Defending KA-SAT: The detailed story of the response, how it was analyzed, and what was learned

Presented at DEF CON 31 (2023), Aug. 11, 2023, 11 a.m. (45 minutes).

In February 2022, the Viasat owned KA-SAT network experienced a significant cyberattack that resulted in a partial outage of services for thousands of users in Ukraine and tens of thousands of users in other parts of Europe. This presentation will provide detailed background on the attack, which involved the deployment of malware against terminals on the network, as well as several distinct network-based attacks that appeared focused on further denying connectivity to KA-SAT users. These network-based attacks needed to be characterized and responded to by Viasat’s operational teams in real-time, and the attacks continued with intensity for many weeks after the original malware incident. Viasat will share the story of how it responded and performed a rapid forensic on several impacted terminals to determine within 36 hours that the terminal flash memory had been overwritten with a distinctive pattern in the attack. This presentation will explain details around the forensic analysis as well as the process of reverse engineering the malicious toolkit to verify it would produce the observed flash memory effects. Viasat will also share technical details of over-the-air network attacks that were used to attack the KA-SAT network.

Presenters:

  • Mark Colaluca - Vice President and Chief Information Security Officer (CISO) at Viasat
    Mark Colaluca is Vice President & Chief Information Security Officer for Viasat, a global satellite communications service provider. Mark is responsible for Viasat’s corporate information security program, as well as infrastructure and security engineering for Viasat’s enterprise networks serving customers across government, commercial and residential markets. During Mark’s tenure at Viasat, he has held various engineering, architecture, and leadership roles within the organization, including the design, development, and delivery of the ground system infrastructure for Viasat’s first and second generation satellite networks. Mark has also led Viasat’s engagement with the private sector and government security communities, which includes facilitating active information sharing with these partners. Prior to joining Viasat, Mark provided security and network architecture consulting to several Fortune 50 firms as a member of KPMG, and held network and security engineering roles with Texas Instruments and Raytheon. Mark is a graduate of the University of Texas at Austin with a bachelor’s degree in Electrical & Computer Engineering, and is the joint U.S. Patent holder for an advanced method of providing layer-2 network services through a non-routed ground segment network.
  • Nick Saunders - Chief Cybersecurity and Data Officer at Viasat
    Nick Saunders serves as the Chief Cybersecurity and Data Officer for Government Systems at Viasat. He is responsible for ensuring the security for government users of Viasat’s global networks. Nick leads teams focused on the development of novel cybersecurity analytics techniques, maintaining compliance across Viasat’s global networks, performing active cybersecurity defense, red team activities, forensics, cyber threat intelligence, and other cybersecurity-related functions. Nick has 15 years of experience leading and advancing technology focused on cybersecurity, information assurance, embedded systems, bootloaders, operating systems, space systems architecture, critical infrastructure, and multiple communications-focused disciplines. He has been published in IEEE and presented at multiple technical conferences (IEEE, SANS). Nick has presented cybersecurity briefings for USMC, USAF, Space Command, and multiple other USG departments. Nick also works to champion and improve data practices across Government systems by advancing AI/ML initiatives and product capabilities. Nick is a graduate of Virginia Tech and holds degree in Computer Engineering.

Links:

Similar Presentations: