By Dain Oh, The Readable
Aug. 11, 2023 10:00PM GMT-7
Las Vegas, NV ― Black Hat ― Forging a partnership between commercial and government entities proves to be pivotal in establishing an effective incident response process, as emphasized by the key players who collaborated to mitigate the unprecedented satellite sabotage that targeted Ukraine in 2022.
During the 26th Black Hat USA event on Thursday, Mark Colaluca, Vice President and Chief Information Security Officer at Viasat, shed light on a common oversight. “For many organizations, incident response is the most neglected muscle group,” Colaluca stated. He also offered insights into the cyberattacks against KA-SAT and expanded on the intricate dynamics at play, explaining, “Most of what we experienced was a complicated ecosystem which involved distributors, salespeople, and satellite people on servers, with many of these people being in different countries and facing a language barrier, making for a chaotic scene in the beginning.”
In February 2022, the KA-SAT network, launched in December 2010 by Viasat for broadband and satellite televisions, fell victim to a significant cyberattack. The attack had severe repercussions, causing power outages for thousands of Ukrainians and tens of thousands more in various parts of Europe. This sustained assault endured for weeks following the initial malware infection, prompting an operational team at Viasat to engage in real-time response efforts. The team swiftly conducted forensics on affected terminals, which are crucial junctures where satellite telecommunications signals reach end-users. Within a mere day and a half, the team determined that “the terminal flash memory had been overwritten with a distinctive pattern in the attack.”
“When we began our incident response process, the good part was that we could exercise the muscle memory developed by the whole group, and everyone knew exactly how to engage and what they would be looking for,” recalled Colaluca.
The executive highlighted another crucial lesson learned by Viasat: the significance of information sharing, particularly with governmental agencies and the intelligence community. Viasat had already integrated information sharing into its incident response protocol. Well before the KA-SAT incident, Viasat had forged a solid partnership with the National Security Agency’s Cybersecurity Collaboration Center (CCC). This collaboration played a pivotal role in allowing the Viasat team to “discuss new information and analysis as it came in,” accelerating interagency communication and ultimately helping to mitigate the extent of the damage caused.
The NSA also benefitted from the information shared by the satellite company. Armed with the insights and data supplied by Viasat, the intelligence agency rapidly initiated its investigative process, drawing in its technical experts from the very outset. Through independent analysis, the NSA’s investigators confidently established correlations to threat actors. This process eventually led to a more profound understanding of the cyberattacks.
“We talk a lot with our partners about there not being a ‘cyber 911’,” shared Kristina Walter, who was the director of the NSA’s CCC during the KA-SAT incident and currently holds the position of chief of Defense Industrial Base (DIB) Cybersecurity at the NSA. She elaborated on the valuable takeaways from the previous year’s experience. “If something happens, we would like to tell you to call the partner you are comfortable with. You must have an established relationship. You can’t search for trust in a crisis,” stressed Walter.
The quotes in this article were condensed and edited for clarity.
Dain Oh is a distinguished journalist based in South Korea, recognized for her exceptional contributions to the field. As the founder and editor-in-chief of The Readable, she has demonstrated her expertise in leading media outlets to success. Prior to establishing The Readable, Dain was a journalist for The Electronic Times, a prestigious IT newspaper in Korea. During her tenure, she extensively covered the cybersecurity industry, delivering groundbreaking reports. Her work included exclusive stories, such as the revelation of incident response information sharing by the National Intelligence Service. These accomplishments led to her receiving the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology, a well-deserved accolade bestowed upon her through a unanimous decision. Dain has been invited to speak at several global conferences, including the APEC Women in STEM Principles and Actions, which was funded by the U.S. State Department. Additionally, she is an active member of the Asian American Journalists Association, further exhibiting her commitment to journalism.