EXCLUSIVE-US spy agency investigates satellite internet sabotage during Russian invasion

By James Pearson, Raphael Satter, Christopher Bing, and Joel Shechtman

(Reuters) – Western intelligence agencies are investigating a cyber attack by unknown hackers that disrupted broadband internet access in Ukraine in conjunction with the Russian invasion, three people with direct knowledge of the incident said.

Analysts from the US National Security Agency, French state cybersecurity organization ANSSI, and Ukrainian intelligence are assessing whether the remote sabotage of a satellite internet provider's service was the work of Russian state-backed hackers preparing the battlefield by trying to cut communications.

The digital raid on the satellite service began on February 24 between 5 a.m. and 9 a.m., just as Russian forces began entering and firing missiles, striking major Ukrainian cities including the capital, Kyiv.

The consequences are still being investigated, but the satellite modems of tens of thousands of customers in Europe have stopped working, according to an official at US telecoms company Viasat, which owns the affected network.

Hackers have disabled modems that connect to Viasat Inc’s KA-SAT satellite, which provides Internet access to some customers in Europe, including Ukraine. After more than two weeks, sellers told Reuters, some remained offline.

What appears to be one of the most significant wartime cyberattacks publicly disclosed to date has intrigued Western intelligence because Viasat acts as a defense contractor for both the United States and several allies.

Government contracts reviewed by Reuters show that KA-SAT provided Internet connectivity to Ukrainian army and police units.

Pablo Brewer, a former technician for the US Special Operations Command, or SOCOM, said cutting off satellite internet could hamper Ukraine’s ability to fight Russian forces.

“Traditional terrestrial radios only reach so far,” Brewer said. “If you’re using modern smart systems, smart weapons, and you’re trying to do combined arms maneuvers, then you have to rely on these satellites.”

The Russian Embassy in Washington did not immediately respond to a letter seeking comment. Moscow has repeatedly rejected allegations of its participation in cyber attacks.

Russian soldiers besieged Ukrainian cities in what the Kremlin called a “de-Nazification” operation that the West denounced as an unprovoked attack and that led to tough sanctions against Moscow as punishment.

Modem turned on

Viasat said in a statement that the outage experienced by customers in Ukraine and elsewhere was the result of a “deliberate, isolated, and external cyber event” but has not yet provided a detailed, general explanation of what happened.

“The network is stable and we are restoring service and activating stations as quickly as possible,” company spokesperson Chris Phillips said in an email, adding that the company prioritizes “critical infrastructure and humanitarian assistance.”

The affected modems appear to be completely out of order, according to Jaroslav Stritecky, who runs the Czech telecommunications company INTV. He said the four status lights on SurfBeam 2 curved modems usually indicate if they’re connected to the Internet. After the attack, the lights on Viasat devices did not turn on at all.

A Viasat official said that a misconfiguration in the “management section” of the satellite network allowed hackers to remotely access modems, disabling them. He said most of the damaged devices would need to be reprogrammed either by an on-site technician or a repair depot and that some would have to be replaced.

The Viasat official was not forthcoming about what the network’s “admin department” referred to and declined to provide further details. KA-SAT and associated ground stations, which Viasat bought last year from European company Eutelsat, are still operated by a Eutelsat subsidiary.

Eutelsat referred the questions back to Viasat.

Viasat has hired US cybersecurity firm Mandiant, which specializes in tracking state-sponsored hackers, to investigate the breach, according to two people familiar with the matter.

Spokespeople for the NSA, ANSSI and Mandiant declined to comment.

Viasat said that government customers who purchased services directly from the company were not affected by the disruption. However, the KA-SAT network is operated by a third party that in turn distributes the service through various distributors.

Over the past several years, Ukraine’s military and security services have purchased several different communications systems operating over the Viasat network, according to contracts published on ProZorro, Ukraine’s transparency platform.

The Ukrainian military did not immediately respond to a message seeking comment.

Some internet distributors are still waiting for their devices to be replaced.

Stritecky, the Czech communications director, said he did not blame Viasat.

He noted that when he began work on the morning of the invasion, he saw a screen showing regional satellite coverage in the Czech Republic, neighboring Slovakia and Ukraine in red.

“It immediately became clear what had happened,” he said.

(Reporting by James Pearson, Raphael Satter, Christopher Bing and Joel Shecktman; Editing by Chris Sanders and Grant McCall)