Just an hour before Russian troops invaded Ukraine, Russian government hackers targeted the American satellite company Viasat, officials from the US, EU, and UK said today.
The operation resulted in an immediate and significant loss of communication in the earliest days of the war for the Ukrainian military, which relied on Viasat’s services for command and control of the country’s armed forces.
The Viasat cyberattack is the biggest known hack of the war, says Juan Andres Guerrero-Saade, a threat researcher at the cybersecurity firm SentinelOne “because it’s the most concerted effort to disable Ukrainian military capabilities.” It is also one of the first real-world examples of how cyberattacks can be targeted and timed to amplify military forces on the ground by disrupting and even destroying the technology used by enemy forces.
The attack, on February 24, launched destructive “wiper” malware called AcidRain against Viasat modems and routers, quickly erasing all the data on the system. The machines then rebooted and were permanently disabled. Thousands of terminals were effectively destroyed in this way.
Guerrero-Saade, who has been at the forefront of research into AcidRain, says that where previous malware used by the Russians was narrowly targeted, AcidRaid is more of an all-purpose weapon.
“What’s massively concerning about AcidRaid is that they’ve taken all the safety checks off,” he says. “With previous wipers, the Russians were careful to only execute on specific devices. Now those safety checks are gone, and they are brute-forcing. They have a capability they can reuse. The question is, what supply-chain attack will we see next?”
The attack has turned out to be typical of the “hybrid” war strategy employed by Moscow, say experts. It was launched in concert with the invasion on the ground. That exact kind of coordination between Russian cyber operations and military forces has been seen at least six times, according to research from Microsoft, underlining the emerging role of cyber in modern warfare.
“Russia’s coordinated and destructive cyberattack before the invasion of Ukraine shows that cyberattacks are used actively and strategically in modern-day warfare, even if the threat and consequences of a cyberattack are not always visible for the public,” the Danish defense minister, Morten Bødskov, said in a statement. “The cyber threat is constant and evolving. Cyberattacks can do great damage to our critical infrastructure, with fatal consequences.”
In this instance, the damage spilled over from Ukraine to affect thousands of internet users and internet-connected wind farms in central Europe. And the implications are even bigger than that: Viasat works with the US military and its partners around the world.
“Obviously, the Russians messed it up,” says Guerrero-Saade. “I don’t think they meant to have so much splash damage and get the European Union involved. They gave the EU pretext to react by having 5,800 German wind turbines and others around the EU impacted.”
Just a few hours before AcidRain began its destructive work against Viasat, Russian hackers used another wiper, called HermeticWiper, against Ukrainian government computers. The playbook was eerily similar, except instead of satellite communications, the targets were Windows machines on networks that, in those early hours of the invasion, would be important for the government in Kyiv to mount an effective resistance.
To support MIT Technology Review’s journalism, please consider becoming a subscriber.
How effective these attacks have been remains an open question. A senior Ukraine official said the Viasat hack resulted in a “huge loss in communications in the very beginning of war” but offered no detail.
Cyber is supporting military operations, but it’ll be a long time before we get a full view of all of the operations in play during this war. It’s clear from the way AcidRain was built, though, that we will likely see it in action again.