KA-SAT Network cyber attack overview

Viasat is providing an overview
and incident report on the cyber-attack against the
KA-SAT network, which occurred on 24 February 2022,
and resulted in a partial interruption of KA-SAT's
consumer-oriented satellite broadband service.

On 24 February 2022, a
multifaceted and deliberate cyber-attack against
Viasat’s KA-SAT network resulted in a partial
interruption of KA-SAT’s consumer-oriented satellite
broadband service. While most users were unaffected
by the incident, the cyber-attack did impact several
thousand customers located in Ukraine and tens of
thousands of other fixed broadband customers across
Europe. This incident was localized to a single
consumer-oriented partition of the KA-SAT network
that is operated on Viasat’s behalf by a Eutelsat
subsidiary, Skylogic, under a transition agreement
Viasat signed with Eutelsat following Viasat’s
purchase of Euro Broadband Infrastructure Sàrl
("EBI"), the wholesale broadband services business
created as part of Viasat's former partnering
arrangement with Eutelsat. The residential broadband
modems affected use the “Tooway” service brand. This
cyber-attack did not impact Viasat’s directly
managed mobility or government users on the KA-SAT
satellite. Similarly, the cyber-attack did not
affect users on other Viasat networks worldwide.

Network stabilization and
security mitigation actions began immediately, and
the network was largely stabilized within hours and
fully stabilized within several days. Viasat also
undertook proactive operational measures to ensure
other essential back-office applications and
reporting/analytics services were not impacted.
These actions were strictly precautionary while
Viasat monitored network behavior and activity.

Viasat, alongside the
third-party incident response and forensics leader
Mandiant, is continuing to work with
Eutelsat/Skylogic, as well as law enforcement and
U.S. and international government agencies, to
investigate the cyber-attack. That investigation is
still ongoing. We believe the purpose of the attack
was to interrupt service. There is no evidence that
any end-user data was accessed or compromised, or that
customer personal equipment (PCs, mobile devices,
etc.) was improperly accessed, nor is there any
evidence that the KA-SAT satellite itself or its
supporting satellite ground infrastructure itself
were directly involved, impaired or compromised.

Viasat is working closely with
the wholesale distributors to bring their customers
back online. Because of the wholesale nature of the
business, Viasat does not typically transact
directly with end-users – instead the distributors
work directly with end-customers and can identify
those affected to provide support for restoring
service. Certain end-customer modems promptly
received over-the-air updates, but where such
updates are insufficient to restore functionality
in a timely manner, new modems are being provided as the
most efficient way to restore service. Viasat has
already shipped tens of thousands of replacement
modems to distributors and is ready to ship
additional modems as needed.

Incident Summary

At approximately 0302 UTC on 24
February 2022, high volumes of focused, malicious
traffic were detected emanating from several
SurfBeam2 and SurfBeam 2+ modems and/or associated
customer premise equipment (CPE) physically located
within Ukraine and serviced by one of the KA-SAT
consumer-oriented network partitions. This targeted
denial of service attack made it difficult for many
modems to remain online.

As Viasat personnel engaged
with Skylogic personnel to triage the situation, and
worked to force the malicious modems offline, other
modems emerged on the network to continue the
targeted traffic-based attack throughout the next
several hours, degrading the ability of legitimate
modems to enter or otherwise remain active on the
network.

Around the same time, Viasat
and Skylogic began to observe a gradual decline in
the number of modems online in the same
commercial-oriented partition. This gradual decline
of connected modems continued until approximately
0415 UTC, when Viasat and Skylogic observed larger
numbers of modems across much of Europe exiting the
network over the course of about 45 minutes. All of
these modems are serviced by the same
consumer-oriented service partition.

Ultimately, tens of thousands
of modems that were previously online and active
dropped off the network, and these modems were not
observed attempting to re-enter the network. The
attack impacted a majority of the previously active
modems within Ukraine, and a substantial number of
additional modems in other parts of Europe.

Subsequent investigation and
forensic analysis identified a ground-based network
intrusion by an attacker exploiting a
misconfiguration in a VPN appliance to gain remote
access to the trusted management segment of the
KA-SAT network. The attacker moved laterally through
this trusted management network to a specific
network segment used to manage and operate the
network, and then used this network access to
execute legitimate, targeted management commands on
a large number of residential modems simultaneously.
Specifically, these destructive commands overwrote
key data in flash memory on the modems, rendering
the modems unable to access the network, but not
permanently unusable.
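
Because the commands described above were legitimate management operations, the signal a defender can monitor is fan-out: one source sending the same command to many modems within a short window. The following is an added example, not Viasat's or Skylogic's tooling; the audit-log format, host names, command name and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed records: '<ISO time> <source host> <command> <modem id>'."""
    base = datetime(2022, 1, 1, 4, 0, 0)
    lines = []
    # Routine maintenance: one host touches 5 modems, 10 minutes apart.
    for i in range(5):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} noc-01 config_write modem-{i:04d}")
    # Burst: one host sends the same write to 40 modems within 40 seconds.
    for i in range(40):
        t = base + timedelta(hours=1, seconds=i)
        lines.append(f"{t.isoformat()} mgmt-07 config_write modem-{1000 + i:04d}")
    return lines


def detect_fanout(lines, window=timedelta(seconds=60), max_targets=20):
    """Alert once per (source, command) that reaches more than max_targets
    distinct modems inside a sliding time window."""
    recent = defaultdict(deque)  # (source, command) -> deque of (time, modem)
    alerted, alerts = set(), []
    for line in sorted(lines):  # fixed-width ISO timestamps sort by time
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed records
        when = datetime.fromisoformat(parts[0])
        key, target = (parts[1], parts[2]), parts[3]
        q = recent[key]
        q.append((when, target))
        while when - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = {modem for _, modem in q}
        if len(distinct) > max_targets and key not in alerted:
            alerted.add(key)
            alerts.append({"source": key[0], "command": key[1],
                           "window_start": q[0][0].isoformat(),
                           "targets_in_window": len(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(make_sample_log()):
        print(alert)
```

The threshold and window would be tuned against the management plane's normal batch sizes; the same counter can also gate execution so that bulk operations above the limit require a second approval.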

Viasat has conducted an
exhaustive analysis of impacted modems and confirmed
no anomalies or impacts to any electrical
components, no impact or compromise of any modem
physical or electronic components, no evidence of
any compromise or tampering with Viasat modem
software or firmware images and no evidence of any
supply-chain interference. The modems can be fully
restored via a factory reset. To date, Viasat has no
evidence that standard modem software or firmware
distribution or update processes involved in normal
network operations were used or compromised in the
attack.

Mitigation and Restoration

Viasat worked with Skylogic to
implement several mitigation and recovery actions to
restore network stability, preserve continuing
service for unaffected end-customers and mitigate or
prevent similar attacks. Viasat
is leveraging the lessons learned from this incident
to further enhance the security features of its
products. As this is an ongoing investigation, and
to preserve Viasat’s and Skylogic’s ability to
safely and securely provide service on the KA-SAT
network, specific technical details on those
mitigation actions will not be shared publicly at
this time.

Throughout the course of the
investigation, Viasat continued to provide broadband
services to unaffected end-customers, as well as
mobility and Viasat government customers who were
unaffected by this attack.

Since the attack, Viasat has
worked with its distributors to restore service to
all customers whose modems were rendered inoperable.
Viasat has already shipped nearly 30,000 modems to
distributors to bring customers back online. Viasat
continues to provide immediately functional modems
to distributors who request them so they can support
expedited service restoration and impact mitigation
for affected end-customers.

Viasat, Mandiant and Skylogic
are continuing to cooperate with various law
enforcement and government agencies around the
world.

Background: KA-SAT network and transition agreement between Viasat and Eutelsat

Eutelsat launched commercial
broadband service from the KA-SAT satellite on 31
May 2011.

In April 2021, Viasat completed
the purchase of EBI, the wholesale broadband
services business created as part of Viasat's former
partnering arrangement with Eutelsat as well as the
KA-SAT satellite asset and corresponding ground
infrastructure. Skylogic, a subsidiary of Eutelsat,
continues to operate and support the ground segment
operations of the KA-SAT network on Viasat’s behalf,
an arrangement that was originally expected to end
sometime later this year. Currently, Viasat is the
wholesale provider of satellite broadband services
to end-customers served by the KA-SAT network, and
its independent network of distributors market and
sell these services to primarily residential
customers.