Enlarge image
Viasat offers satellite internet: »Devices sabotaged in Central/Eastern Europe«
Photo: DADO RUVIC / REUTERS
The hacker attack on the satellite network provider Viasat was apparently a targeted cyber attack.
The company offers its customers fast, satellite-based Internet connections – including in the Ukraine.
Since the beginning of the war, the provider had to contend with significant failures.
A "connection to the Ukraine conflict" is suspected, according to an internal paper by the federal government that SPIEGEL has seen.
Representatives of several German authorities had previously exchanged views with the listed US satellite operator.
"Viasat" reported that "in the Central/Eastern Europe segment, the terminals of commercial customers were sabotaged."
Publicly, Viasat had so far only said that a "cyber event" was suspected to be behind the failures.
The hacking attack meant that numerous customers of the KA-SAT service operated by Viasat no longer had internet access.
According to the government paper, the hackers took the decisive step in their attack on the morning of the Russian attack on Ukraine.
At 5 a.m. on February 24, the attackers activated a faulty update, causing KA-SAT customers to lose their network access.
Consequences also felt in Germany
Because of this "coincidence in time" among other things, the German government now suspects a connection with the war in Ukraine.
According to the note, there is another reason for this: the attacked KA-SAT segment in Central and Eastern Europe is being used intensively by the Ukrainian military.
The consequences of the attack were also felt in Germany.
At least 3000 wind turbines, which are connected to the grid via the satellite provider and can normally be maintained remotely, were suddenly no longer accessible - although they could continue to run and generate electricity.
The federal government now rates the attack in the paper as a “cyber collateral damage case”.
Further effects on the critical infrastructure or even the security of supply in Germany are currently not observed.
The letter does not contain any information about the possible background or origin of the hackers.
The company itself is still doing "causal research," they say.
How seriously the federal government takes the incident is also shown by who took part in the conversation with Viasat last Thursday.
In addition to the Federal Network Agency, which is responsible for communication networks, and the Federal Office for Information Security, which is responsible for IT security, the Office for the Protection of the Constitution was also represented.
Attack path points to experienced hackers
The approach of spreading malware via software updates speaks for professional perpetrators just as much as the strategic goal of the attack - satellite Internet providers have also been victims of complex cyber operations in the past.
One of the most far-reaching cyber attacks to date began in 2017 with manipulated software updates and also related to Ukraine.
At that time, the NotPetya malware initially spread via updates to the Ukrainian accounting software MeDoc.
The malicious code quickly multiplied through the company networks of international corporations beyond the national borders of Ukraine and affected companies such as the logistics giant Maersk, the pharmaceutical group Merck and the Hamburg company Beiersdorf.
The total damages caused by NotPetya amounted to more than ten billion dollars.
A group called “Sandworm”, which is assigned to the Russian military intelligence service GRU, is considered to be the perpetrator of the attack at the time.
In the current case, a researcher at the Bundeswehr University in Munich spoke up.
The affected KA-SAT offer, which also supplies Kyiv via so-called spot beams, is connected to eight gateway stations on earth - if one of these gateways fails due to a cyber attack, all beams connected to it are affected: »And so it may be that the Russians actually wanted to cut the internet connections in the Ukraine, but they also disconnected the wind turbines in Central Europe from the internet.«
Viasat is not the only satellite internet provider currently serving Ukraine and encountering problems.
Elon Musk activated and advertised his “Starlink” service for Ukraine two days after the start of the war – at least one truckload of the necessary terminals has already been delivered.
Some of these terminals near conflict zones were disrupted for a few hours, Musk said in a tweet on Saturday – the priority is now on the “cyber defense” of their own offer and the fight against intentional signal disruptions.
Berlin sees "increased risk"
In Berlin, meanwhile, concerns are growing that Germany could also become a direct target of Russian cyber attacks.
The Federal Office for the Protection of the Constitution warns that there is an “increased risk of cyber attacks against German authorities” as a reaction to the sanctions against Russia and the arms deliveries to Ukraine.
According to a paper by the authority, the Russian services had the ability to "substantially and permanently sabotage" both critical infrastructure and military facilities and political operations.
Federal Interior Minister Nancy Faeser (SPD) wants to expand cyber defense in response to the Russian attack on Ukraine.
"We have to think more about countermeasures in the event of cyber attacks," Faeser told SPIEGEL.
It is about “specific measures to identify perpetrators and criminal structures abroad, to uncover their cover-up measures and to prevent attacks from being carried out”.
hpp, Rome, wow