Total hack: how hackers managed to take down the network of the satellite provider Viasat

Why did the American company have to completely redo its infrastructure?

The US National Security Agency (NSA), together with the satellite Internet provider Viasat, has revealed new details of the high-profile cyberattack on the company that took place last year.

Mark Colaluca, Viasat's vice president of information security, spoke with Christina Walter, head of defense industrial base cybersecurity at the NSA, at the recent Black Hat conference. They disclosed many new details about the attack, the lessons learned from it, and more.

The cyberattack in February 2022 disabled many Viasat KA-SAT modems in Eastern Europe. It also had knock-on effects, cutting off remote monitoring of about 5,800 Enercon wind turbines in Germany and disrupting thousands of organizations across Europe. According to US and EU authorities, the attack on Viasat was purely geopolitical.

Colaluca noted that Viasat's KA-SAT network serves over 100,000 customers in Europe and the Middle East. The network serves both consumer broadband and enterprise customers, but the attack was aimed primarily at the consumer broadband segment.

Colaluca revealed that the company's operations were in fact disrupted by two separate attacks. According to him, one of them was highly sophisticated, and the attackers had a deep understanding of how the Viasat network works. The other, however, required little effort from the attackers because of weaknesses in the company's own infrastructure.

“One of the biggest lessons for us is that the part of the attack that didn’t require much complexity could possibly be mitigated with a little more digital hygiene and a few extra security measures,” Colaluca explained.

For example, on February 23 last year, the attackers targeted Viasat's dispatch center in Turin, Italy, breaking into a VPN that gave the company's administrators and operators network access. At 17:00 local time, after several unsuccessful attempts, they got into the corporate VPN.
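The "several unsuccessful attempts, then a success" pattern described above is exactly the kind of signal a practitioner would want a detection rule for. The following is an added example, not code from the original article or from Viasat: it runs over constructed VPN authentication log lines (the log format, user names and addresses are assumptions, not Viasat data) and flags any user/source pair whose successful login was preceded by a burst of failures inside a time window.

```python
"""Flag VPN logins preceded by a burst of failures from the same user and source.

Added example; the log format below is an assumption modelled on a generic
VPN gateway authentication log, and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not Viasat data). Addresses are from the
# RFC 5737 documentation ranges. Lines are deliberately not in time order.
SAMPLE_LOG = """\
2022-02-23T16:41:07 vpn-gw auth user=ops.admin src=203.0.113.45 result=FAIL
2022-02-23T16:43:19 vpn-gw auth user=ops.admin src=203.0.113.45 result=FAIL
2022-02-23T16:52:30 vpn-gw auth user=ops.admin src=203.0.113.45 result=FAIL
2022-02-23T16:47:52 vpn-gw auth user=ops.admin src=203.0.113.45 result=FAIL
2022-02-23T17:00:02 vpn-gw auth user=ops.admin src=203.0.113.45 result=SUCCESS
2022-02-23T16:55:10 vpn-gw auth user=noc.user src=198.51.100.7 result=FAIL
2022-02-23T17:01:44 vpn-gw auth user=noc.user src=198.51.100.7 result=SUCCESS
2022-02-23T09:10:00 vpn-gw auth user=field.tech src=192.0.2.9 result=FAIL
2022-02-23T17:05:00 vpn-gw auth user=field.tech src=192.0.2.9 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>FAIL|SUCCESS)$"
)


def parse_events(text):
    """Turn raw log text into a list of auth events; non-auth lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "SUCCESS",
        })
    return events


def find_fail_then_success(events, min_failures=3, window=timedelta(minutes=30)):
    """Return one alert per (user, src) whose success followed >= min_failures
    failures within `window` before it. A success resets the failure streak, so
    a long-running low-rate guessing campaign is only caught once it pays off."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["user"], ev["src"])].append(ev)

    alerts = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])  # logs may arrive out of order
        failures = []
        for ev in evs:
            if not ev["ok"]:
                failures.append(ev["ts"])
                continue
            cutoff = ev["ts"] - window
            in_window = [t for t in failures if t >= cutoff]
            if len(in_window) >= min_failures:
                alerts.append({
                    "user": user,
                    "src": src,
                    "failures": len(in_window),
                    "first_failure": in_window[0].isoformat(),
                    "success": ev["ts"].isoformat(),
                })
            failures = []
    return alerts


def detect(text=SAMPLE_LOG, **kwargs):
    """Convenience wrapper: parse and scan in one call."""
    return find_fail_then_success(parse_events(text), **kwargs)


if __name__ == "__main__":
    for a in detect():
        print(f"ALERT user={a['user']} src={a['src']} failures={a['failures']} "
              f"first_failure={a['first_failure']} success={a['success']}")
```

With the defaults (three or more failures in the 30 minutes before a success) only the ops.admin login is flagged; noc.user has a single failure and field.tech's failure is hours old. Tune `min_failures` and `window` to the gateway's real lockout policy, and key on the source address as well as the user so that a spray across many accounts from one address is not split into sub-threshold streaks.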

From there they reached the management servers, which gave them broad visibility into the network, including which of the company's modems were online, along with a large amount of other data.

A few hours later, the attackers gained access to another server that delivered software updates to the modems. This let them push a wiper that disabled 40,000 to 45,000 modems, many of which never came back online. All of this was part of the first attack alone.

Colaluca explained that shortly after the incident he began talking to the NSA's Walter, prompted by the many inquiries coming in from government agencies across Europe and elsewhere.

One reason Viasat had difficulty responding was that almost all of the affected modems were in Europe, while the company is headquartered in the US. Viasat products are sold through distributors who install them for European customers.

Just as Viasat began enlisting the NSA's help, the second attack started. The attackers flooded Viasat's systems with requests, overloading them: they had taken control of thousands of modems and used them to swamp the systems the incident responders relied on. This made it impossible to restore the modems, at least during that period.

When Colaluca's team took steps to stop this attack, the attackers changed tactics and went after specific terminals to keep them offline. Colaluca did not say where these terminals were located, but earlier reports indicate that most were in Eastern Europe.

Colaluca noted that even after the systems were restored, Viasat's teams dealt with several further incidents and still face periodic attacks.

The company has learned from this and upgraded its security, however, so attackers now have to change their tactics far more often to do any tangible damage to Viasat's infrastructure.

Colaluca also said that Viasat expects the attackers to return sooner or later and try to repeat the same attack. He maintained, however, that this is unlikely to succeed, since the company has rebuilt its infrastructure from scratch in a form far less susceptible to this kind of attack.

According to Colaluca, some aspects of the attack remain unexplained. He told the Black Hat audience that the company still does not know how the attackers gained initial access to the VPN system in Italy, or how they knew that the weak spot was there.

The attackers did not use zero-day vulnerabilities and did not crack default passwords, he noted, adding briefly that Viasat had also considered the possibility of a "mole" in the Italian division who leaked the necessary information to the attackers and granted them access.