Western intelligence agencies are investigating a cyberattack by unidentified hackers that disrupted high-speed satellite internet access in Ukraine coinciding with the Russian invasion, according to three people with direct knowledge of the incident.
Analysts from the United States National Security Agency, ANSSI, the French government cybersecurity organization, and Ukrainian intelligence services are assessing whether the remote sabotage of an Internet service provider’s service by satellite was the work of Russian state-backed hackers preparing the battlefield by attempting to break communications.
The digital blitz on the satellite service began on February 24 between 5 a.m. and 9 a.m., just as Russian forces began entering and firing missiles, hitting major Ukrainian cities, including the capital, Kiev.
The consequences are still under investigation, but satellite modems belonging to tens of thousands of customers in Europe have been taken offline, according to an official from the American telecommunications company Viasat, owner of the network concerned.
The hackers disabled the modems that communicate with Viasat’s KA-SAT satellite, which provides Internet access to certain customers in Europe, including Ukraine. More than two weeks later, some remain offline, resellers said Reuters.
What appears to be one of the most significant wartime cyberattacks publicly revealed to date has attracted the interest of Western intelligence services, as Viasat acts as a defense contractor for the United States and several allies.
Public contracts examined by Reuters show that KA-SAT provided internet connectivity to Ukrainian military and police units.
Pablo Breuer, a former technologist with the US Special Operations Command, or SOCOM, said the removal of satellite internet connectivity could cripple Ukraine’s ability to fight Russian forces.
“Traditional terrestrial radios only reach so far. If you’re using modern smart systems, smart weapons, trying to do combined arms maneuvers, then you have to rely on those satellites,” Breuer said.
The Russian Embassy in Washington did not immediately return a message seeking comment.
Moscow has repeatedly dismissed allegations of involvement in cyberattacks.
Russian soldiers have besieged Ukrainian towns in what the Kremlin describes as a “denazification” operation that has been denounced by the West as an unprovoked assault and has led to harsh sanctions against Moscow as punishment.
Viasat said in a statement that the disruption to customers in Ukraine and elsewhere was triggered by a “deliberate, isolated and external cyber event,” but has yet to provide a detailed, public explanation of what happened.
“The network has stabilized and we are restoring service and activating endpoints as quickly as possible,” spokesman Chris Phillips said in an email, adding that the company is prioritizing “critical infrastructure and help humanitarian”.
The affected modems seemed completely inoperative, according to Jaroslav Stritecky, who heads Czech telecommunications company INTV.
Normally, he said, the SurfBeam 2 Curved Modems’ four status lights would indicate whether they were connected to the Internet. After the attack, the lights of the devices manufactured by Viasat did not turn on at all.
The Viasat manager said a misconfiguration in the satellite network’s “management section” allowed hackers to remotely access modems, knocking them offline.
He said most of the affected devices would need to be reprogrammed either by a technician on site or at a repair depot and some would need to be replaced.
The Viasat manager was not explicit about what the “management section” of the network was referring to and declined to provide further details.
KA-SAT and its associated ground stations, which Viasat bought last year from European company Eutelsat, are still operated by a subsidiary of Eutelsat.
Eutelsat referred the questions to Viasat.
Viasat has hired US cybersecurity firm Mandiant, which specializes in tracking state-sponsored hackers, to investigate the intrusion, according to two people familiar with the matter.
Spokespeople for the NSA, ANSSI and Mandiant declined to comment.
Viasat said government customers who purchased services directly from the company were unaffected by the disruption.
The KA-SAT network is however operated by a third party, which in turn contracts out the service through various distributors.
Over the past few years, Ukraine’s military and security services have purchased several different communications systems that operate on Viasat’s network, according to contracts published on ProZorro, a Ukrainian transparency platform.
A message seeking comment from the Ukrainian military was not immediately returned.
Some Internet distributors are still waiting to replace their devices.
Stritecky, the Czech telecommunications executive, said he did not blame Viasat.
He recalled coming into work the morning of the invasion and seeing a monitor showing regional satellite coverage in the Czech Republic, neighboring Slovakia and Ukraine, all in red.
“It was immediately clear what happened,” he said.