The big Euro Sat Hack should be a warning to all of us


Military and civilian security researchers have been warning us for years: cyberattacks are becoming a very real part of modern warfare. Cyberattacks are not just limited to military targets, but can also destroy everything from vital public infrastructure to commercial and industrial operations.

In the early hours of February 24, as the invading Russian forces began raining missiles on Ukrainian cities, another attack in the digital realm was underway. Suddenly, satellite terminals across Europe went offline, and many suffered permanent damage from the attack.

Details remain hazy, but researchers and military analysts have pieced together a picture of what happened that night. The Great Euro Sat Hack is proving to be the latest example of how vulnerable our digital infrastructure can be in times of war.

A network is only as secure as its weakest point

The KA-SAT satellite, operated by the US company Viasat, was launched in 2010. It is intended to provide broadband satellite internet across Europe, with limited coverage also extending to parts of the Middle East. The customers of the service include private users throughout Europe as well as many industrial systems.

5,800 wind turbines lost their satellite data connections during the attack, jeopardizing remote monitoring of the hardware. Service was restored through a combination of replacing affected satellite modems and installing additional cellular/LTE data links. Source: ENERCON press page

On February 24, when Russian forces began their all-out invasion of Ukraine, the KA-SAT system was also attacked. Thousands of terminals suddenly went offline in the early hours of the morning. Far from being limited to Ukraine, all users in Greece, Poland, Italy, Hungary and Germany were affected.

Remarkably, the management systems of 5,800 wind turbines in Germany were left in the dark as the attack raged. When the satellite connections failed, it was no longer possible to monitor the wind turbines using SCADA systems. Fortunately, according to the operator ENERCON, the grid stability was not affected, as the grid operators retain control over the wind power feed-in to the grid using other methods.

Early reports speculated that a simple distributed denial of service (DDoS) attack could have been to blame. This type of attack, which uses a flood of traffic to overwhelm a network or server, is simple and short-lived.

However, it quickly became apparent that a much more serious attack had taken place. Researchers analyzing the fallout found that many terminals were permanently offline and inoperable. Information slowly trickled out from various sources that suggested the satellite itself had not been tampered with, damaged, or physically attacked in any way. Therefore, the problem was probably in the ground segment of the KA-SAT network.

Official statements noted that the consumer-grade SurfBeam2 modems were a primary target of the attack. This raises questions about how the attack then impacted Germany’s energy infrastructure, which is expected to use a more industry-specific solution. Photo credit: Viasat

A little over a month after the attack, Viasat released a statement explaining the scale and nature of the attack. According to the company’s report, the action began at 03:02 UTC with a denial-of-service attack propagating from users’ SurfBeam2 and SurfBeam2+ modems on a consumer-facing section of the KA-SAT network. Located in Ukraine, these modems generated large amounts of malicious traffic and prevented legitimate users from staying online. Viasat’s technical teams worked to block these malicious modems from the network, with more appearing as the team shut them down.

During this time, modems on this network partition were gradually taken offline. This accelerated at 4:15 am, with a mass exodus of modems from the KA-SAT network across Europe, all on the same consumer network partition. The missing modems were gone for good, and none of them tried to reconnect to the satellite network.

Subsequent analysis showed that a breach had occurred in the management systems of the KA-SAT network via a “misconfiguration in a VPN appliance”. The attackers accessed the management network and used it to issue commands to home modems on the network, corrupting their onboard flash memory and rendering them inoperable.

After the attack, security researcher Ruben Santamarta was able to get his hands on an affected SurfBeam2 modem, as well as another clean device that was unaffected by the attack. Dumping the flash memory from both modems was revealing. The compromised modem had badly damaged flash memory compared to the clean one, leaving it in a non-working state. In some cases, the damage was so extensive that affected modems did not even display status lights when switched on. 0,000 replacement modems were eventually sent out to customers to get them back online in the weeks following the attack.

There are still some questions to be answered about the attack. It’s unclear exactly how the attackers penetrated the management segment of the KA-SAT network, and the company is reluctant to publicize the incident. The early DDoS attack, followed by the bricking of modems, also suggests a multi-stage attack that was planned well in advance. There are also supplementary questions, such as why Germany’s power infrastructure was hit by an attack said to be limited to home modems and a consumer-facing network segment.

These specifics are of interest to security researchers and stakeholders in the organizations concerned. More broadly, however, the attack shows that cyberattacks can and will be used against real-world infrastructure in wartime. Additionally, the impact is not necessarily limited to target areas or the military. Such an attack can all too easily have far-reaching downstream effects if our networks span national borders.

Overall, it’s a chilling reminder of the vulnerabilities inherent in much of our infrastructure. This time it was satellite internet; another time it could be the water supply or the health system. In all of these cases, the stakes are high, so there are many reasons to invest in increasing security wherever possible.

