March 11 (Reuters) - Western intelligence agencies are
investigating a cyberattack by unidentified hackers that
disrupted broadband satellite internet access in Ukraine
coinciding with Russia's invasion, according to three people
with direct knowledge of the incident.
Analysts for the U.S. National Security Agency, French
government cybersecurity organization ANSSI, and Ukrainian
intelligence are assessing whether the remote sabotage of a
satellite internet provider's service was the work of
Russian state-backed hackers preparing the battlefield by
attempting to sever communications.
The digital blitz on the satellite service began on Feb. 24
between 5 a.m. and 9 a.m., just as Russian forces started going
in and firing missiles, striking major Ukrainian cities
including the capital, Kyiv.
The consequences are still being investigated but satellite
modems belonging to tens of thousands of customers in Europe
were knocked offline, according to an official of U.S.
telecommunications firm Viasat, which owns the affected network.
The hackers disabled modems that communicate with Viasat
Inc's KA-SAT satellite, which supplies internet access to some
customers in Europe, including Ukraine. More than two weeks
later some remain offline, resellers told Reuters.
What appears to be one of the most significant wartime
cyberattacks publicly disclosed so far has piqued the interest
of Western intelligence because Viasat acts as a defense
contractor for both the United States and multiple allies.
Government contracts reviewed by Reuters show that KA-SAT
has provided internet connectivity to Ukrainian military and
police units.
Pablo Breuer, a former technologist for U.S. special
operations command, or SOCOM, said knocking out satellite
internet connectivity could handicap Ukraine’s ability to combat
Russian forces.
"Traditional land-based radios only reach so far. If you’re
using modern smart systems, smart weapons, trying to do combined
arms maneuvers, then you must rely on these satellites," said
Breuer.
The Russian Embassy in Washington did not immediately return
a message seeking comment. Moscow has repeatedly rejected
allegations that it participates in cyberattacks.
Russian soldiers have besieged Ukrainian cities in what the
Kremlin describes as a "de-Nazification" operation that has been
denounced by the West as an unprovoked assault and led to severe
sanctions against Moscow as punishment.
MODEMS INOPERATIVE
Viasat said in a statement that the disruption for customers
in Ukraine and elsewhere was triggered by a "deliberate,
isolated and external cyber event" but has yet to provide a
detailed, public explanation of what happened.
"The network is stabilized and we are restoring service and
activating terminals as quickly as possible," spokesperson Chris
Phillips said in an email, adding that the company was
prioritizing "critical infrastructure and humanitarian
assistance."
The affected modems appeared to be completely inoperative,
according to Jaroslav Stritecky, who runs Czech
telecommunications company INTV. Normally, he said, the four
status lights on the curved, SurfBeam 2 modems would indicate
whether they were connected to the internet. After the attack,
the lights on the Viasat-made devices would not turn on at all.
The Viasat official said a misconfiguration in the
"management section" of the satellite network had allowed the
hackers remote access into the modems, knocking them offline. He
said most of the affected devices would need to be reprogrammed
either by a technician on site or at a repair depot and that
some would have to be swapped out.
The Viasat official wasn’t explicit about what the
"management section" of the network referred to and declined to
provide further details. KA-SAT and its associated ground
stations, which Viasat purchased last year from European company
Eutelsat, are still operated by a Eutelsat subsidiary.
Eutelsat referred questions back to Viasat.
Viasat has hired U.S. cybersecurity firm Mandiant, which
specializes in tracking state-sponsored hackers, to investigate
the intrusion, according to two people familiar with the matter.
Spokespeople for the NSA, ANSSI, and Mandiant declined to
comment.
Viasat said government clients who procured services
directly from the company were unaffected by the disruption. The
KA-SAT network is operated, however, by a third party, which in
turn farms out service through various distributors.
Over the past several years Ukraine's military and security
services have purchased several different communications systems
that run over Viasat’s network, according to contracts posted on
ProZorro, a Ukrainian transparency platform.
A message seeking comment from the Ukrainian military was
not immediately returned.
Some internet distributors are still waiting to replace
their devices.
Stritecky, the Czech telecom executive, said he did not
blame Viasat.
He recalled coming into work on the morning of the invasion
and seeing a monitor showing regional satellite coverage in the
Czech Republic, neighboring Slovakia, and Ukraine all in red.
"It was immediately clear what happened," he said.
(Reporting by James Pearson, Raphael Satter, Christopher Bing
and Joel Schectman; Editing by Chris Sanders and Grant McCool)