US, EU attribute Viasat hack to Russia

The cyber attack on Viasat that shut down satellite services for several thousand in Ukraine has now been officially tied to Russia.

On February 24, a cyber attack targeted the U.S.-based communications company's KA-SAT network, which provides internet service to customers in Europe. Viasat confirmed the attack nearly one month later, stating that while the impact was limited to Europe, including customer premise equipment physically located within Ukraine, the network remained offline for several days. In order to restore service, Viasat shipped nearly 30,000 replacement SurfBeam2 and SurfBeam 2+ modems to distributors.

Viasat cited disruption of service as the motive behind the attack and hired Mandiant to investigate. 

While the timing and target of the attack raised suspicions, statements issued Tuesday by the United Kingdom's National Cyber Security Centre, the U.S. State Department and the Council of the European Union formally attributed the Viasat hack to Russia. One notable detail revealed the attack occurred one hour prior to the Russian military's invasion of Ukraine.

The U.S. supported Viasat's initial analysis and cited the purpose of the attack was to "disrupt Ukrainian command and control during the invasion."

Similarly, the U.K. suspected the Ukrainian military was the primary target, though residential and commercial customers were also affected, according to the statement. Wind farms and internet users located in Central Europe suffered from the attack as well.

The risk of spillover attacks was addressed by vendors and analysts following Russia's invasion of Ukraine in February. The EU also expressed concern in the statement Tuesday.

"Cyberattacks targeting Ukraine, including against critical infrastructure, could spill over into other countries and cause systemic effects putting the security of Europe's citizens at risk," the EU wrote.

Now, it goes beyond the matter of "could" as more victims emerge to reveal a broader attack scope than initially reported.

"This cyberattack had a significant impact causing indiscriminate communication outages and disruptions across several public authorities, business and users in Ukraine, as well as affected several EU Member States," the EU wrote in the statement.

The U.S. and U.K. each confirmed Russia's actions caused spillover impacts into other European countries as well. The U.K. referred to it as "Europe-wide impact," though it is unclear just how widespread the damage was or which countries were affected.

This is not the first link between Russia and the attack on Viasat. In late March, SentinelOne assessed "with medium confidence" that a new wiper malware dubbed "AcidRain" may have been involved in disrupting the communications company. SentinelOne researchers discovered similarities in development and code used by the Russian APT known as Sandworm, which was responsible for the WannaCry ransomware attack in 2017.

However, the Viasat hack was just one in a string of attacks leading up to Russia's invasion of Ukraine that utilized wipers. The government also formally attributed a series of DDoS attacks dating back to January, plus the deployment of a new data wiping malware Microsoft named WhisperGate, to Russia.

"These disruptive cyber operations began in January 2022, prior to Russia's illegal further invasion of Ukraine and have continued throughout the war," the U.S. wrote.