Together with a representative from the NSA, California-based satellite broadband provider Viasat took to the stage at Black Hat to announce new details about a cyberattack that targeted its systems in February of last year. The company confirmed what many suspected, that it was indeed a coordinated, multi-faceted assault carried out by state-sponsored Russian actors.
The attack was clearly intended to degrade the ability of Ukraine’s government and military to communicate on the eve of the Russian invasion. Malicious actors deployed wiper malware and DDoS tactics in two distinct waves, the company said. An estimated 40,000 to 45,000 internet modems were disabled by the first attack, causing “huge losses in communications,” according to one high-ranking Ukrainian official.
Instead of dismissing this as an act of war between belligerents on the far side of the globe, we must recognize that this was an attack on a U.S.-based critical infrastructure provider and consider the implications for our national security. There are lessons to be learned concerning existing vulnerabilities, the need to trade in legacy approaches to cyber defense, and the importance of mounting a coordinated response. We must master these lessons quickly to prevent an even more devastating event.
Legacy security tools paired with a legacy security approach
The primary attack vector in the Viasat hack will be familiar to anyone who’s studied the Colonial Pipeline or SolarWinds incidents. Threat actors targeted a VPN belonging to a third party in Turin, Italy, and were eventually able to use it to gain access to Viasat's network. From there, the attackers conducted reconnaissance on servers connected to the network before spreading laterally to another server that allowed them to push the malware as an update to tens of thousands of servers, knocking them offline.
This familiar pattern – discovering a third-party VPN via the open internet, compromising it to gain widespread network access, spreading laterally to find high-value targets, and then maximizing the damage inflicted – forms the essential argument in favor of zero trust architecture.
Rather than exposing assets to the open internet where they can be found, probed for weaknesses, and ultimately compromised, a zero-trust approach masks assets behind a security cloud where they can’t be discovered by potential adversaries. Rather than allowing attackers to roam networks in search of the crown jewels, a zero trust approach connects users to applications and nothing more.
Zero trust frameworks also inhibit potentially devastating supply-chain attacks. Zscaler’s 2023 VPN Risk Report confirms that 90% of enterprise security leaders are rightly worried about VPNs enabling third-party compromise. These fears were realized in the Viasat attack.
Unfortunately, the study also found that 97% of respondents know that VPNs are prone to attack, and yet the majority still use them. This is simply unacceptable in the realm of critical infrastructure. There's too much at stake to roll the dice so brazenly. This technology should be retired as quickly as possible.
Pointing both public and private in the right direction
Even the method by which these additional details about the Viasat hack came to light – jointly presented onstage by a business leader and a representative of a famously shadowy intelligence agency at one of the world’s most popular security conferences – is progress. It helps to build trust and undercuts frequent complaints about overclassification, one-way communication, or a lack of actionable intelligence.
The Biden Administration has made defending critical infrastructure the first core pillar of its National Cybersecurity Strategy, reflecting the importance of the issue at the highest levels of the U.S. federal government. Rightly, two strategic objectives supporting this pillar are increased cooperation between the public and private sectors as well as an overhaul of federal incident response plans and procedures.
"Defending critical infrastructure against adversarial activity and other threats requires a model of cyber defense that emulates the distributed structure of the Internet," the document reads, continuing that it intends to create a "network of networks" for supporting critical infrastructure defense.
Government agencies have already begun assembling elements of these networks with entities like the JCDC and Cyber Command’s Under Advisement program. That CISA, the agency ultimately responsible for ensuring the cybersecurity of our critical infrastructure, works with infrastructure owners and operators to cover the 16 sectors of critical infrastructure is another encouraging sign of collaboration. In the Viasat hack, it was the NSA that coordinated responses to other federal agencies seeking information and provided guidance to other satellite communications operators.
But to prevent these types of attacks from continuing to happen, these efforts must be backed by intensive education on the shortcomings of legacy solutions like VPNs and the superiority of the zero trust approach. The Biden Administration’s executive order on zero trust is a good start, but zero trust messaging must be honed for the private sector.
I’m happy to have the opportunity to discuss issues of critical infrastructure cybersecurity with Federal CISO & Deputy National Cyber Director Chris DeRusha, alongside Zscaler’s Kavitha Mariappan, at an upcoming panel that will be live-streamed on LinkedIn. If you, like me, believe this to be an issue of the utmost importance, I hope you can tune in.
Sign up to join the Executive Connect Critical Infrastructure | Industry Brief via LinkedIn Live.