WASHINGTON — A cyberattack that knocked out satellite communications in Ukraine in the hours before the Feb. 24 invasion was the work of the Russian government, the United States and European countries said Tuesday, officially assigning blame for an attack that unsettled Pentagon officials and the private sector as it revealed new vulnerabilities in global communications systems.
In a coordinated series of statements, the governments blamed Moscow but did not explicitly name the organization that carried out the sophisticated attempt to knock out Ukrainian communications. But US officials, who spoke on condition of anonymity about the details of the findings, said it was Russian military intelligence, the GRU — the same group responsible for the 2016 Democratic National Committee hack and a series of attacks on the US and Ukraine.
“This unacceptable cyberattack is yet another example of Russia’s continued pattern of irresponsible behavior in cyberspace, which was also an integral part of its illegal and unwarranted invasion of Ukraine,” Josep Borrell Fontelles, the top diplomat of the European Union, said in a statement. “Cyber attacks targeting Ukraine, including against critical infrastructure, can spread to other countries and cause systemic effects that endanger the security of European citizens.”
The attack targeted a system operated by Viasat, a California company that provides high-speed satellite communications services, which were heavily used by the Ukrainian government. The attack came a few weeks after a number of Ukrainian government websites were hit with “wiper” software that destroys data.
The Viasat attack appeared designed to disrupt Ukraine’s command and control of its forces during the critical early hours of the Russian invasion, US and European officials said. The hack also disconnected thousands of citizens in Ukraine and across Europe. It even disrupted the operation of thousands of wind turbines in Germany that relied on Viasat’s technology to monitor conditions and control the turbine network.
Viasat immediately launched an investigation and engaged the cybersecurity firm Mandiant to write a report. Although Viasat published the first conclusions in March, the deeper investigations have not been made public.
Nevertheless, those initial conclusions were striking: to take out the satellites in space, the hackers never had to attack the satellites themselves. Instead, they focused on ground modems, the devices that communicated with the satellites. A senior government official said the vulnerability of those systems was “a wake-up call,” raising concerns among the Pentagon and US intelligence agencies, who fear that Russia or China could exploit similar vulnerabilities in other critical communications systems.
US and European officials have warned that cyber weapons are often unpredictable, and the sprawling disruptions caused by the Viasat hack have shown how quickly a cyber attack can go beyond its intended targets. In 2017, a Russian cyber-attack in Ukraine called NotPetya quickly spread around the world, disrupting the operations of Maersk, the Danish shipping conglomerate, and other major companies.
Like other attacks on critical infrastructure, such as the Colonial Pipeline hack in 2021, the Viasat hack revealed a weakness in an essential service that was exploited by Russian hackers without much technical sophistication. The attack on the Colonial Pipeline led to the only face-to-face meeting between President Biden and President Vladimir V. Putin of Russia last June in Geneva. At that meeting, Mr. Biden warned Mr. Putin about ransomware or other attacks on critical US infrastructure. But the Viasat attack, which targeted a US company, did not hit US shores.
Officials in the United States and Ukraine had long believed Russia was responsible for the cyber attack on Viasat, but had not formally “attributed” the incident to Russia. While US officials long ago came to their conclusions, they wanted European countries to lead the way, as the attack had significant resonance in Europe, but not in the United States.
The statements released Tuesday stopped short of naming a particular Russian-sponsored hacking group for orchestrating the attack, an unusual omission as the United States has routinely released information about the specific intelligence agencies responsible for attacks, in part to increase their visibility in the Russian government.
“We have and will continue to work closely with relevant law enforcement and government agencies as part of the ongoing investigation,” said Dan Bleier, a Viasat spokesperson. Mandiant, the cybersecurity firm hired by Viasat to investigate the matter, declined to comment on the findings.
But researchers at the cybersecurity firm SentinelOne believed the Viasat hack was likely the work of the GRU, Russia’s military intelligence unit. The malware used in the attack, known as AcidRain, showed significant similarities to other malware previously used by the GRU, SentinelOne researchers said.
Unlike its predecessor malware, known as VPNFilter and built to destroy specific computer systems, AcidRain was created as a multipurpose tool that can be easily used against a wide variety of targets, researchers said. In 2018, the Justice Department and the Federal Bureau of Investigation said that Russia’s GRU was responsible for creating the VPNFilter malware.
The AcidRain malware is “a very generic solution, in the narrowest sense of the word,” said Juan Andres Guerrero-Saade, one of SentinelOne’s principal threat researchers. “They can take this tomorrow and if they want to do a supply chain attack on routers or modems in the US, AcidRain would work.”
US officials have warned that Russia could carry out a cyber attack on critical US infrastructure and have urged companies to strengthen their online defenses. The US has also helped Ukraine detect and respond to Russian cyberattacks, the State Department said.
“As countries work to maintain the rules-based international order in cyberspace, the United States and its allies and partners are taking steps to defend against Russia’s irresponsible actions,” said Secretary of State Antony J. Blinken, noting that the United States provides satellite telephones, data terminals and other connectivity equipment for Ukrainian government officials and critical infrastructure operators.
The UK said it would also continue to help Ukraine fend off cyber-attacks. “We will continue to denounce Russia’s malicious behavior and unprovoked aggression across land, sea and cyberspace, and make sure it suffers dire consequences,” British Foreign Secretary Liz Truss said.
“All countries must join forces to stop the aggressor, to make it impossible for them to continue attacking and be held accountable for their actions,” a spokesman for Ukraine’s security and intelligence service said in a statement about the attribution of the Viasat hack to Russia. “Only sanctions, coordinated activity, awareness of public institutions, businesses and citizens can help us achieve this goal and achieve true peace in cyberspace.”