Home

Case Study

Viasat

June 2022

Overview

On February 24th, 2022, the day of Russia’s invasion into Ukraine, a cyberattack disrupted broadband satellite internet access. This attack disabled modems that communicate with Viasat Inc's KA-SAT satellite network, which supplies internet access to tens of thousands of people in Ukraine and Europe. Researchers from SentinelLabs believe that the attack was the result of a new strain of wiper malware called “AcidRain” that was designed to remotely erase vulnerable modems and routers. [1] [2] Viasat agreed with this assessment, and in a later statement said they believed the purpose of the attack was to interrupt service rather than to access data or systems. The United State's assessed “...that Russia launched cyber attacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries.” [3]

To find out more about attacks on telecommunication service providersClick here

Impact

As the attack impacted telecommunications systems, it did not just have the potential to threaten government or military objects, but rather it also impacted the civilian population and civilian objects both in Ukraine and beyond when they experienced a loss of internet access and possible disruptions to systems in the energy sector. Some reported that their internet access was offline for more than two weeks. The attack on Viasat also impacted a major German energy company who lost remote monitoring access to over 5,800 wind turbines, and in France nearly 9,000 subscribers of a satellite internet service provider experienced an internet outage. In addition, around a third of 40,000 subscribers of another satellite internet service provider in Europe (Germany, France, Hungary, Greece, Italy, Poland) were affected. Overall, this attack impacted several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe.

Impact Overview
Contextual IndicatorsGeographical Impact
  • Satellite providers in Ukraine and across Europe were impacted
Societal Impact
  • Civilians experienced internet outages and disruptions to energy systems
Case-specific IndicatorsOperational Impact
  • The recovery time varied, though some were without internet for two weeks
Human Impact
  • Primarily, the attack impacted the Ukrainian civilian population as they were not able to access reliable information from the government during the conflict.
  • Secondarily, civilians in other EU countries experienced internet outage due to the spillover effect of the attack outside of the conflict zone.
Legal Impact

Attribution

A first technical attribution was conducted and publicly disclosed by SentinelLabs at the end of March 2022, as they found that AcidRain presented developmental similarities with a 2018 VPNFilter campaign previously attributed to the Russian government. [4]

Months later, on May 10, the EU and the Five Eyes governments consisting of the United States, United Kingdom, Australia, New Zealand, and Canada, released public statements attributing AcidRain to the Russian military intelligence (GRU) and linking it to multiple families of destructive wiper malware, including WhisperGate, targeted on the Ukrainian government and private sector networks. Further specific national statements aligning with this attribution were made by the ministries of foreign affairs of Estonia, Denmark, Ireland, the Netherlands, Norway, Austria, Germany, the Czech Republic, Italy, Finland, Romania, Poland, and France. This consistent response by many governments is an important step in the practice of political attribution of cyberattacks and greatly contributes to the development of states’ practice in this sense.

In addition, many of the statements presented references and allegations to Russia’s violations of the normative framework for responsible state behavior in cyberspace, as established through the consensus reports of the UN Group of Governmental Experts (UNGGE) and reaffirmed by the previous Open Ended Working Group (OEWG). According to these semi-collective attributions, both the targeting of critical infrastructures and the spillover effects on civilians not being directly involved in the conflict are undermining the rules-based international order. Thus, the public statements that followed the Viasat cyberattack contribute to a certain extent to improve the understanding of states’ view on how international law and the UN normative framework applies to cyberspace.

Attribution InformationInformation AvailableDetails
Public attribution made for this cyberattackThe European Union and its Member States, the UK, and the USA have politically attributed this attack to the Russian Federation. [5] [6] [7]
Nation state actor attributed to perpetrating the cyberattackRussian Federation - specifically the Russian foreign military intelligence agency (GRU)
Non-state actor attributed to perpetrating the cyberattack

Applicable Governance Documents

When an attack like this occurs, it is natural to quickly think about justice. What can be done to hold the perpetrator to account? What kind of remedy or reparation can victims fight for? Below is a table that summarizes the domestic, regional, and international laws that have either already been applied or could be applied to this case. It must be noted that the application of some of these legal tools, in particular international law, depends on who the perpetrator is. In this case, the attack has been attributed to a nation state actor, and could therefore trigger action under international law.

