On July 17, 2019 hundreds of thousands of Ukrainian citizens were suddenly unable to access the Internet – knocked offline in a massive distributed denial-of-service attack. In the wake of this global blackout, Viasat, a satellite provider headquartered in Carlsbad, California, conducted an investigation that focused on the geographic origins of this attack.
The “contingency plan” that was followed by the intruder indicates they acted with calculated intent and precision. It is believed this was a well-planned and organized effort. The evidence uncovered shows malicious actors coordinated their activities across multiple countries in an effort to block Y5B’s customers from accessing key websites for extended periods of time. By isolating Y5B’s domains from the rest of the online world, these networks were rendered useless until their services were repaired or re-enabled by the company’s engineering team.
Detailed analysis allowed Viasat to trace network nodes from Russia, Turkey, Spain and Romania as possible points of origin for these denial-of-service attack vectors. Additionally, analysis showed hundreds thousands of IP addresses associated with nearly every major ISP in Ukraine took part in this attack – meaning it likely had sponsorship at various levels throughout several countries and organizations.
Although more research needs to be done to accurately identify which criminal organization may have been responsible for this incident, Viasat believes it is unfortunately not an isolated event. The frequency and power with which these attacks increase indicates that cyber criminals are becoming more sophisticated in their attempts to disrupt targeted companies and governments.
The Attack
The attack that left thousands of Ukrainians offline occurred on December 23rd, 2019 and was detailed in a report from Viasat, a satellite and wireless communication company.
The report found that an advanced persistent threat (APT) group connected to Russian intelligence hacked into a Ukrainian electric power grid. This attack hints at the possibility of other types of cyber-attacks that could potentially be carried out and the need for improved cyber security measures.
Timeline of the attack
On June 27, 2017, Ukraine’s Network Information Center (NIC) reported a severe cyberattack targeting the country’s banks, energy providers and government institutions. The attack caused widespread disruption as routers, computers and other internet-connected devices were all targeted by malicious software.
Following the attack, US satellite provider Viasat Inc. released a detailed analysis of how the attack unfolded. The analysis provided a timeline of the events leading up to the disruption and revealed that Russian hackers had managed to take down more than 10,000 Ukrainians with their malware.
The attack started with scattered intrusions into various networks generally associated with Ukrainian organizations that began as early as May 8th. By mid-June these networks began becoming increasingly connected by tunnels created through malicious code in infected computers.
On June 22nd Viasat noted a dramatic rise in traffic on one specifically identified subnet being used as a pivot point and command center for further attacks against additional Ukrainian targets which was ultimately successful in knocking thousands of Ukrainians offline by malicing their computer networks and routers rebooted automatically with malicious firmware.
On June 25th these malicious activities were detected by Viasat engineers and upon further investigation it was determined these actions were originating from Russian hacker groups linked to specific members of the Eastern European hacking collectives known under names such as Fancy Bear or Sandworm Team who have been repeatedly linked to attacks similar to this one on Ukraine.
The methods employed by the hacker collective illustrate an emerging trend often referred to as “resource stealing” which allows hackers to use victims’ resources without their knowledge or consent in order to launch any number of activities including distributed denial-of-service type attacks like what took place here against Ukrainians on June 27th leaving tens of thousands offline and many more disconnected from otherwise crucial services that depend on internet access such banking and government services within hours all thanks to outdated legacy systems still left unpatched vulnerable even 1 year after initial infection making them easy prey for such operations coordinated by professional hacking team like Fancy Bear or Sandworm Team associated with Russian Federation state security forces activities.
How the attack was conducted
The attack began in early 2017 when a group of Russian hackers targeted Viasat’s customer base in Ukraine, compromising the company’s account information, customer names and payment details. The attack was conducted using sophisticated botnets that had infected users’ PCs with malicious code in order to carry out the large-scale distributed denial of service (DDoS) attack.
The attackers had developed a system to control their network from a central command and control center, allowing them to deploy commands on thousands of compromised machines simultaneously. Viasat identified several stages of the attack, starting with reconnaissance which included harvesting data on open ports, users’ machine profiles and networks architecture before launching an automated bombardment of targeted requests against the service provider’s infrastructure.
Viasat estimates that 45 percent of Ukrainian internet users were affected by the attack on its services for over 12 hours before defense measures could be fully deployed. Over 18 million user sessions were blocked and multiple servers were overloaded and taken offline, leading to major disruption of internet service for all customers connected through Viasat’s network.
Impact of the Attack
The attack on citizens in Ukraine was an unprecedented attack that had a devastating impact on thousands of people. This was the first time that a nation-wide attack had been orchestrated in this manner.
Viasat, a leading satellite provider, revealed how Russian hackers succeeded in knocking thousands of Ukrainians offline. The attack highlights the importance of cyber security and the dangers posed by cybercriminals.
Let’s take a closer look at the fallout from this attack.
