Open access

Invisible Battlefields: Analyzing the Viasat Attack and its Broader Implications

24 Jun 2025


Introduction

War has been a constant of human history. Since prehistoric times people have fought physically, with weapons and armour. In the modern world, however, charging across a battlefield is no longer the only way to wage war. Covertly entering a country's cyberspace and breaking it invisibly from within has become a key factor in emerging victorious. This invisible battlefield is known as cyber warfare: a series of cyber-attacks against a country, usually sponsored by another nation-state.

Such attacks can have grave repercussions for the victim country's civil and civic infrastructure. Distributed denial of service (DDoS), intrusion ("hacking") and malware are the types of attack most often used in cyber warfare (Slonopas, 2024).

The advent of the internet has made critical operations, among them financial systems, healthcare, power grids and communication systems, increasingly digital and therefore increasingly exposed. Alongside these, satellite communication (SATCOM) systems play a pivotal role in modern military and civilian operations, including secure military communications, satellite navigation (GPS), intelligence gathering, weather monitoring and internet access for remote locations.

Militaries rely heavily on satellites for coordination during battle, for guiding missiles and for real-time surveillance, which makes satellites a prime target for cyber-attacks. In a conflict where the stakes are high for both sides, disrupting a country's satellite networks can have severe consequences for its transportation, supply-chain and telecommunication systems. These dependencies illustrate the complex nature of cyber-attacks on satellites and how readily they can be used in modern warfare (Redazione, 2024).

Case Study
Overview of the Viasat Attack

In the early morning of 24 February 2022, about an hour before Russia began its invasion of Ukraine, a major cyber-attack struck Viasat's KA-SAT satellite network; specifically, customer modems were targeted. Service was disrupted across Ukraine and parts of Europe. On 23 February, the day before the attack, the attackers used a virtual private network (VPN) appliance to reach the servers that manage the network's internal segments. According to the accounts cited here, their initial attempts failed, but they eventually obtained a working credential and broke in.

After gaining unauthorized access, the attackers deployed AcidRain, a wiper malware, which erased data on approximately 40,000 to 45,000 modems, rendering them inoperable and causing a massive loss of connectivity (Vasquez & Groll, 2023; Guerrero-Saade, 2022; Viasat, 2022). The attack had grave implications in several domains:

Military Communications: In the first days of the war the Ukrainian military suffered severe communication failures that hindered battlefield coordination, because it relied heavily on Viasat for command and control (O'Neill, 2022).

Civilian Services: Thousands of internet users across Europe lost connectivity when Viasat's satellite service went down (Viasat, 2022; O'Neill, 2022).

Energy: The loss of satellite links cut remote monitoring and control of about 5,800 wind turbines in Germany and central Europe; the turbines themselves kept generating, but their operator could no longer manage them remotely (Guerrero-Saade, 2022).

The incident showed that the attackers understood the complexities of satellite communication systems well enough to exploit them for geopolitical ends. An attack with such devastating consequences also emphasizes the pressing need for stronger cybersecurity measures to protect space-based assets. The Viasat attack is a stark reminder of the vulnerabilities in modern communication systems and of the widespread consequences their exploitation can have.

Detailed Timeline of the Attack
Figure no. 1: Timeline Chart of the Viasat Cyberattack (Source: Author-generated based on Brumfield, 2025)

The timeline of the Viasat cyberattack begins in early February 2022: as geopolitical tensions between Russia and Ukraine rose, several cyberattacks targeted Ukraine's critical infrastructure.

One of the larger of these took place on 23 February, the day before Russia's invasion, when a distributed denial-of-service (DDoS) attack disrupted Ukrainian banking and government websites, likely serving as a prelude to the disruption of Viasat satellite communication that followed.

On 24 February the AcidRain malware disabled thousands of Viasat modems, severely affecting internet connectivity for Ukraine's military, government and civilians. Between 25 and 28 February the impact spread beyond Ukraine to European infrastructure, including Germany's wind energy sector. By late March the security firm SentinelOne had identified AcidRain as the wiper responsible for the attack. On 10 May, international bodies including the European Union, the United States and the United Kingdom formally condemned the operation and attributed it to Russian state actors (Brumfield, 2025).

Technical Analysis of the Attack: Incident Summary

Any satellite communication system has three segments: the space segment, the link segment and the ground segment. The ground segment is the heart of the system; it handles all communication between users and the satellite. The Russian attackers exploited weaknesses in the ground segment, namely the user modems and the servers that manage them, to gain access. It is important to note that the attackers never touched the space segment, the satellite itself, and still caused massive disruption (Boschetti et al., 2022).

Figure no. 2: Viasat's Network Infrastructure Diagram (Source: Author-generated based on Viasat, 2022)

The figure above shows the three segments of Viasat's network infrastructure and the weaknesses that were exploited to gain access to the KA-SAT ground network and, ultimately, the modems.

Exploitation of VPN Vulnerabilities

The Russian attackers exploited a vulnerability in the virtual private network (VPN) used by Viasat's ground segment. The VPN ran on a Fortinet FortiGate appliance operated by Skylogic, the main operator of the KA-SAT network (FortiGate is Fortinet's product line, not the name of the flaw). Fortinet had disclosed the flaw, and a fix for it, to customers including Skylogic in 2021, well before the attack. Exploiting it allowed the attackers to bypass the security controls in place and gain unauthorized access (Viasat, 2022; Boschetti et al., 2022). In 2021 a hacking group had also published nearly 500,000 credentials harvested from unpatched Fortinet VPN appliances, and it is believed that such leaked credentials could have been the ones used here. Patching the appliance closes the path by which credentials are harvested, but it does not invalidate credentials already stolen: unless the affected passwords were also reset, a leaked credential would have kept working on a fully patched device (Abrams, 2021).
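The practical lesson of the paragraph above is that leaked VPN credentials stay dangerous until the affected accounts are actually rotated, whether or not the appliance has been patched. The Python script below is an added example, not code from this paper or from Viasat, Skylogic or Fortinet: it takes a constructed slice of a leaked credential dump and checks each entry against a salted password store of the kind a VPN portal or directory keeps, reporting the accounts whose leaked password still verifies. The usernames, passwords, hash parameters and store layout are all invented for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample of a leaked VPN credential dump (username, plaintext password).
# These entries are invented for the example; they are not real leaked data.
LEAKED_DUMP: List[Tuple[str, str]] = [
    ("vpn-ops1", "Winter2021!"),
    ("vpn-ops2", "correct horse battery staple"),
    ("svc-noc", "Summer2019#"),
    ("vpn-ex-employee", "Passw0rd"),   # account no longer exists in the store
]

ITERATIONS = 100_000  # PBKDF2 work factor; real deployments tune this to their hardware


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the kind of hash a VPN portal or directory stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> Dict[str, bytes]:
    """Create a store entry with a fresh random salt (what a password change produces)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed current password store.  vpn-ops1 rotated after the leak; the other
# two accounts that appear in the dump still use the leaked password.
ACCOUNT_STORE: Dict[str, Dict[str, bytes]] = {
    "vpn-ops1": make_record("Spring2022$rotated"),
    "vpn-ops2": make_record("correct horse battery staple"),
    "svc-noc": make_record("Summer2019#"),
    "vpn-ops3": make_record("never-leaked"),
}


def accounts_still_using_leaked_password(
    dump: List[Tuple[str, str]], store: Dict[str, Dict[str, bytes]]
) -> List[str]:
    """Return the usernames whose leaked password still verifies against the store.

    Each hit is an account an attacker could log into today with the public dump,
    regardless of whether the vulnerability that leaked it has since been patched.
    """
    hits: List[str] = []
    for user, leaked_pw in dump:
        record = store.get(user)
        if record is None:
            continue  # account deleted or renamed; nothing to rotate
        candidate = hash_password(leaked_pw, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            hits.append(user)
    return hits


def rotation_summary(
    dump: List[Tuple[str, str]], store: Dict[str, Dict[str, bytes]]
) -> Dict[str, int]:
    """Counts for reporting: dumped accounts, how many still exist, how many are still exposed."""
    present = [u for u, _ in dump if u in store]
    exposed = accounts_still_using_leaked_password(dump, store)
    return {"in_dump": len(dump), "present": len(present), "still_exposed": len(exposed)}


if __name__ == "__main__":
    for user in accounts_still_using_leaked_password(LEAKED_DUMP, ACCOUNT_STORE):
        print(f"force password reset and enrol MFA: {user}")
    print(rotation_summary(LEAKED_DUMP, ACCOUNT_STORE))
```

In a real environment the store would be the appliance's local user database or the directory it authenticates against, and the remediation for every hit is a forced reset plus multi-factor enrolment; the check is worth repeating whenever a new dump surfaces, because a patch applied after the leak does nothing for passwords that were never changed.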

Unauthorized Network Access

Once inside the network, the attackers could reach Skylogic's gateway earth stations and point-of-presence (POP) servers over the internet through the VPN. From there they moved into the trusted management network, the internal network used to manage and operate the SurfBeam 2 modems that customers use for satellite communication (Boschetti et al., 2022).
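The structural weakness described above is a flat path from a VPN login straight into the modem-management network. The script below is an added illustration, not Viasat's or Skylogic's configuration (the real rule base is not public): it models a stateless, first-match firewall policy as an ordered rule list and audits whether any host in a VPN address pool can reach the management servers directly, comparing a flat policy with a segmented one that forces all management access through a jump host. Every address range, port and rule set in it is invented for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One first-match firewall rule. dport=None matches any destination port."""
    src: str             # source CIDR
    dst: str             # destination CIDR
    dport: Optional[int]
    action: str          # "allow" or "deny"


# Invented address plan for the example.
VPN_POOL = "10.200.0.0/28"     # addresses handed to remote VPN users
JUMP_HOST = "10.10.0.10/32"    # hardened bastion in a DMZ
MGMT_NET = "10.10.1.0/28"      # modem-management servers (trusted management network)
MGMT_PORTS = [22, 443]

# Flat policy: a VPN user can talk to anything once authenticated.
FLAT_POLICY: List[Rule] = [
    Rule(VPN_POOL, "0.0.0.0/0", None, "allow"),
]

# Segmented policy: VPN users reach only the jump host over SSH; only the jump host
# reaches the management servers; everything else to the management net is denied.
SEGMENTED_POLICY: List[Rule] = [
    Rule(VPN_POOL, JUMP_HOST, 22, "allow"),
    Rule(JUMP_HOST, MGMT_NET, 443, "allow"),
    Rule("0.0.0.0/0", MGMT_NET, None, "deny"),
]


def decide(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; a packet that matches nothing is denied (default-deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if (
            src in ipaddress.ip_network(rule.src)
            and dst in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport)
        ):
            return rule.action
    return "deny"


def direct_paths(
    policy: List[Rule], src_net: str, dst_net: str, ports: List[int]
) -> List[Tuple[str, str, int]]:
    """Every (src, dst, port) triple the policy allows from one network to another.

    Exhaustive over host addresses, so keep the networks small or sample in practice.
    """
    allowed: List[Tuple[str, str, int]] = []
    for s in ipaddress.ip_network(src_net).hosts():
        for d in ipaddress.ip_network(dst_net).hosts():
            for p in ports:
                if decide(policy, str(s), str(d), p) == "allow":
                    allowed.append((str(s), str(d), p))
    return allowed


def management_exposed(policy: List[Rule]) -> bool:
    """True if any VPN-pool address can reach the management network directly."""
    return bool(direct_paths(policy, VPN_POOL, MGMT_NET, MGMT_PORTS))


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: management net directly reachable from VPN pool = {management_exposed(policy)}")
```

The question the audit answers is the one that mattered in this incident: can an address that any remote user can obtain reach the management plane at all? In the segmented policy the answer is no, and the only permitted source, the jump host, is where multi-factor authentication and session recording belong.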

Deployment of Malware and Attack Techniques

Having reached the management network, the attackers pushed AcidRain, a wiper built for modems and routers, to the modems. It overwrote the modems' flash memory, erasing configuration and firmware on tens of thousands of devices. SentinelLabs assessed that the attackers abused the KA-SAT management mechanism in a supply-chain fashion to deliver the wiper. The modems were left inoperable, disrupting all communications that depended on them (Guerrero-Saade, 2022).
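A wiper that overwrites flash leaves a recognisable signature in a dump taken from an affected device: erase blocks that read back as uniform 0xFF or 0x00 instead of firmware, and a missing or corrupted image header. The Python below is an added forensic helper, not code from SentinelLabs or Viasat, and it does not reproduce AcidRain: it classifies each erase block of a flash-image dump, summarises how much of the image looks wiped, and lists the blocks that differ from a known-good dump. The 64 KiB block size, the "SBFW" header magic and both images are constructed for the example; the real SurfBeam 2 firmware layout is not described in this paper.

```python
import random
from collections import Counter
from typing import Dict, List

BLOCK_SIZE = 64 * 1024     # assumed NOR-flash erase block; adjust to the real part
HEADER_MAGIC = b"SBFW"     # hypothetical firmware header magic, not a real format


def classify_block(block: bytes) -> str:
    """'erased' (all 0xFF), 'zeroed' (all 0x00) or 'data'. One stray byte makes it 'data'."""
    if not block:
        return "empty"
    if block.count(0xFF) == len(block):
        return "erased"
    if block.count(0x00) == len(block):
        return "zeroed"
    return "data"


def scan_image(image: bytes, block_size: int = BLOCK_SIZE) -> List[str]:
    """Classify every erase block of a flash dump, in order."""
    return [classify_block(image[i:i + block_size]) for i in range(0, len(image), block_size)]


def assess_image(image: bytes, block_size: int = BLOCK_SIZE) -> Dict[str, object]:
    """Summarise how much of the dump looks wiped and whether the header survived."""
    blocks = scan_image(image, block_size)
    counts = Counter(blocks)
    wiped = counts["erased"] + counts["zeroed"]
    return {
        "blocks": len(blocks),
        "data": counts["data"],
        "erased": counts["erased"],
        "zeroed": counts["zeroed"],
        "header_ok": image[:len(HEADER_MAGIC)] == HEADER_MAGIC,
        "wiped_fraction": wiped / len(blocks) if blocks else 0.0,
    }


def changed_blocks(known_good: bytes, suspect: bytes, block_size: int = BLOCK_SIZE) -> List[int]:
    """Indices of blocks that differ from a known-good dump of the same firmware version."""
    n_blocks = (max(len(known_good), len(suspect)) + block_size - 1) // block_size
    return [
        i for i in range(n_blocks)
        if known_good[i * block_size:(i + 1) * block_size] != suspect[i * block_size:(i + 1) * block_size]
    ]


def build_known_good(n_blocks: int = 8, seed: int = 7) -> bytes:
    """Constructed pseudo-firmware: header magic followed by deterministic pseudo-random bytes."""
    rnd = random.Random(seed)
    return HEADER_MAGIC + rnd.randbytes(n_blocks * BLOCK_SIZE - len(HEADER_MAGIC))


def simulate_wiped_dump(known_good: bytes, first_wiped_block: int, n_wiped: int, fill: int = 0xFF) -> bytes:
    """Constructed test data: the same dump with n erase blocks replaced by the erased-flash fill value."""
    dump = bytearray(known_good)
    start = first_wiped_block * BLOCK_SIZE
    end = min(len(dump), start + n_wiped * BLOCK_SIZE)
    dump[start:end] = bytes([fill]) * (end - start)
    return bytes(dump)


if __name__ == "__main__":
    good = build_known_good()
    suspect = simulate_wiped_dump(good, first_wiped_block=0, n_wiped=6)
    print("known-good:", assess_image(good))
    print("suspect:   ", assess_image(suspect))
    print("blocks changed:", changed_blocks(good, suspect))
```

On a real device the dump comes from the flash part itself (via the bootloader or a programmer), and the known-good image from an unaffected unit running the same firmware version; a high wiped fraction with a destroyed header is what distinguishes a deliberate wipe from a failed upgrade, which typically corrupts only the partition being written.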

Maintaining Access and Flooding the Network with Malicious Traffic (DoS)

As the modems went offline, the attackers also launched a denial-of-service (DoS) flood. It prevented legitimate modems from connecting, caused others to drop off the network, and slowed Viasat's and Skylogic's efforts to mitigate the attack (Viasat, 2022).

Figure no. 3: Viasat's Kill Chain Diagram (Source: Author-generated based on Boschetti et al., 2022)

Kill Chain Analysis of the Viasat's Cyberattack

The figure above illustrates the kill chain of the Viasat cyberattack, from initial reconnaissance to the final step, actions on objectives. The attackers began by gathering intelligence and finding vulnerabilities in Viasat's VPN. They then weaponized a wiper, AcidRain, built to target the modems.

Delivery and exploitation went through the unpatched Fortinet VPN, whose critical vulnerability gave them access. Once in, they installed and ran AcidRain on the modems, erasing their memory.

The attackers maintained control through the VPN, essentially by issuing malicious management commands. Finally, they achieved their objective: satellite communications were disrupted for military and civilian users alike, above all in Ukraine.

Attribution and Impact of the Attack

In its initial investigation in March 2022, SentinelLabs attributed AcidRain to Russia, citing several similarities to the 2018 VPNFilter campaign linked to the Russian government (Guerrero-Saade, 2022). On 10 May the European Union and the Five Eyes nations, including the US, formally attributed the attack to Russia, naming Russian military intelligence (the GRU), and linked it to other destructive wipers, such as WhisperGate, that had previously targeted Ukraine. Many other European countries aligned themselves with this attribution, reinforcing the political attribution of cyberattacks (CyberPeaceInstitute, 2022).

The Viasat KA-SAT cyberattack had severe and widespread consequences, affecting not only Ukraine but many European countries. Its primary impact was the disruption of communication infrastructure on which a country's military, civilian and government functions depend.

Disruption of Ukrainian Communications and Military Operations

The primary target was Ukraine's satellite-based communication infrastructure, which played a crucial role in its military operations. By wiping thousands of KA-SAT modems, the attack cut off internet access for Ukrainian military units, greatly affecting their ability to coordinate during the early hours of Russia's full-scale invasion on 24 February 2022, to the advantage of Russian units (O'Neill, 2022; Foreign & Truss, 2022).

Collateral Damage in Europe

The attack also damaged telecommunication systems outside Ukraine, threatening both military and civilian operations. The affected civilian services were not confined to Ukraine but spread across neighbouring European countries that shared the same Viasat satellite.

There were major internet outages: in France nearly 9,000 subscribers of a satellite internet service lost connectivity, and some reported that the outage lasted more than two weeks. Germany's energy sector was also hit, with remote access lost to more than 5,800 wind turbines. The attack was important in showing how interconnected modern critical infrastructure is, and how targeting infrastructure in one place can disable work and services in another country (CyberPeaceInstitute, 2022).

Technical and Economic Impact

The technical and financial impact on Viasat was substantial. Viasat had to mount urgent mitigation efforts, including replacing modems whose firmware had been wiped and could not be restored in the field (the modems were not physically damaged, but recovery required reflashing or replacement), and reinforcing network security so that such an attack could not recur. It shipped at least 30,000 replacement modems, which likely incurred significant costs.

These were the visible losses. Beyond them, the attack underscored the broader economic risks that cyber threats to critical infrastructure pose to businesses and service providers that depend on uninterrupted satellite connectivity for their day-to-day operations (Viasat, 2022).

Geopolitical Impact

The cyber-attack on Viasat's KA-SAT network had significant geopolitical repercussions. The European Union (EU) condemned the Russian-sponsored malicious cyber-attack against Ukraine, emphasizing that it facilitated Russia's military aggression by causing communication outages for public authorities, businesses and users in Ukraine and in several EU Member States.

In response, the EU, together with international partners such as Iceland and Norway, considered measures to prevent and deter future attacks, stressing the importance of strengthening cyber resilience and security, and backed this with financial and political support to Ukraine (European Union (EU), 2022).

Beyond the EU, the US National Security Agency (NSA) collaborated with Viasat and other satellite providers to protect satellite systems from outside threats, issuing warnings and mitigation guidance to satellite communication providers after the attack. The process took months, and in May 2022 the US and European countries imposed sanctions on Russia. Although these sanctions were not tied explicitly to the Viasat hack, they followed directly from the attribution and were intended to burden Russia financially, signalling support for Ukraine during the invasion and disapproval of nation-sponsored cyber warfare (Greig, 2023).

Hybrid Warfare: A Strategy Utilized by Russia

The Viasat cyber-attack is a critical example of cyber warfare used as a strategic tool in a geopolitical conflict. Striking Ukraine's satellite communications about an hour before Russia launched its full-scale attack on 24 February 2022 shows how cyber-attacks can be integrated into traditional military strategy.

The attack was not an isolated cybersecurity incident but part of a hybrid-warfare approach in which cyberattacks, disinformation and military aggression are combined strategically to destabilize the Ukrainian government (O'Neill, 2022).

It is a classic case of hybrid warfare, which combines conventional and unconventional methods: military operations, cyber warfare, disinformation campaigns and economic pressure are blended to incapacitate the targeted nation. By launching a cyberattack just before the physical invasion, Russia created a massive digital disruption that weakened Ukraine's defensive capabilities and delayed communication among military and government entities alike (Ball, 2023).

This strategy is key to understanding how cyber operations now support conventional warfare. The attack also showed how easily hybrid warfare blurs the line between military and civilian targets: although the attackers' primary goal was to disrupt Ukrainian military communications, the spillover caused collateral damage to thousands of civilian users and businesses across Europe.

Hybrid warfare, in other words, does not discriminate, and the attack's impact matches the broader aims of hybrid warfare, in which cyber-attacks create widespread uncertainty, economic disruption and psychological pressure on the adversary (O'Neill, 2022).

Mitigation Strategies

Immediate Incident Response

As soon as the attack took place, Viasat acted to stabilize the network. The network was largely stabilized within hours and fully stabilized within days, limiting further disruption to the services that depend on it (Viasat, 2022).

Collaboration with Security Experts

Viasat engaged Mandiant, a third-party incident-response and forensics firm, to investigate the breach. The aim of the engagement was to identify the weaknesses exploited and, using Mandiant's threat-analysis expertise, to prevent similar incidents (Viasat, 2022).

Exploited Vulnerabilities and Patch Management

The Russian attackers exploited a known vulnerability in a Fortinet FortiGate VPN appliance to gain access to the network's management systems. The incident reinforces the need for regular patch management and timely updates of security controls to address known vulnerabilities, and, because the attackers may have used previously leaked credentials, for resetting credentials whenever a vulnerable appliance is patched (Poireault, 2023).
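The patch-management point above is easy to get wrong in practice, because firmware versions do not sort as strings and a fix is usually back-ported to several release branches. The Python below is an added example, not Fortinet tooling and not derived from any real advisory: it parses version strings from an asset-inventory export, compares them numerically against a per-branch "fixed in" table and triages each appliance. The branch table, hostnames and version strings are all invented for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Hypothetical advisory data: lowest patched version on each supported release branch.
# These numbers are invented for the example and are NOT a real Fortinet advisory.
FIXED_IN: Dict[str, Version] = {
    "5.6": (5, 6, 8),
    "6.0": (6, 0, 5),
    "6.2": (6, 2, 0),
}

# Constructed inventory export: (hostname, version string as reported by the device).
INVENTORY: List[Tuple[str, str]] = [
    ("vpn-gw-01", "v6.0.10,build0365"),  # "6.0.10" < "6.0.5" as strings, but patched numerically
    ("vpn-gw-02", "v6.0.4,build0231"),
    ("vpn-gw-03", "5.6.8"),
    ("vpn-gw-04", "v5.4.13,build1185"),  # branch absent from the table: end-of-life, must upgrade
    ("vpn-gw-05", "v6.4.2"),             # branch newer than every fixed branch
    ("vpn-gw-06", "unknown"),            # device did not report a version
]

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch as integers; None if the string carries no version."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def triage(version_text: str, fixed_in: Dict[str, Version] = FIXED_IN) -> str:
    """Classify one device: patched, vulnerable, unaffected, unsupported-branch or unparseable."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    branch = f"{v[0]}.{v[1]}"
    if branch in fixed_in:
        return "patched" if v >= fixed_in[branch] else "vulnerable"
    # Branch not in the advisory: newer than every fixed branch means the fix was already
    # present at release; older means an unsupported branch that has to be upgraded.
    return "unaffected" if v >= max(fixed_in.values()) else "unsupported-branch"


def triage_inventory(
    inventory: List[Tuple[str, str]] = INVENTORY, fixed_in: Dict[str, Version] = FIXED_IN
) -> Dict[str, str]:
    """Status per hostname for the whole inventory."""
    return {host: triage(text, fixed_in) for host, text in inventory}


def needs_action(
    inventory: List[Tuple[str, str]] = INVENTORY, fixed_in: Dict[str, Version] = FIXED_IN
) -> List[str]:
    """Hosts to pull off the internet-facing path until fixed or verified."""
    return [
        host for host, status in triage_inventory(inventory, fixed_in).items()
        if status in ("vulnerable", "unsupported-branch", "unparseable")
    ]


if __name__ == "__main__":
    for host, status in triage_inventory().items():
        print(f"{host}: {status}")
    print("needs action:", needs_action())
```

A device that reports no version is treated as needing action rather than ignored, since an appliance that cannot be inventoried cannot be shown to be patched. The report is only the first half of the job: on an appliance that was exposed while vulnerable, patching must be followed by a credential reset and a check of the logs for access that predates the patch.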

Future Outlook

Need for Transparency in Communication

There is a distinct need for clear and transparent communication after any cyber incident. Timely disclosure not only limits the spread of misinformation but also helps other organizations strengthen their defences against the same persistent threats (Poireault, 2023).

Recognition of Space as Critical Infrastructure

The Viasat cyber-attack was pivotal in revealing the vulnerabilities of commercial telecommunication satellite systems and their strategic importance, especially in wartime. The European Union subsequently classified space as critical infrastructure for the first time, in the NIS2 Directive, which allows it to mandate stronger cybersecurity measures for the sector (Poireault, 2023).

Segregation Between Military and Civilian Infrastructure

Commercial satellites support both military and civilian infrastructure, with more than 80% of military communications relying on them for critical operations. Yet commercial satellites are not equipped with the strong security measures that military operations require, which makes them vulnerable and attractive targets, and an attack on them has devastating consequences for the military and the public alike. This creates an urgent need to separate military and civilian space infrastructure cleanly; a clear separation would better protect civilians from such attacks (Poireault, 2023).

The Viasat cyber-attack therefore serves as a pivotal learning opportunity, stressing the need for advanced cybersecurity strategies in satellite communications. Adopting these mitigation strategies and preparing for future challenges will build resilience against cyber threats.

Conclusion

Cyber warfare is a novel way of waging war without conventional fighting, and it is here to stay. The Viasat KA-SAT cyber-attack makes this growing role plain: it exposed key vulnerabilities in satellite communication and the devastating impact their exploitation can have on military, civilian and critical infrastructure. Russian state-sponsored attackers exploited weaknesses in the network's ground infrastructure and used the AcidRain wiper to disrupt critical Ukrainian military operations and to cut off internet access for civilians in Ukraine and parts of Europe. They also cut off the remote monitoring of thousands of wind turbines in Germany simply by severing the turbines' satellite links, all about an hour before the full-scale invasion began.

The attack shows how seamlessly cyber operations can be integrated into traditional warfare and underlines the urgent need to treat space and satellites as critical infrastructure that requires new, advanced and robust cybersecurity measures. The geopolitical consequences were also strong, with international condemnation and sanctions imposed on the Russian government by the European Union and the US. The attack reinforced the reality that cyber warfare is no longer an abstract concept but a tangible threat with devastating consequences. As satellites and other space-based assets become ever more central to daily life and to national and global security, governments, businesses and security agencies alike must prioritize resilience, transparency and advanced security measures to prevent such attacks in the future.

The Viasat attack can be seen as both a warning and a call to action: in the digital age the front lines of war are no longer only on the battlefield but also in cyberspace, where a single misstep can change history.