bjdlzx | Getty Images
More than 22,000 miles above Earth, the KA-SAT is locked in orbit. Traveling at 7,000 miles per hour, in sync with the planet’s rotation, the satellite beams high-speed internet to people across Europe. Since 2011, it has been helping homeowners, businesses and military personnel to go online. However, when Russian troops entered Ukraine in the early hours of February 24, satellite internet connections were disrupted. A mysterious cyberattack on the satellite’s ground infrastructure – not the satellite itself – plunged tens of thousands of people into Internet darkness.
Among them were parts of the defense of Ukraine. “It was really a huge loss in communications at the very beginning of the war,” Viktor Zhora, a senior official at Ukraine’s cybersecurity agency, the State Services for Special Communications and Information Protection (SSSCIP), reportedly said two weeks later. He did not provide further details and SSSCIP did not respond to WIRED’s request for comment. But the attack on the satellite internet system, which has been owned by the American company Viasat since last year, had even greater consequences. People using satellite internet connections were taken offline across Europe, from Poland to France.
The disruptions continue for nearly a month after the attack. Thousands are still offline in Europe – about 2,000 wind turbines are still disconnected in Germany – and companies race to replace broken modems or fix connections with updates. Multiple intelligence agencies, including those in the US and Europe, are also investigating the attack. The Viasat hack is arguably the largest publicly known cyberattack to have occurred since Russia invaded Ukraine, and it is notable for its impact beyond Ukraine’s borders. But questions remain about the details of the attack, its purpose and who carried it out, although experts have their suspicions.
Satellite Internet connections are often used in areas with low cable coverage and are used by ordinary citizens as well as official organizations. The setup is different from your typical home or office Wi-Fi network, which usually relies on thenewsupdate broadband connections. “Satellite communications are made up of three main components,” said Laetitia Cesari Zarkan, a consultant at the United Nations Institute for Disarmament Research and a doctoral student at the University of Luxembourg. First, there’s the orbiting spacecraft used to send “spot beams” back to Earth; these beams provide internet coverage for specific areas on the ground. These rays are then picked up by satellite dishes on the ground. They can be attached to the sides of buildings or on airplanes to power in-flight Wi-Fi. And finally, there are ground networks, which can communicate with and configure people’s systems. “The ground network is a collection of ground stations that are connected to the internet via fiber optic cables,” Zarkan says.
Aside from Zhora’s comment, the Ukrainian government has kept quiet about the attack. However, satellite communication, also known as satcom, seems to be widely used in the country. Ukraine has the world’s most transparent system for tracking government spending, and multiple government contracts show that the SSSCIP and the police have bought the technology. For example, during the 2012 elections in Ukraine, more than 12,000 satellite internet connection points were used to monitor the vote, according to official documents discovered by European cybersecurity firm SEKOIA.IO.
“To disrupt satellite communications, most people, myself included, would look at the signal in space, because it’s visible,” said Peter Lemme, an aviation specialist who also writes about satellite communications. “You can send signals to the satellite that would effectively hinder its ability to receive signals from legitimate modems.” Elon Musk has claimed that Starlink satellite systems he has sent to Ukraine have been subject to jamming attacks.
However, the attack on Viasat should not be accompanied by jamming. The attack on the network was a “deliberate, isolated and remote cyber event,” Viasat spokesman Chris Phillips said. The attack only affected fixed broadband customers and caused no disruption to airlines or Viasat’s U.S. government customers, the company says, and no customer data was compromised. However, people’s modems have been unable to connect to the network and have been “disabled”.
On Tuesday, Viasat chairman Mark Dankberg told a satellite conference that the company purchased the KA-SAT in Europe last year and that its customer base is still managed by a third party as part of the transition. “We think it was preventable for this particular event, but in that case we didn’t have that option,” Dankberg said, confirming that thousands of modems had been taken offline. “In most cases of the modems that have gone offline, they need to be replaced. They can be refurbished, so we recycle modems,” says Dankberg.
“There is no evidence to date of any compromise to the KA-SAT satellite, core network infrastructure or gateways as a result of this incident,” Phillips said in a statement. Instead, Viasat says the cyber-attack was the result of a misconfiguration in an “administrative part” of its network, as first reported by Reuters. The company declined to provide more details about the technical nature of the incident, citing an ongoing investigation. Viasat says it is now focusing on repairing the partial outage.