Russia Was Behind Cyberattack in Run-Up to Ukraine War, Investigation Finds
WASHINGTON — A cyberattack that took down satellite communications in Ukraine in the hours before the Feb. 24 invasion was the work of the Russian government, the United States and European nations declared on Tuesday, officially fixing the blame for an attack that rattled Pentagon officials and private industry because it revealed new vulnerabilities in global communications systems.
In a coordinated set of statements, the governments blamed Moscow but did not explicitly name the organization that conducted the sophisticated effort to black out Ukrainian communications. But American officials, speaking on condition of anonymity about the specifics of the findings, said that it was the Russian military intelligence agency, the G.R.U. — the same group responsible for the 2016 hack of the Democratic National Committee and a range of attacks on the U.S. and Ukraine.
“This unacceptable cyberattack is yet another example of Russia’s continued pattern of irresponsible behavior in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine,” Josep Borrell Fontelles, the European Union’s top diplomat, said in a statement. “Cyberattacks targeting Ukraine, including against critical infrastructure, could spill over into other countries and cause systemic effects putting the security of Europe’s citizens at risk.”
The attack focused on a system that is run by Viasat, a California company that provides high-speed satellite communication services, and that was used heavily by the Ukrainian government. The attack came a few weeks after some Ukrainian government websites were hit with “wiper” software that destroys data.
The Viasat attack appeared intended to disrupt Ukraine’s command and control of its troops during the critical first hours of Russia’s invasion, American and European officials said. The hack also disconnected thousands of civilians in Ukraine and across Europe from the internet. It even thwarted the operation of thousands of wind turbines in Germany that relied on Viasat’s technology for monitoring conditions and controlling the turbine network.
Viasat immediately launched an investigation and called in Mandiant, the cybersecurity firm, to write a report. While Viasat published initial conclusions in March, the deeper studies have not been made public.
Nonetheless, those initial conclusions were striking: To black out the space-based satellites, the hackers never had to attack the satellites themselves. Instead, they focused on ground-based modems, the devices that communicated with the satellites. One senior government official said that the vulnerability of those systems was “a wake-up call,” raising concerns at the Pentagon and American intelligence agencies, which fear that Russia or China could exploit similar vulnerabilities in other critical communications systems.
U.S. and European officials have cautioned that cyberweapons are often unpredictable, and the sprawling disruptions caused by the Viasat hack showed how quickly a cyberattack can spill beyond its intended targets. In 2017, a Russian cyberattack in Ukraine, called NotPetya, quickly spread around the globe, disrupting the operations of Maersk, the Danish shipping conglomerate, and other major companies.
Like other attacks on critical infrastructure, such as the 2021 hack of Colonial Pipeline, the Viasat hack revealed a weak point in an essential service that was exploited by Russian hackers without much technical sophistication. The Colonial Pipeline attack led to the one face-to-face meeting between President Biden and President Vladimir V. Putin of Russia, in Geneva last June. During that meeting, Mr. Biden warned Mr. Putin against ransomware or other attacks on critical U.S. infrastructure. But the Viasat attack, while directed at an American company, did not touch American shores.
Officials in the United States and Ukraine had long believed that Russia was responsible for the cyberattack against Viasat, but had not formally “attributed” the incident to Russia. While U.S. officials reached their conclusions long ago, they wanted European nations to take the lead, since the attack had significant reverberations in Europe but not in the United States.
The statements released Tuesday stopped short of naming a particular Russian-sponsored hacking group for orchestrating the attack, an unusual omission as the United States has routinely revealed information about the specific intelligence services responsible for attacks, in part to demonstrate its visibility into the Russian government.
“We have and will continue to work closely with relevant law enforcement and governmental authorities as part of the ongoing investigation,” said Dan Bleier, a spokesman for Viasat. Mandiant, the cybersecurity firm hired by Viasat to investigate the matter, declined to comment on its findings.
But researchers at the cybersecurity firm SentinelOne believed that the Viasat hack was likely the work of the G.R.U., Russia’s military intelligence unit. The malware used in the attack, known as AcidRain, shared significant similarities with other malware previously used by the G.R.U., SentinelOne researchers said.
Unlike its predecessor malware, which is known as VPNFilter and was built to destroy specific computer systems, AcidRain was created as a multipurpose tool that could easily be used against a wide variety of targets, researchers said. In 2018, the Justice Department and the Federal Bureau of Investigation said that Russia’s G.R.U. was responsible for creating the VPNFilter malware.
The AcidRain malware is “a very generic solution, in the scariest sense of the word,” said Juan Andres Guerrero-Saade, a principal threat researcher at SentinelOne. “They can take this tomorrow and, if they want to do a supply chain attack against routers or modems in the U.S., AcidRain would work.”
U.S. officials have warned that Russia could carry out a cyberattack against U.S. critical infrastructure and have urged companies to strengthen their online defenses. The U.S. has also aided Ukraine in detecting and responding to Russian cyberattacks, the State Department said.
“As nations committed to upholding the rules-based international order in cyberspace, the United States and its allies and partners are taking steps to defend against Russia’s irresponsible actions,” said Secretary of State Antony J. Blinken, noting that the United States was providing satellite phones, data terminals and other connectivity equipment to Ukrainian government officials and critical infrastructure operators.
The United Kingdom said it would also continue to help Ukraine fend off cyberattacks. “We will continue to call out Russia’s malign behavior and unprovoked aggression across land, sea and cyberspace, and ensure it faces severe consequences,” said Liz Truss, the British foreign secretary.
“All the countries should unite their efforts to stop the aggressor, to make it impossible for them to keep attacking and be held responsible for their actions,” a spokesperson for Ukraine’s security and intelligence service said in a statement about the attribution of the Viasat hack to Russia. “Only sanctions, coordinated activity, awareness of public institutions, businesses and citizens can help us reach this goal and truly achieve peace in the cyberspace.”