Case Study
Viasat
June 2022
Overview
On February 24th, 2022, the day of Russia’s invasion into Ukraine, a cyberattack disrupted broadband satellite internet access. This attack disabled modems that communicate with Viasat Inc's KA-SAT satellite network, which supplies internet access to tens of thousands of people in Ukraine and Europe. Researchers from SentinelLabs believe that the attack was the result of a new strain of wiper malware called “AcidRain” that was designed to remotely erase vulnerable modems and routers. [1] [2] Viasat agreed with this assessment, and in a later statement said they believed the purpose of the attack was to interrupt service rather than to access data or systems. The United State's assessed “...that Russia launched cyber attacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries.” [3]
Impact
As the attack impacted telecommunications systems, it did not just have the potential to threaten government or military objects, but rather it also impacted the civilian population and civilian objects both in Ukraine and beyond when they experienced a loss of internet access and possible disruptions to systems in the energy sector. Some reported that their internet access was offline for more than two weeks. The attack on Viasat also impacted a major German energy company who lost remote monitoring access to over 5,800 wind turbines, and in France nearly 9,000 subscribers of a satellite internet service provider experienced an internet outage. In addition, around a third of 40,000 subscribers of another satellite internet service provider in Europe (Germany, France, Hungary, Greece, Italy, Poland) were affected. Overall, this attack impacted several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe.
| Impact Overview | |||
|---|---|---|---|
| Contextual Indicators | Geographical Impact | ✔ |
|
| Societal Impact | ✔ |
| |
| Case-specific Indicators | Operational Impact | ✔ |
|
| Human Impact | ✔ |
| |
| Legal Impact | ✘ | ||
Attribution
A first technical attribution was conducted and publicly disclosed by SentinelLabs at the end of March 2022, as they found that AcidRain presented developmental similarities with a 2018 VPNFilter campaign previously attributed to the Russian government. [4]
Months later, on May 10, the EU and the Five Eyes governments consisting of the United States, United Kingdom, Australia, New Zealand, and Canada, released public statements attributing AcidRain to the Russian military intelligence (GRU) and linking it to multiple families of destructive wiper malware, including WhisperGate, targeted on the Ukrainian government and private sector networks. Further specific national statements aligning with this attribution were made by the ministries of foreign affairs of Estonia, Denmark, Ireland, the Netherlands, Norway, Austria, Germany, Czechia, Italy, Finland, Romania, Poland, and France. This consistent response by many governments is an important step in the practice of political attribution of cyberattacks and greatly contributes to the development of states’ practice in this sense.
In addition, many of the statements presented references and allegations to Russia’s violations of the normative framework for responsible state behavior in cyberspace, as established through the consensus reports of the UN Group of Governmental Experts (UNGGE) and reaffirmed by the previous Open Ended Working Group (OEWG). According to these semi-collective attributions, both the targeting of critical infrastructures and the spillover effects on civilians not being directly involved in the conflict are undermining the rules-based international order. Thus, the public statements that followed the Viasat cyberattack contribute to a certain extent to improve the understanding of states’ view on how international law and the UN normative framework applies to cyberspace.
| Attribution Information | Information Available | Details |
|---|---|---|
| Public attribution made for this cyberattack | ✔ | The European Union and its Member States, the UK, and the USA have politically attributed this attack to the Russian Federation. [5] [6] [7] |
| Nation state actor attributed to perpetrating the cyberattack | ✔ | Russian Federation - specifically the Russian foreign military intelligence agency (GRU) |
| Non-state actor attributed to perpetrating the cyberattack | ✘ |
Applicable Governance Documents
When an attack like this occurs, it is natural to quickly think about justice. What can be done to hold the perpetrator to account? What kind of remedy or reparation can victims fight for? Below is a table that summarizes the domestic, regional, and international laws that have either already been applied or could be applied to this case. It must be noted that the application of some of these legal tools, in particular international law, depends on who the perpetrator is. In this case, the attack has been attributed to a nation state actor, and could therefore trigger action under international law.
