Las Vegas, NV ― Black Hat ― Forging a partnership between commercial and government entities proves to be pivotal in establishing an effective incident response process, as emphasized by the key players who collaborated to mitigate the unprecedented satellite sabotage that targeted Ukraine in 2022.
During the 26th Black Hat USA event on Thursday, Mark Colaluca, Vice President and Chief Information Security Officer at Viasat, shed light on a common oversight. “For many organizations, incident response is the most neglected muscle group,” Colaluca stated. He also offered insights into the cyberattacks against KA-SAT and expanded on the intricate dynamics at play, explaining, “Most of what we experienced was a complicated ecosystem which involved distributors, salespeople, and satellite people on servers, with many of these people being in different countries and facing a language barrier, making for a chaotic scene in the beginning.”
In February 2022, the KA-SAT network, launched in December 2010 by Viasat for broadband and satellite televisions, fell victim to a significant cyberattack. The attack had severe repercussions, causing power outages for thousands of Ukrainians and tens of thousands more in various parts of Europe. This sustained assault endured for weeks following the initial malware infection, prompting an operational team at Viasat to engage in real-time response efforts. The team swiftly conducted forensics on affected terminals, which are crucial junctures where satellite telecommunications signals reach end-users. Within a mere day and a half, the team determined that “the terminal flash memory had been overwritten with a distinctive pattern in the attack.”
“When we began our incident response process, the good part was that we could exercise the muscle memory developed by the whole group, and everyone knew exactly how to engage and what they would be looking for,” recalled Colaluca.
The executive highlighted another crucial lesson learned by Viasat which centered around the significance of information sharing, particularly with governmental agencies and the intelligence community. As part of Viasat’s incident response protocol, they had already integrated information sharing into their strategy. Well before the KA-SAT incident, Viasat had forged a solid partnership with the National Security Agency’s Cybersecurity Collaboration Center (CCC). This collaboration played a pivotal role in allowing the Viasat team to “discuss new information and analysis as it came in,” accelerating interagency communication and ultimately helping to mitigate the extent of the damage caused.
The NSA also benefitted from the valuable information shared by the satellite company. Armed with the insights and data supplied by Viasat, the intelligence agency rapidly initiated their investigative process, drawing in their technical experts from the very outset. Through independent analysis, the NSA’s investigators skillfully established correlations to threat actors with confidence. This process eventually led to a more profound understanding of the cyberattacks.
“We talk a lot with our partners about there not being a ‘cyber 911’,” shared Kristina Walter, who was the former director of the NSA’s CCC during the KA-SAT incident and currently holds the position of chief of Defense Industrial Base (DIB) Cybersecurity at the NSA. She elaborated on the valuable takeaways from the previous year’s experience. “If something happens, we would like to tell you to call the partner you are comfortable with. You must have an established relationship. You can’t search for trust in a crisis,” stressed Walter.
The quotes in this article were condensed and edited for clarity.
