The biggest hack since Russia’s war began knocked thousands of people offline. The spillover extends deep into Europe.
More than 22,000 miles above Earth, the KA-SAT is locked in orbit. Traveling at 7,000 miles per hour, in sync with the planet’s rotation, the satellite beams high-speed internet down to people across Europe. Since 2011, it has helped homeowners, businesses, and militaries get online. However, as Russian troops moved into Ukraine during the early hours of February 24, satellite internet connections were disrupted. A mysterious cyberattack against the satellite’s ground infrastructure—not the satellite itself—plunged tens of thousands of people into internet darkness.
Among them were parts of Ukraine’s defenses. “It was a really huge loss in communications in the very beginning of war,” Viktor Zhora, a senior official at Ukraine’s cybersecurity agency, the State Services for Special Communication and Information Protection (SSSCIP), reportedly said two weeks later. He did not provide any more details, and SSSCIP did not respond to WIRED’s request for comment. But the attack against the satellite internet system, owned by US company Viasat since last year, had even wider ramifications. People using satellite internet connections were knocked offline all across Europe, from Poland to France.
Almost a month after the attack, the disruptions continue. Thousands still remain offline across Europe—around 2,000 wind turbines are still disconnected in Germany—and companies are racing to replace broken modems or fix connections with updates. Multiple intelligence agencies, including those in the US and Europe, are also investigating the attack. The Viasat hack is arguably the largest publicly known cyberattack to take place since Russia invaded Ukraine, and it stands out for its impact beyond Ukraine’s borders. But questions about the details of the attack, its purpose, and who carried it out remain—although experts have their suspicions.
Satellite internet connections are often used in areas with low cable coverage and are used by everyday citizens, as well as official organizations. The setup is different from your typical home or office Wi-Fi network, which mostly rely on wired broadband connections. “Satellite communications are composed of three main components,” says Laetitia Cesari Zarkan, a consultant at the United Nations Institute for Disarmament Research and a doctoral student at the University of Luxembourg. First, there is the spacecraft that’s in orbit, which is used to send “spot beams” back to Earth; these beams provide internet coverage to specific areas on the ground. These beams are then picked up by a satellite dish on the ground. They can be attached to the sides of buildings but also are on planes and power inflight Wi-Fi. And finally, there are ground networks, which communicate with and can configure people’s systems. “The ground network is a collection of earth stations connected to the internet by fiber-optic cables,” Zarkan says.
Aside from Zhora’s comment, the Ukrainian government has remained tight-lipped about the attack. However, satellite communications, also known as SATCOM, appear to be frequently used in the country. Ukraine has the world’s most transparent system for tracking government spending, and multiple government contracts show that the SSSCIP and police have purchased the technology. For instance, during Ukraine’s 2012 elections, more than 12,000 satellite internet connection points were used to monitor voting, official documents spotted by European cybersecurity firm SEKOIA.IO show.
“To disrupt satellite communications, most people—myself included—would look at the signal in space, because it’s exposed,” says Peter Lemme, an aviation specialist who also writes about satellite communications. “You can transmit signals toward the satellite that would effectively jam its ability to receive signals from legitimate modems.” Elon Musk has claimed that Starlink satellite systems he sent to Ukraine have faced jamming attacks.
However, the attack against Viasat may not have involved jamming. The attack against the network was a “deliberate, isolated, and external cyber event,” according to Viasat spokesperson Chris Phillips. The attack only impacted fixed broadband customers and didn’t cause disruption to airlines or Viasat’s US government clients, the company says, and no customer data was impacted. However, people’s modems have not been able to connect to the network, and they have been “rendered unusable.”
On Tuesday, Viasat chair Mark Dankberg told a satellite conference that the company purchased the KA-SAT in Europe last year, and its customer base is still being operated by a third party as part of the transition. “We believe for this particular event it was preventable, but we didn’t have that capability in that case,” Dankberg said, confirming that thousands of modems were taken offline. “In most of the cases of the modems that went offline, they need to be replaced. They can be refurbished, so we’re recycling modems through,” Dankberg said.
“There is no evidence to date of any impairment to the KA-SAT satellite, core network infrastructure, or gateways due to this incident,” Phillips says in a statement. Instead, Viasat says the cyberattack was the result of a misconfiguration in a “management section” of its network, as first reported by Reuters. The company declined to provide any more details on the technical nature of the incident, citing ongoing investigations. Viasat says it is now focusing on recovering from the partial outage.