| Legal Instruments | |||
|---|---|---|---|
| Law/Tool | Title | Scope | Applied |
| Domestic Law | Constitution | This Constitution, as the Fundamental Law of Ukraine, expresses the sovereign will of the people, based on the centuries-old history of Ukrainian state-building and on the right to self-determination realized by the Ukrainian nation, all the Ukrainian people, and provides for the guarantee of human rights and freedoms and of the worthy conditions of human life. | ✘ |
| Domestic Law | Criminal Code of Ukraine - Cybercrime Law | This Law defines the legal and organizational basis for the protection of vital interests of man and citizen, society and state, national interests of Ukraine in cyberspace, the main objectives, directions and principles of state policy in cybersecurity, powers of state bodies, enterprises, institutions, organizations, individuals and citizens in this area, the basic principles of coordination of their activities to ensure cybersecurity. | ✘ |
| Domestic Law | Law of Ukraine About Electronic Communications | The Law determines the legal and organizational basis of state policy in spheres of electronic communications and radio-frequency range, and also rights, obligations and responsibilities of physical persons and legal entities which participate in the related activity or use electronic communication services. | ✘ |
| Domestic Law | Law of Ukraine On the Basic Principles of Cybersecurity in Ukraine | This Law defines the legal and organizational basis for the protection of vital interests of man and citizen, society and state, national interests of Ukraine in cyberspace, the main objectives, directions and principles of state policy in cybersecurity, powers of state bodies, enterprises, institutions, organizations, individuals and citizens in this area, the basic principles of coordination of their activities to ensure cybersecurity. | ✘ |
| Domestic Law | Procedure of the Functioning of the National Telecommunication Network | This Procedure determines the mechanism of functioning, purpose, subjects and objects of the National Telecommunication Network. | ✘ |
| International Law | Principle of Due Diligence | A State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences, for other States. | ✘ The application of this principle is dependent on who is found responsible for the attack. In this case, if the group was not working for the state, then the state would have the obligation to try and stop the operation from happening. |
| International Law | Principle of Sovereignty | The principle of State sovereignty applies in cyberspace. This Rule recognises that various aspects of cyberspace and State cyber operations are not beyond the reach of the principle of sovereignty. In particular, States enjoy sovereignty over any cyber infrastructure located on their territory and activities associated with that cyber infrastructure. | ✘ The application of this principle is dependent on who is found responsible for the breach, and if they are a state actor or working under the direction of a state. |
| International Law | Principle of Non Intervention | A State may not intervene, including by cyber means, in the internal or external affairs of another State. | ✘ The application of this principle is dependent on who is found responsible for the breach, and if they are a state actor or working under the direction of a state. |
| International Law | Prohibition of the Use of Force | The International Court of Justice has stated that Articles 2(4) (Rules 68–70) and 51 (Rule 71–5) of the United Nations Charter, regarding the prohibition of the use of force and self-defense respectively, apply to ‘any use of force, regardless of the weapons employed’. | ✘ The application of this principle is dependent on who is found responsible for the breach, and if they are a state actor or working under the direction of a state. |
In addition to the legal tools available, there are other relevant agreements and obligations that should be taken into consideration. These documents, such as UN agreements, cyber strategies and multistakeholder efforts, help provide a better sense of the context in which this attack occurred. Independent evaluation of these documents in relation to this case can also help to understand what tools exist, and what needs to be strengthened to better protect citizens in Ukraine. Please note that this is a summary.
| Governance Documents - Treaties, Commitments, Policies, etc | ||
|---|---|---|
| Document | UKRAINE | Note |
| Cyber Security Strategy | ✔ | National Policy |
| Implementation Plan for the Cyber Security Strategy | ✔ | National Policy |
| Signatory to and/or Ratification of the Budapest Convention | ✔✔ | Multilateral Treaty |
| UN Resolution 73/266 - Advancing responsible State behavior in cyberspace in the context of international security | ✔ | Multilateral Commitment |
| Supporter of the Paris Call for Trust and Security in Cyberspace | ✘ | Multilateral Commitment |
| Freedom Online Coalition - Human Rights Impact of Cybersecurity Laws, Practices and Policies | ✘ | Multilateral Commitment |
| Initial Set of OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming From the Use of Information and Communication Technologies | ✔ | Multilateral Commitment |
| UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security Report 2015 | ✔ | Multilateral Commitment |
| Final Substantive Report of the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security (2021) | ✔ | Multilateral Commitment |
| Member or Partner to the GFCE Global Agenda for Cyber Capacity Building | ✔ | Multilateral Commitment |