It turns out the only thing Russian forces needed to knock thousands of Ukrainian satellite broadband customers offline was a misconfigured VPN.

Viasat, whose Ukrainian satellite broadband service was knocked offline the day Russia invaded Ukraine, said its analysis of the attack revealed a poorly configured VPN appliance was used by the attacker to access the trusted management section of the KA-SAT satellite network. 

The attacker gained access to the segment of the network used to manage and operate it, and then pushed legitimate, yet malicious, commands to residential modems in Ukraine and several other European countries. 

“These destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable,” Viasat said today. 

The KA-SAT satellite, which provides broadband access to customers in several countries, was not directly affected by the attack, which was confined to a single consumer-oriented partition of its network.

Viasat also said that it had no evidence end-user data was accessed or compromised, no evidence that customer equipment was accessed (aside from the command that was run) and no signs that the satellite or its ground infrastructure were affected. 

It’s not over yet

Viasat said that any modems not bricked by the attack received firmware updates that should mitigate future onslaughts. That’s timely given what an unnamed Viasat representative told Reuters: The attacks are still happening. 

While Viasat has resisted the attacks so far, the official said the attackers continue to adapt to their mitigations and defenses. The investigation is ongoing, and Viasat said elsewhere it was leaving out some specifics, but it believes the attacks were designed to interrupt service. If the assailants are continuing to push, they’re still attempting to disrupt satellite broadband in Ukraine. 

Owners of functioning Tooway brand SurfBeam2 and SurfBeam 2+ modems from Eutelsat should be sure they patch now.

Modems are physically fine, but still broken

Viasat’s analysis of modems that were affected by the attack found no evidence of hardware damage, software or firmware tampering or supply-chain interference. That’s not much comfort for many customers still unable to get online, but it does mean that affected modems, once returned to Viasat, can be reset and reused.

Thirty-thousand modems have already been sent to distributors (Viasat is a service wholesaler that works with local ISPs), and Viasat said it will continue to send them out to any distributor that requests them “so they can support expedited service restoration and impact mitigation for affected end customers.” ®