Legal Instruments
Law/ToolTitleScopeApplied
Domestic LawConstitutionThis Constitution, as the Fundamental Law of Ukraine, expresses the sovereign will of the people, based on the centuries-old history of Ukrainian state-building and on the right to self-determination realized by the Ukrainian nation, all the Ukrainian people, and provides for the guarantee of human rights and freedoms and of the worthy conditions of human life.
Domestic LawCriminal Code of Ukraine - Cybercrime LawThis Law defines the legal and organizational basis for the protection of vital interests of man and citizen, society and state, national interests of Ukraine in cyberspace, the main objectives, directions and principles of state policy in cybersecurity, powers of state bodies, enterprises, institutions, organizations, individuals and citizens in this area, the basic principles of coordination of their activities to ensure cybersecurity.
Domestic LawLaw of Ukraine About Electronic CommunicationsThe Law determines the legal and organizational basis of state policy in spheres of electronic communications and radio-frequency range, and also rights, obligations and responsibilities of physical persons and legal entities which participate in the related activity or use electronic communication services.
Domestic LawLaw of Ukraine On the Basic Principles of Cybersecurity in UkraineThis Law defines the legal and organizational basis for the protection of vital interests of man and citizen, society and state, national interests of Ukraine in cyberspace, the main objectives, directions and principles of state policy in cybersecurity, powers of state bodies, enterprises, institutions, organizations, individuals and citizens in this area, the basic principles of coordination of their activities to ensure cybersecurity.
Domestic LawProcedure of the Functioning of the National Telecommunication NetworkThis Procedure determines the mechanism of functioning, purpose, subjects and objects of the National Telecommunication Network.
International LawPrinciple of Due DiligenceA State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences, for other States.
The application of this principle is dependent on who is found responsible for the attack. In this case, if the group was not working for the state, then the state would have the obligation to try and stop the operation from happening.
International LawPrinciple of SovereigntyThe principle of State sovereignty applies in cyberspace. This Rule recognises that various aspects of cyberspace and State cyber operations are not beyond the reach of the principle of sovereignty. In particular, States enjoy sovereignty over any cyber infrastructure located on their territory and activities associated with that cyber infrastructure.
The application of this principle is dependent on who is found responsible for the breach, and if they are a state actor or working under the direction of a state.
International LawPrinciple of Non InterventionA State may not intervene, including by cyber means, in the internal or external affairs of another State.
The application of this principle is dependent on who is found responsible for the breach, and if they are a state actor or working under the direction of a state.
International LawProhibition of the Use of ForceThe International Court of Justice has stated that Articles 2(4) (Rules 68–70) and 51 (Rule 71–5) of the United Nations Charter, regarding the prohibition of the use of force and self-defense respectively, apply to ‘any use of force, regardless of the weapons employed’.
The application of this principle is dependent on who is found responsible for the breach, and if they are a state actor or working under the direction of a state.

In addition to the legal tools available, there are other relevant agreements and obligations that should be taken into consideration. These documents, such as UN agreements, cyber strategies and multistakeholder efforts, help provide a better sense of the context in which this attack occurred. Independent evaluation of these documents in relation to this case can also help to understand what tools exist, and what needs to be strengthened to better protect citizens in Ukraine. Please note that this is a summary.

Governance Documents - Treaties, Commitments, Policies, etc
DocumentUKRAINENote
Cyber Security StrategyNational Policy
Implementation Plan for the Cyber Security StrategyNational Policy
Signatory to and/or Ratification of the Budapest Convention✔✔Multilateral Treaty
UN Resolution 73/266 - Advancing responsible State behavior in cyberspace in the context of international securityMultilateral Commitment
Supporter of the Paris Call for Trust and Security in CyberspaceMultilateral Commitment
Freedom Online Coalition - Human Rights Impact of Cybersecurity Laws, Practices and PoliciesMultilateral Commitment
Initial Set of OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming From the Use of Information and Communication TechnologiesMultilateral Commitment
UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security Report 2015Multilateral Commitment
Final Substantive Report of the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security (2021)Multilateral Commitment
Member or Partner to the GFCE Global Agenda for Cyber Capacity BuildingMultilateral Commitment
Do you want to contribute to the law and policy aspect of our work?Contact us
© CyberPeace Institute 2022. This site and its contents - text, graphics and images - are fully owned by the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva. Contents can be cited and reproduced provided that the CyberPeace Institute is referenced as author and copyright holder.