.
- Another important factor is to include an independent assessment or third-party accreditation process for vendors as part of the supply chain risk management strategy. Such assessment would not only help entities increase their confidence that vendors' products and services effectively implement supply chain cybersecurity controls and measures, but also aid compliance with the proposed Reliability Standards.
The prominent role of cyber operations in the nearly ten-year Russia-Ukraine war highlights the need to evolve our understanding with respect to (1) developing expertise in cyber defense, by setting up firewalls, protecting critical infrastructure, threat hunting and data migration, as Ukraine did with the assistance of Microsoft and Palo Alto Networks; (2) passing laws permitting data migration to foreign servers for the purpose of safeguarding Ukraine's data, as Ukraine did with the help of Google and Cisco; and (3) the law of neutrality.
While the application of the law of neutrality to DDoS attacks is a complex and evolving area of international law, a responsible neutral state should balance its obligation to prevent hostile acts against the practical difficulties of monitoring and controlling its cyber infrastructure and the potential for unintended consequences.