{"id":2474,"date":"2023-10-10T16:49:39","date_gmt":"2023-10-10T14:49:39","guid":{"rendered":"https:\/\/www.spacesecurity.info\/an-analysis-of-the-viasat-cyber-attack-with-the-mitre-attck-framework\/"},"modified":"2025-01-13T16:52:42","modified_gmt":"2025-01-13T15:52:42","slug":"an-analysis-of-the-viasat-cyber-attack-with-the-mitre-attck-framework","status":"publish","type":"post","link":"https:\/\/www.spacesecurity.info\/en\/an-analysis-of-the-viasat-cyber-attack-with-the-mitre-attck-framework\/","title":{"rendered":"An analysis of the Viasat cyber attack with the MITRE ATT&CK\u00ae framework"},"content":{"rendered":"

Disclaimer<\/h2>\n

To do this analysis of the Viasat cyber attack, I used the open-source intelligence (1) of the team composed by Nicol\u00f2 Boschetti (Cornell University), Nathaniel Gordon (Johns Hopkins University) and Gregory Falco (Cornell University). In their open-source intelligence, they reconstructed the lifecycle of the attack. They specified that however, without first-hand knowledge of ViaSat\u2019s systems, they cannot be certain about their hypothesis. With their open-source intelligence, they schematized the entire attack lifecycle in a diagram.<\/p>\n

Viasat\u2019s statement (2) on Wednesday, March 30th, 2022 provides a somewhat plausible but incomplete description of the attack.<\/p>\n

In a statement disseminated to journalists (3), Viasat confirmed the use of the AcidRain wiper in the February 24th attack against their modems.<\/p>\n

At the DefCon 31, Mark Colaluca and Nick Saunders from Viasat presented a talk named “Defending KA-SAT<\/a>“. During this talk, they argued not to believe everything that you can read on the internet. It’s often simply inaccurate. They told that there is no evidence or proof of the claims. There is no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference. Regarding, the possibility that wipermalware was deployed and erased the hard drives of the modems, they answered that modems don’t have hard drives.<\/p>\n

At the Black Hat USA 2023, Mark Colaluca , Craig Miller , Nick Saunders , Michael Sutton , Kristina Walter from Viasat presented a talk named “Lessons Learned from the KA-SAT Cyberattack: Response, Mitigation and Information Sharing<\/a>“. This presentation will provide the most detailed public presentation of the KA-SAT event. Viasat will share the story of how it responded and performed a rapid forensic on several impacted terminals. This presentation will explain details around the forensic analysis that have not previously been publicly shared by Viasat, as well as the process of reverse engineering the malicious toolkit to verify it would produce the observed flash memory effects. Both Viasat and NSA will offer their lessons learned from the cyberattack and advise on how commercial and government organizations can follow this model to partner both in response to and preparation for future attacks.<\/p>\n

Introduction<\/h2>\n

In this article, we will go through the Viasat cyber attack that occured on 24 February, 2022. The goal is to do a modelisation of this attack based on the MITRE ATT&CK framework.<\/p>\n

The first question will be to explain why to use the MITRE ATT&CK framework to do this analysis while there are others frameworks and methodologies that can be used for the space sector.<\/p>\n

The next work will be to identify Tactics, Techniques and Procedures (TTPs) from the MITRE ATT&CK matrix that have been used by the hackers during the Viasat attack. To learn more about the MITRE ATT&CK framework, you can go to this article<\/a> about the ATT&Ck v13 release.<\/p>\n

Once TTP identified, we will map the TTPs on the ATT&CK Navigator<\/a> in order to have the complete attack chain as a cyber kill chain.<\/p>\n

About the Viasat hack in brief<\/h2>\n

The Viasat hack was a cyberattack on American communications company Viasat affecting their KA-SAT network, on 24 February, 2022.<\/p>\n

Thousands of Viasat modems got hacked by a “deliberate … cyber event”. Thousands of customers in Europe have been without internet for a month since. During the same time, remote control of 5,800 wind turbines belonging to Enercon in Central Europe was affected.<\/p>\n

According to Viasat, the attacker used a poorly configured virtual private network appliance to gain access to the trusted management part of the KA-SAT network. The attackers then issued commands to overwrite part of the flash memory in modems, making them unable to access the network, but not permanently damaged. The satellite itself and its ground infrastructure were not directly affected.<\/p>\n

About Viasat<\/h2>\n

\"\"<\/a><\/p>\n

Viasat is an American communications company based in Carlsbad, California, with additional operations across the United States and worldwide. Viasat is a provider of high-speed satellite broadband services and secure networking systems covering military and commercial markets<\/p>\n

Which framework using ?<\/h2>\n

The first question is which framework to use to do this analysis ? At this time, there are 5 frameworks and methodologies that can be used for the space sector :<\/p>\n