Global spy agencies are reportedly investigating what appears to be a late-February cyberattack on satellite internet provider Viasat that may change the narrative on whether Russia's Ukrainian invasion was light on cyberwar.
Viasat's KA-SAT internet connectivity abruptly plummeted to around 20% its typical throughput in Europe on Feb. 24 — the date of the Ukrainian invasion — according to Netblocks. Modems that connect to the satellite internet service have ceased to function. Internet connectivity has not been restored.
Viasat is a contractor for the Ukrainian military and several other Western militaries, including the U.S., providing connectivity for smart weapons systems and other battlefield needs.
Reuters reported Friday that the NSA, the French cybersecurity service ANSSI and Ukrainian intelligence were all looking into the outage, with Germany's NDR public broadcasting reporting the German BSI had also commenced investigations and issued at least one internal report including an interview with a German ISP that believed the attacks were caused by malicious firmware.
Throughout the Ukrainian conflict, the working assumption among experts was that Russia had not unleashed a cyberattack that substantially impacted infrastructure or caused massive spillover. While there has been no formal attribution to Russia, Viasat, with thousands of modems throughout Europe and contracts with NATO militaries, would be both.
Last week, Gen. Paul Nakasone, head of the National Security Agency, issued what retroactively seems like a carefully worded answer at a Senate hearing to a question about the relative lack of cyberwarfare during the war in Ukraine, saying that the U.S. was aware of "three or four" cyberattacks in Ukraine. He did not mention which attacks those were, though three or four candidates other than Viasat were already known to the public.
Ukraine has seen a number of attacks since the build-up to the war. There have been three new wipers and a trojan discovered throughout Ukraine that appeared to be tied to the conflict. Microsoft said that the trojan was extremely targeted, with no evidence of spillover. One of the three wipers infected a limited number of victims in Lithuania and Latvia, but was almost entirely seen in Ukraine. Ukraine has faced two rounds of DDoS and SMS spam campaigns designed to destabilize trust in banks.
Those attacks have not been attributed to Russia. But even if they all turned out to be Russian, those attacks would be mild even for Russia's treatment of Ukraine during peacetime. Russia caused blackouts in Ukraine during peacetime in 2015 and 2016, and launched the NotPetya wiper in 2017, intending to rile Ukranians, but ultimately causing billions of dollars in global spillover damage.
At the hearing last week, Nakasone said the U.S. was staying on the lookout for further attacks.
"We remain vigilant," he told a Senate hearing. "We're 15 days into this conflict. By no means are we sitting back and taking this casually, we are watching every single day for any type of unusual activity."