Hackers Attacked Satellite Terminals Through Management Network, Viasat Officials Say

The cyberattack that cut communications for thousands of European users of Viasat’s satellite broadband service last month was carried out by hackers compromising and exploiting the system that manages customer terminals, two Viasat officials told Air Force Magazine.

The attack, which happened as Russian forces rolled into Ukraine on Feb. 24, affected tens of thousands of terminals in Ukraine and across Europe, which were part of the KA-SAT network, a satellite broadband asset that Viasat bought last year from French satcom giant Eutelsat. End users affected included some in the Ukrainian military, and the attack dramatically demonstrated the vulnerability of commercial satellite communications capabilities on which the U.S. military increasingly relies.

“The terminal management network … that manages the KA-SAT network, and manages other Eutelsat networks—that network was penetrated,” said one Viasat official. “And from there, the hackers were able to launch an attack against the terminals using the normal function of the management plane of the network.”

The official added that Viasat shared information about the hack with DOD and law enforcement agencies. Viasat is one of the commercial satcom companies that are part of the Commercial Integration Cell, or CIC. Located at Vandenberg Space Force Base, Calif., the CIC is based in the Combined Space Operations Center, part of U.S. Space Command, and exists to share “real‐time and near real‐time information … during daily routine operations and to enable rapid, informed response to critical unplanned space events,” according to a fact sheet from Vandenberg public affairs.

Under the transition agreement governing the KA-SAT acquisition, the KA-SAT networks had continued to be managed by Skylogic SPA, an Italian subsidiary of Eutelsat, along with other Eutelsat networks, the Viasat officials said.

The first official contended that the attack would not have succeeded on the global network directly managed by Viasat. “The controls that we have on our … Viasat operated networks would have stopped this. These events that we saw on this [KA-SAT] network, the same effects would not have worked on our global network.”

The Viasat officials said that the attack did not affect users of the KA-SAT network who bought their broadband directly from Viasat, only users inherited as part of the Eutelsat deal.

“Even on that [KA-SAT] network, none of our mobility and none of our government customers were affected—the controls we have around those users kept them safe,” said the first official.

Although the timing of the attack—as Russian tanks rolled across the border—might appear highly suggestive, the Viasat officials said they were not in a position to attribute it to any particular actor.

This week, a senior White House official told reporters that the U.S. government was not yet making any public attribution, either. “We have not yet attributed that attack, but we’re carefully looking at it because … of the impact not only in Ukraine but also in satellite communication systems in Europe as well,” Deputy National Security Adviser for Cyber and Emerging Technologies Anne Neuberger said at a briefing March 21.

She added that the sophistication of the attack, along with its timing, were “certainly factors that … we’re looking at carefully as we look at who is responsible.”

The attack compromised the management plane—the part of the network that controls customer terminals to ensure they can communicate with the satellite, the Viasat officials said. The hackers had abused that functionality to change the software configuration on the terminals and render them inoperable.

But, contrary to some early reports, the attack did not brick the terminals. “It did not make them permanently inoperable,” said the second official. “Every single terminal that was knocked off the air can be brought back with a software update.” Although the network is generally capable of updating terminals over the air, by downloading new software via the satellite link, many of the terminals attacked cannot be brought back online by the customer, and so can’t get the required update over the air. Those will have to be updated by tech support staff, the first official said.

Viasat is replacing some terminals altogether, but only as a matter of convenience, the first official added. “In some cases, it’s easier to just ship new terminals than it is to send a tech out. So there’s a combination of some we’re restoring over the air, some where a tech has to come out and restore, and some where we’re just shipping new terminals.”

Viasat has not disclosed the exact number of terminals affected, but the second official said it was “tens of thousands.” The company said no customer or end-user data was compromised.

Viasat’s response to the hack had been complicated by a number of factors, the officials said. KA-SAT had been a “bandwidth wholesaler,” making deals with distributors and resellers in each European market.

“In the case of the Ukrainian military, in some instances, but also some other users in other countries, they bought commercial [satcom] services through the distributors and then used them for the military,” said the first official. “Because of the distributor relationship, there was a level of abstraction between us and those customers. And so we didn’t even necessarily know who the customers were, or how they were using these assets.”

Moreover, the fact that the distributors had the customer relationship with the end user complicated the process of refurbishing or replacing the inoperable terminals, the first official added. “As we restore the terminals, we send them to the distributors, and it’s the distributors’ responsibility to send them to the users.” Some distributors were “fantastic. And they get them right out to the users.” Others faced challenges due to the ongoing COVID-19 pandemic or other factors and are “sitting on them in their warehouses.”

Despite this, Viasat was now bringing “thousands of terminals back online per day, and will have the network completely restocked and back to full capacity within a few weeks,” the first official said.

The attack prompted a warning to U.S. satellite operators from the FBI and the Cybersecurity and Infrastructure Security Agency, or CISA, the DHS agency responsible for working with the private sector to protect vital American industries such as telecommunications and health care.

Editor’s Note: This story was updated at 3:15 p.m. on March 25 to correct some technical issues with how the KA-SAT network and other assets were described.