Viasat says KA-SAT outage caused by a “cyber event”
UPDATED March 8 with sections in italics.
The KA-SAT satellite internet service is suffering an outage that its operator Viasat has blamed on a suspected “cyber event” that appears to have begun in Ukraine. A major German energy company has lost remote monitoring access to over 5,800 wind turbines as a result of the incident, although they continue generating.
The 6,000 kilogram satellite, launched in May 2011, provides broadband services to approximately 30,000 satellite terminals across Europe, which are used by a wide range of different industries — many are contracted to smaller local reseller ISPs who have reported issues downstream to their own customers across Europe.
Viasat told The Stack: “Viasat is experiencing a partial network outage—impacting internet service for fixed broadband customers in Ukraine and elsewhere on our European KA-SAT network.”
“Our investigation into the outage continues, but so far we believe it was caused by a cyber event.”
The service has underpinned satellite broadband services in Ukraine for many users for years. During Ukraine’s parliamentary elections of October 28, 2012, for example, the KA-SAT satellite underpinned the real-time video monitoring of over 12,600 polling stations, managing 25,000 simultaneous video streams.
A press release from then-operator Eutelsat at that time suggests that it had numerous terminals in the country, noting that in “four weeks leading up to the election, more than 12,600 KA-SAT terminals were deployed by Datagroup and activated on the KA-SAT network at an average pace of 500 terminals a day.”
Government contracts reviewed by Reuters meanwhile show that KA-SAT has provided internet connectivity to Ukrainian military and police units. Approximately 30,000 terminals across Europe are understood to be affected.
UPDATED March 8: Viasat has not responded to several detailed follow-up questions. Multiple unconfirmed reports suggest that all connected modems’ firmware was wiped by a malign update and that the modems are now “bricked”, or rendered permanently inoperable. This suggests that Viasat has suffered some compromise. Modems with 07/2021 firmware or newer that were offline during the attack reportedly do still work. Contrary to widespread reports of a physical attack amid Russia’s Ukraine invasion, The Stack does not understand Viasat to have any meaningful physical infrastructure in Ukraine. Its 10 gateways are understood to be in Athens, Berlin, Cork, Helsinki, Madrid, Makarios, Palermo, Rambouillet, Trieste and Turin.
Viasat’s KA-SAT outage: Law enforcement assisting…
A Viasat spokesperson added in an emailed comment: “We are investigating and analyzing our European network and systems to identify the root cause and are taking additional network precautions to prevent further impacts while we attempt to recover service to affected customers.”
The California-headquartered satellite broadband company noted: “Law enforcement and government partners have been notified and are assisting in the ongoing investigation, along with a third-party cybersecurity firm. The investigation is ongoing, but to date, we have no indication that customer data is involved.”
The company has not responded to several detailed follow-up questions.
An email to customers seen and reported by German technology publication Golem.de said: “This appears to have initially started with the KA-SAT service in Ukraine and then spread to almost the entire KA-SAT footprint.”
Viasat also operates encrypted communications services for the US military among other defence services via its constellation of satellites. There was no suggestion that others had been infected in any way.
The incident comes after the NSA in January 2022 warned that “Very Small Aperture Terminal” (VSAT) satellite networks like Viasat’s leave communications over these links “at risk of being exposed and may be targeted by adversaries for the sensitive information they contain or to compromise connected networks.
“Most of these links are unencrypted, relying on frequency separation or predictable frequency hopping rather than encryption to separate communications. Public vulnerability research has found certain terminal equipment vulnerable to compromise and illicit firmware modification. NSA recommends that VSAT networks enable any available transmission security (TRANSEC) protections, segment and encrypt network communications before transmitting across the VSAT links, and keep VSAT equipment and firmware up to date”, the agency added.
KA-SAT cyber-attack: 5,800 wind turbines lose remote monitoring
Among those affected is German wind turbine company Enercon.
An Enercon spokesperson told The Stack in an emailed comment: “Due to a massive disruption of the satellite link in Europe, remote monitoring and control of thousands of ENERCON wind energy converters (WECs) is currently not possible. Since Thursday (24 February), a total of 5,800 WECs in central Europe with a total power of 11 gigawatts have been affected by the outage of the link. There is no risk to the WECs. The WECs affected remain in operation and are producing clean renewable energy. Until the problem is resolved, they will operate in automatic mode and are fundamentally capable of self-contained and independent regulation.
“A report was sent to the Federal Office for Information Security (BSI) immediately as a result of the impairment of the critical infrastructure. ENERCON is in close contact with the federal authorities. Intensive efforts are being made to resolve the disruption together with the responsible providers of the satellite communication network. At the same time, ENERCON is supporting the affected operators and owners in setting up alternative communication links in order to restore remote access as quickly as possible.”
The company added: “The exact cause of the disruption is not yet known. The communication services went down at almost exactly the same time as the Russian invasion of Ukraine began. Around 30,000 satellite terminals are affected across Europe, which are used by companies and organisations from various sectors. The BSI has been warning of an increased threat since last week and has activated the national IT crisis reaction centre.”
The German Wind Energy Association said only operators who control their turbines via provider Euroskypark are affected. The Saarbrücken-based company offers “connection services and solutions for industrial applications and safety-critical infrastructures”. It did not respond to a request from The Stack for comment.
In 2020 an Oxford University-based security researcher used £270 ($300) of home television equipment to capture terabytes of real-world satellite traffic, including sensitive data from “some of the world’s largest organisations”. The work demonstrated that an attacker can intercept and even modify VSAT connections using standard satellite television equipment, and produced a purpose-built forensic tool dubbed “GSExtract”, designed to “recover sensitive IP traffic from even highly corrupted maritime VSAT feeds collected on consumer-grade equipment.”
As James Pavur noted at the time, a lack of encryption was a key issue for many: “Satellite transmissions cover vast distances and are subject to speed-of-light latency effects and packet loss which can impair the function of encryption schemes designed for high-reliability terrestrial environments (e.g. by requiring re-transmission of corrupted key materials)… Moreover, satellites themselves are limited in terms of computing capabilities and any on-board cryptographic operation risks trading off with other mission functionality.”