No government has officially attributed the attack to Russia, despite speculation it may have caused the attack to disrupt communications in Ukraine. Dankberg told CNBC on Monday that he couldn’t confirm whether Russia was behind the attack and that governments would be the source of such attribution. It is rare for governments to quickly attribute cyberattacks to a country or actor, as investigations are complex and take time to complete.
However, Western officials say the attack would be in keeping with Russia’s playbook. “Were it to be attributed ultimately to Russia, it would very much fit within what we would expect them to do, which is to use their cyber capabilities to ultimately support their military campaign,” Western officials told reporters during an on-background briefing last week. The US National Security Agency (NSA), and ANSSI, France’s cybersecurity agency, are investigating the hack. The US Federal Bureau of Investigation has issued an advisory with the US Cybersecurity and Infrastructure Security Agency (CISA) that warns of SATCOM hacks. “CISA remains concerned about the threat to US and allies’ satellite communications networks,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a statement.
Hacking threats to SATCOM aren’t new. In 2014 security researcher Ruben Santamarta published research showing the many ways satellite communications could potentially be hacked. In 2018, Santamarta’s follow-up research demonstrated how this could be done, including a focus on satellite systems in military situations. Santamarta says it is possible the attackers in the Viasat case—although their identity and motive are unknown—may have been able to deploy a malicious firmware update that sabotaged customer modems.
“We have the option that the intended goal of the attackers was to actually break the terminals in order to disable the communications,” Santamarta says. “Or maybe they were expecting to deploy a specific payload to maybe eavesdrop on communications and something went wrong and the terminals were bricked. At this point, we don’t know what really happened.”
While many of the details of the Viasat hack are still unraveling—independent security researchers are examining the code on bricked modems—its impacts have been widely felt. The cyberattack appears to be a prominent example of spillover, where an attack spreads, either intentionally or accidentally, beyond its original target. In the months leading up to Russia’s invasion of Ukraine, cybersecurity experts and governments warned that spillover damage is a huge international threat. In June 2017, for example, Russia’s NotPetya worm spread beyond its original targets in Ukraine and caused more than $10 billion of damage around the world.
“It looks like the clearest example of spillover, whether it was or was not the most disruptive activity that was undertaken at the time,” Western officials say of the Viasat incident. The fallout seems to have spread far and wide. Satellite internet providers in Germany, the UK, France, the Czech Republic, and more saw their services impacted by the outage. Users on a satellite internet forum reported problems as far away as Morocco. “It’s hard to go for a week without the internet, but if there is no other alternative access, you just have to wait,” one user in Poland complained. The EU Agency for Cybersecurity, which is also investigating the incident, says it is aware of 27,000 users impacted by the outage, a figure first reported by WIRED Italy.
In one of the first signs the hack was taking place, more than 5,800 wind turbines belonging to the German energy company Enercon were knocked offline. The disruption did not stop the turbines from spinning, but it means they can’t be reset remotely if there is a fault, says Enercon spokesperson Felix Rehwald. So far Enercon has managed to get 40 percent of the affected turbines back online, and its teams are replacing their satellite modems. “We do not believe that it was aiming at us or our customers. It seems that we are sort of ‘collateral damage,’” Rehwald says.
The recovery from the incident is likely to take more time. Viasat says it is getting hundreds of customers online every day and providing people with new modems or issuing software updates that can fix their systems remotely. Jaroslav Stritecky, the CEO of Czech internet provider INTV, says the company has been contacting all of its SATCOM customers to see if they need new modems, and it will likely need to replace the majority of those that were affected. Stritecky says the work may be completed by the end of March. “The question is if there are enough new modems to provide or to support everyone,” he adds.
So far, satellites have played an important role during the war in Ukraine. They’ve been used to capture intelligence on Russian troop movements and provided an essential way for people to communicate. But there may be legal issues that unfold around the hack. Almudena Azcárate Ortega, an associate researcher at the United Nations Institute for Disarmament Research, points out that as satellite systems are used for both civilian and military purposes by multiple countries, they can sit in a complex area when it comes to international law.
“If you target a satellite that is providing certain services to a specific country involved in a conflict, you might also be depriving a neutral country of the services that same satellite provides, therefore breaching that rule of neutrality,” Ortega says. “The reverberating effects of attacking these infrastructures can have effects that would be very deeply felt by civilians.”