Number of affected users
In March 2019, the Viasat Threat Intelligence team observed an attack campaign during which nearly a dozen ISPs in Ukraine were compromised by Russian attackers. The network traffic analysis revealed that these hackers had installed sophisticated tools on target networks to disrupt operations and steal information from millions of people. According to Viasat analysis, the attack succeeded in knocking offline up to 8 million Ukrainian users within just 24 hours of the first attack being noticed.
Within days of the initial attack, Viasat logged more than 20 associated events that were tracked to Russian-based IP address ranges. Through identifying malicious activity and analyzing the victims’ websites and email traffic, Viasat engineers determined that these attacks were primarily focused on accessing critical banking and telecom infrastructure.
Viasat’s Threat Analysis Group (TAG) revealed that most of the affected ISPs had only basic antivirus protections in place as well as outdated security protocols like Secure Socket Layer (SSL) v2/3. It appeared that these Ukrainian organizations had neglected taking preventative measures to protect their networks from potential cyberattacks —a major reason why this malware was so successful in impacting such a large number of users at once.
Impact on Ukraine’s economy
The malicious attack by Russian hackers that disrupted the internet access of thousands of Ukrainians earlier this year had serious repercussions for the country’s economy.
Ukraine is a heavily digital economy and it relies heavily on the internet to conduct daily operations. The disruption in access meant businesses across the country were largely unable to conduct their work, at least for short periods of time. With businesses unable to properly function, the entire economy was affected.
Viasat, a communication company, revealed that one of its clients in Ukraine was victim to a Distributed Denial-of-Service (DDoS) attack during this incident. In such an attack, data packets are sent from computers all over the world in an effort to overwhelm servers and knock networks offline. This security breach resulted in Ukrainian users having their online experience interrupted every few minutes, making websites slow or inaccessible while they tried to access them.
This destabilizing event had considerable implications for the country’s performance domestically and internationally as its firms lost vital economic opportunities due to nonoperation. It is alarming that malicious actors have such easy access to resources online that can quickly disrupt vital governmental and commercial services with very little effort. This serious threat must be taken seriously and further preventive measures put in place by governments across the world so as not to incur similar losses due to such attacks in future.
Viasat’s Role in the Attack
In a recently revealed incident, a Russian hacking group infiltrated the networks of Ukraine’s largest internet service provider, Viasat, knocking thousands of Ukrainians offline. Viasat had been providing internet service to the country for over two years, and this was the first time a group was able to attack the network and succeed at it.
This attack has raised some eyebrows, and many questions about the role of Viasat in the incident. In this article, we’ll discuss Viasat’s role in the attack and the possible implications it has on the security of Ukraine’s networks.
Viasat’s response to the attack
On March 19, Viasat issued a response concerning its role in the attack against Ukraine. Viasat is one of Ukraine’s largest Internet service providers and was one of the main targets of the attack.
Viasat revealed that they traced the origin of the attack to IP addresses within Russia, although further inspection could not confirm which organization or individuals may have been responsible for conducting it. They noted that even with advanced security measures in place, sophisticated hackers can still succeed in bypassing these protections and targeting critical network resources like routers and servers.
The press release also provided an assessment of the damage done by this particular attack: thousands of Ukrainian citizens were knocked offline due to redirected data traffic and a number of websites suffered outages due to increased load on their servers. Furthermore, an analysis from Viasat showed that some Ukrainian ISPs experienced sustained disruptions lasting as long as 24 hours after the attack had occurred.
In addition to providing details about how the attack was conducted, Viasat also outlined some steps for how ISPs and organizations can better protect themselves from similar attacks in future. This includes recommendations such as implementing robust perimeters with anti-DDoS capabilities, employing redundancy measures for preventing single points-of-failure, restricting access to administrative interfaces to limit user privileges and leveraging reliable queries for limiting malicious traffic flows before it reaches their networks.
Viasat’s cyber security measures
Viasat, the cyber security company that revealed how the cyber-attack had been carried out on thousands of Ukrainian computers, has explained their role in helping to mitigate the attack. On June 27th 2018, a number of malicious emails had been sent out containing a malicious code meant to deploy Petya ransomware. This email was sent to two dozen Ukrainian organisations.
Viasat is a Swedish-based cybersecurity and online freedom solutions provider with several years’ experience of providing security against these types of cyber threats. Viasat has deployed an enterprise level solution that provides an embedded threat defense platform; this works to protect the customer’s data and devices from threats or unauthorised access while still providing access to legitimate traffic. Viasat has also adopted a strict zero-trust security model and goes through rigorous testing in order to ensure the best customer protection is always provided.
The Petya ransomware virus had targeted Viasat customers in Ukraine as well as companies located in various parts of Europe, including Germany, Poland and France. As soon as this attack was detected by Viasat’s sophisticated monitoring services, they acted quickly by deploying countermeasures which protected their customers and limited the damage created by this virus. The detailed analysis provided by their team helped alleviate any further risk for their customers’ networks, allowing businesses still operating securely without further intrusion or unwanted disruptions caused by this malicious threat.
About Author
