WASHINGTON — A cyberattack that disrupted satellite communications in Ukraine in the hours leading up to the Feb. 24 invasion was the work of the Russian government, the United States and European countries said Tuesday, officially laying blame for an attack that rocked Pentagon officials and private industry because it exposed new vulnerabilities in global communications systems.
In a series of coordinated statements, the governments blamed Moscow but did not explicitly name the organization that led the sophisticated effort to block Ukrainian communications. But US officials, speaking on condition of anonymity on the details of the findings, said it was Russia’s military intelligence agency, the GRU – the same group responsible for hacking into the Democratic National Committee in 2016 and a series of attacks against the United States and Ukraine.
“This unacceptable cyberattack is another example of Russia’s continued irresponsible behavior in cyberspace, which is also an integral part of its illegal and unwarranted invasion of Ukraine,” said Josep Borrell Fontelles, the European Union’s top diplomat, in a press release. “Cyberattacks targeting Ukraine, including against critical infrastructure, could spread to other countries and have systemic effects endangering the security of European citizens.”
The attack centered on a system run by Viasat, a California company that provides high-speed satellite communications services that were used extensively by the Ukrainian government. The attack came weeks after some Ukrainian government websites were hit by “wiper” software that destroys data.
The Viasat attack appeared intended to disrupt Ukraine’s command and control over its troops during the critical early hours of the Russian invasion, US and European officials said. The hack also disconnected thousands of civilians in Ukraine and across Europe from the internet. It even thwarted the operation of thousands of wind turbines in Germany that relied on Viasat technology to monitor conditions and control the wind turbine network.
Viasat immediately launched an investigation and called on Mandiant, the cybersecurity company, to write a report. While Viasat released its initial findings in March, the more in-depth studies have not been made public.
Nevertheless, these first conclusions were striking: to disrupt satellite communications, hackers never had to attack the satellites themselves. Instead, they focused on ground modems, the devices that communicate with the satellites. A senior government official said the vulnerability of such systems was “a wake-up call”, raising concerns in the Pentagon and in US intelligence agencies, which fear that Russia or China could exploit similar vulnerabilities in other critical communication systems.
US and European officials have warned that cyberweapons are often unpredictable, and the sprawling disruption caused by the Viasat hack showed how quickly a cyberattack can spread beyond its targets. In 2017, a Russian cyberattack in Ukraine, called NotPetya, quickly spread around the world, disrupting the operations of Maersk, the Danish shipping conglomerate, and other major companies.
Like other critical infrastructure attacks, such as the Colonial Pipeline hack in 2021, the Viasat hack exposed a weak point in an essential service that was exploited by Russian hackers with little technical sophistication. The Colonial Pipeline attack led to the only face-to-face meeting between President Biden and Russian President Vladimir V. Putin, in Geneva last June. During that meeting, Mr. Biden warned Mr. Putin against ransomware or other attacks on critical US infrastructure. But the Viasat attack, although directed against an American company, did not hit American shores.
Officials in the United States and Ukraine have long believed that Russia was responsible for the cyberattack on Viasat, but did not officially “attribute” the incident to Russia. While US officials reached their conclusions long ago, they wanted European nations to take the lead, as the attack had significant repercussions in Europe but not the United States.
Statements released on Tuesday did not name a particular Russian-sponsored hacking group as having orchestrated the attack, an unusual omission as the United States has regularly revealed information about the specific intelligence services responsible for attacks, in part to demonstrate its visibility into the Russian government.
“We have and will continue to work closely with law enforcement and relevant government authorities in the ongoing investigation,” Viasat spokesman Dan Bleier said. Mandiant, the cybersecurity firm hired by Viasat to investigate the matter, declined to comment on its findings.
But researchers from cybersecurity firm SentinelOne believed the Viasat hack was likely the work of the GRU, Russia’s military intelligence unit. The malware used in the attack, known as AcidRain, shared significant similarities with other malware previously used by the GRU, SentinelOne researchers said.
Unlike its predecessor, the malware known as VPNFilter, which was designed to destroy specific computer systems, AcidRain was created as a versatile tool that could easily be used against a wide variety of targets, the researchers said. In 2018, the Department of Justice and the Federal Bureau of Investigation said that the Russian GRU was responsible for creating the VPNFilter malware.
The AcidRain malware is “a very generic solution, in the scariest sense of the word,” said Juan Andres Guerrero-Saade, senior threat researcher at SentinelOne. “They can take this tomorrow and if they want to launch a supply chain attack against routers or modems in the United States, AcidRain would work.”
US officials have warned that Russia could carry out a cyberattack on US critical infrastructure and urged companies to strengthen their online defenses. The United States has also helped Ukraine detect and respond to Russian cyberattacks, the State Department said.
“As nations have pledged to uphold the rules-based international order in cyberspace, the United States and our allies and partners are taking steps to defend against Russia’s irresponsible actions,” said Secretary of State Antony J. Blinken, noting that the United States provides satellite phones, data terminals and other connectivity equipment to Ukrainian government officials and critical infrastructure operators.
The UK said it would also continue to help Ukraine repel cyberattacks. “We will continue to expose Russia’s malign behavior and unprovoked aggression on land, at sea and in cyberspace, and ensure it faces serious consequences,” said Liz Truss, the UK foreign secretary.
“All countries must unite their efforts to stop the aggressor, to make it impossible for him to continue attacking and be held accountable for his actions,” a spokesman for Ukraine’s security and intelligence services said in a statement on the attribution of the Viasat hack to Russia. “Only sanctions, coordinated activity, raising awareness among public institutions, businesses and citizens can help us achieve this goal and truly achieve peace in cyberspace.”