US, UK and EU blame Russia for ‘unacceptable’ Viasat cyberattack

The U.S., U.K. and EU have formally blamed the Russian government for the February cyberattack against satellite communications provider Viasat, which triggered outages across central and eastern Europe hours before Russia launched its invasion of Ukraine.

“The European Union and its member states, together with its international partners, strongly condemn the malicious cyber activity conducted by the Russian Federation against Ukraine, which targeted the satellite KA-SAT network, operated by Viasat,” the EU said in the joint statement attributing the attack to Russia.

While the primary target of the attack is believed to have been the Ukrainian military, which relies heavily on satellite communications, the February 24 attack also impacted internet service for thousands of Viasat customers in Ukraine and tens of thousands of customers across Europe. The attack also disconnected remote access to about 5,800 wind turbines across Germany as they relied on Viasat routers for remote monitoring and control.

The attack on Viasat’s network has not yet been fully resolved months later. Viasat says the cyberattack also damaged tens of thousands of terminals that cannot be repaired and said in its most recent analysis of the incident that it had so far shipped almost 30,000 routers to customers in an effort to bring them back online.

“This unacceptable cyberattack is yet another example of Russia’s continued pattern of irresponsible behavior in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine,” the EU continued, adding that the bloc is “considering further steps to prevent, discourage, deter and respond to such malicious behavior.”

In its own statement, the U.K.’s National Cyber Security Centre said Russia’s military intelligence was “almost certainly” behind the defacements of Ukrainian government websites in January and the deployment of WhisperGate destructive malware prior to the invasion. The U.S. has also observed Russian military cyber operators deploying wiper malware, including WhisperGate, on Ukrainian government and private sector networks.

The formal attribution of the Viasat cyberattack comes weeks after SentinelOne researchers said the incident was likely the result of a new strain of Russian wiper malware called “AcidRain” that was designed to remotely erase vulnerable modems. Viasat confirmed to TechCrunch that the findings were “consistent” with its own analysis of the attack.

SentinelLabs noted similarities between AcidRain and the VPNFilter malware, which the FBI in 2018 attributed to the Russian military intelligence hacking group known as “Fancy Bear,” or APT28. More recently, the U.S. National Security Agency and CISA tied the activity to Sandworm, which has been accused of a five-year spree of attacks, including the destructive NotPetya cyberattack that targeted hundreds of firms and hospitals worldwide. Both APT28 and Sandworm have been linked to Russia’s military intelligence agency, the GRU.