Three Years Post KA-SAT Attack, Viasat Exec Talks Lessons Learned on Cybersecurity Posture

Photo: NASA
Viasat continues to be in the news when it comes to cybersecurity. Last month, the company confirmed a report of “unauthorized access” after Bloomberg reported the company was one of the victims in the Salt Typhoon hack against telecommunications providers.
Space Security Sentinel (S3) recently interviewed Phil Mar, VP/CTO of Engineering for Viasat Government, about the company’s cybersecurity posture. This interview was conducted before the reports of Viasat being impacted by Salt Typhoon, so there are no extra details related to this. However, it offers insight into how the operator is adapting its strategy to emerging cyber threats, three years after the attack on the KA-SAT ground network.
After the Salt Typhoon report, Viasat said in a statement the operator and a third-party cybersecurity partner investigated a report of unauthorized access through a compromised device. “No evidence was found to suggest any impact to customers,” Viasat said.
The Salt Typhoon hack last year involved Chinese state-sponsored hackers infiltrating U.S. telecommunications companies, including internet service providers. Viasat said it is engaged with government partners in its investigation and not able to provide more details at this point. “Viasat believes that the incident has been remediated and has not detected any recent activity related to this event,” the company said.
Mar told S3 that threats are continuing to evolve and change, both in terms of the sophistication of attacks and the overall strategies and methods being used. Adversary capabilities are becoming more advanced, but more traditional cyberattack methods are still being used as well, he said.
Mar described Viasat’s approach as pursuing security by design, meaning it continuously evaluates the network technologies and solutions it uses and deploys through the lens of how they fit together to achieve a secure systems design.
“As we continue to face attackers and see new attack methods or strategies, we’re not only able to continue exercising or practicing our cybersecurity response capabilities but we’re also able to use the insights from our experience. The ability of our security team to engage as active cybersecurity practitioners across our networks is also what allows us to continue to enhance our secure by design foundation, effectively improving network hygiene to protect against the latest attacks,” Mar says.
AI and New Cyber Threats
While AI is playing an increasing role across the technology landscape, Mar says there is no evidence that attacks on Viasat’s network have used generative AI at this point. He says AI is likely used by adversaries to identify security issues and vulnerabilities.
“An attacker could use AI tools to conduct an analysis of the target network to identify or uncover potential vulnerabilities and potentially understand how effective or ineffective different attack methods are likely to perform against that network,” he says.
From a cybersecurity standpoint, Mar believes AI will impact both attackers and defenders. He says attackers will still have an asymmetric advantage in that they often only need to find one way in, while defenders will have to defend against all methods of attack.
“AI does not change this but instead speeds up the pace of both sides with this same challenging asymmetry. For an attacker, AI could be used to identify vulnerabilities and serve as a faster roadmap for outlining an attack strategy,” he says.
One notable challenge Mar sees is the rapid increase of AI features in software tools. “While these tools can certainly be helpful, users can unknowingly exercise AI features that cause sensitive data to be stored in less than secure cloud infrastructure. Some of the sensitive data could even include discussion of a network architecture’s potential vulnerabilities. Sophisticated adversaries can intrude such cloud infrastructure to learn about those vulnerabilities,” he says.
Viasat continues to see different attack methods, but Mar says that recognizing the trends in adversary strategies is just as important.
“We’ve seen cyber attackers going through certain types of tactics and our cyber operations team is now able to recognize many attacks as part of a pattern in a bigger, sometimes longer-term strategy we’ve seen before, then we’re able to use that insight to reinforce our network defenses,” he says. “When an adversary shows their hand, we have seen their strategy and multiple tactics behind them. As we’ve seen this occur with more frequency, we have increased our ability to recognize those strategies and, in turn, our ability to effectively counter and mitigate those tactics.”
Mar says as a result of this, those adversaries can no longer use those longer-term strategies because Viasat has taken control by implementing the procedures and network mitigations to counter those things. “Also, it’s likely because of our ability to counter and mitigate the effectiveness of these cyber-attacks that we’re also seeing adversaries revert to more ad-hoc, brute force approaches to disruption, such as engaging in RF interference or jamming attacks. These types of attacks require different mitigations, and our team has effectively mitigated these efforts,” he adds.
In terms of a concern going forward, Mar highlights false attribution — where adversaries frame other adversaries for harm.
“We’ve already heard speculation that this has occurred in certain cases, but with all of the interest and news coverage around cyber attacks, it can be very difficult to confidently attribute with ground truth,” he says. “I suspect we will likely see increasingly more ambiguity around attribution in the future.”
Three Years Post KA-SAT Attack
Of course, the recent news regarding Viasat and Salt Typhoon is not the first time the company has made news in cybersecurity. In 2022, Viasat was famously the subject of a targeted denial of service attack on the KA-SAT satellite network in Europe just ahead of Russia’s invasion of Ukraine. Mar says that the main lessons Viasat identified from the KA-SAT event weren’t all technical. One of the first lessons learned was that organizations need to practice incident response and to go beyond technical simulations and table-top exercises.
“Incident response tends to be a neglected area of preparedness, often only including a smaller technical team and not incorporating the other departments/parts of the organization that would truly be involved in a holistic response situation. Ideally, simulations should be designed to engage all relevant stakeholders, allowing for a shared understanding of roles, responsibilities, and communication protocols for every part of an organization’s response effort,” he adds.
The attack also showed the importance of information-sharing with the U.S. Department of Defense, intelligence and global government agencies and industry groups like the Commercial Integration Cell, National Defense ISAC and the Space ISAC, as well as the importance of actively maintaining network security hygiene. Having the foundational security hygiene in place is a way of forcing adversaries to seek out and be able to execute something more sophisticated, he admits.
After the KA-SAT attack, the most significant change Viasat made was taking full network operations control from the third-party partner that was operating the network at the time under a transition agreement. This shift to take control of network operations has allowed Viasat to directly implement several updated security protocols/applications that are now in place.
Viasat also strengthened segmentation on the network. The network already had segmentation among users, but it has identified ways to reinforce the segmented structure to enhance protection, especially for government services.
“Another significant thing we did was replace the entire network ground segment – as that was a key area of vulnerability that allowed the adversary to gain access to the network. We’ve also taken additional measures to implement stronger controls/restrictions to safeguard administrative access to the modem management areas of the network,” adds Mar.