Summary
- Confirmed: Viasat reported that a cyberattack on February 24, 2022 caused a partial interruption of KA-SAT's consumer-oriented satellite broadband service. The company said the attack affected several thousand customers in Ukraine and tens of thousands of fixed-broadband customers elsewhere in Europe, while not affecting the KA-SAT satellite, satellite ground infrastructure, government mobility users or other Viasat networks. UK, EU and US statements attributed the operation to Russia.
- Technical boundary: Viasat said the attackers exploited a misconfigured VPN appliance, reached a trusted management segment, and used legitimate targeted management commands that overwrote key data in modem flash memory. SentinelOne later analyzed AcidRain as a MIPS modem and router wiper and reported that Viasat confirmed the wiper was consistent with the attack. Viasat's public overview is still not a complete forensic report: it does not publish indicators, logs, identities, full access chronology or a complete customer-impact ledger.
- Continuity record: The service loss was most visible because it began about an hour before Russia's full-scale invasion of Ukraine and because spillover affected non-Ukrainian users, including German wind-farm remote monitoring and control. The turbines themselves were not proved to be physically damaged by the cyberattack; the important continuity failure was loss of a communications dependency used for remote operation and visibility.
- Assessment: The core accountability lesson is that satellite resilience depends as much on terrestrial management access, customer segmentation, modem firmware state, replacement logistics, provider-customer trust and government dependency planning as on spacecraft survivability. Attackers controlled the destructive act; Viasat, customers, distributors and public agencies controlled different parts of prevention, blast-radius limitation, fallback planning, attribution and recovery evidence.
The satellite did not need to fail
A satellite outage sounds like a failure in orbit. The KA-SAT case points in the opposite direction. The spacecraft did not have to be physically damaged, jammed or moved for users to lose service. The more consequential failure path ran through terrestrial access, network management and customer terminals.
Viasat's public incident overview says the February 24, 2022 cyberattack caused a partial interruption of KA-SAT's consumer-oriented satellite broadband service. It affected several thousand customers in Ukraine and tens of thousands of other fixed-broadband customers across Europe. Viasat stated that there was no impact to the KA-SAT satellite itself, to satellite ground infrastructure, to Viasat's government mobility users, or to other Viasat networks. It also said it had no evidence that end-user data was accessed or compromised. (Viasat KA-SAT network cyber attack overview)
That distinction matters for accountability. A satellite network is an operating system of space, ground, management planes, terminals, distributors, customer premises, terrestrial backhaul and internet transit. If a management path can render a large number of terminals unable to attach to the network, the service can fail while the satellite remains healthy. If a customer depends on that service for remote monitoring, command traffic or wartime communications, the customer experiences a continuity failure even though the core orbital asset is still functioning.
The timing made the incident strategically visible. The UK government said the attack began approximately one hour before Russia launched its major invasion of Ukraine, that the primary target was believed to be the Ukrainian military, and that other customers including personal and commercial internet users, wind farms and central European internet users were affected. The National Cyber Security Centre assessed that it was almost certain Russia was responsible for the cyberattack impacting Viasat on February 24. (GOV.UK Viasat attribution statement)
The public record therefore supports a careful claim. This was not simply a consumer broadband outage, and it was not proof that satellites themselves are easy to destroy remotely. It was a management and terminal disruption in a commercial satellite broadband system that had public, military and cross-border consequences during the first hours of a war.
What Viasat says happened
Viasat's own account describes a two-stage operational picture. In the early hours of February 24, the company observed a high volume of targeted, malicious traffic. The traffic came from several SurfBeam2 and SurfBeam2+ modems and other customer-premises equipment physically located in Ukraine. Viasat said this denial-of-service activity made it difficult for some modems to remain online.
The more durable effect came next. As the denial-of-service traffic subsided, many modems disappeared from the network and could not reconnect. Viasat said investigation determined that the attacker had gained access to a trusted management segment of the KA-SAT network by exploiting a misconfigured VPN appliance. From that management segment, the attacker moved laterally and used legitimate, targeted management commands on many residential modems. The commands overwrote key data in modem flash memory, leaving the modems unable to access the network.
This is the key technical lesson in plain language: a trusted management function became a destruction channel. The commands did not have to look like science fiction. They were management actions, issued at scale, that changed the state of customer equipment. The result was operationally destructive even if the hardware was not permanently destroyed in every case.
Viasat also said the affected service was contained to a consumer-oriented partition of the KA-SAT network. That segmentation statement is material. If accurate, it explains why government mobility users and other Viasat networks were not affected. It also shows that segmentation is not a binary quality. Segmentation may protect some customer classes while still permitting large harm inside one partition. A consumer partition can include rural households, small businesses, distributors, public users and infrastructure-adjacent customers whose service is more important than the word "consumer" suggests.
The overview does not publish a complete forensic package. It does not identify the attackers, the exploited VPN product, the configuration error, the duration of unauthorized access, the exact number of terminals, the complete country-by-country effect, or the full recovery method for each modem class. That is not unusual for a live security incident. It does mean that independent accountability has to separate what is known from what is inferred.
The public attribution record is strong but not technically complete
Governments moved the event from suspected wartime coincidence to attributed malicious state activity. The UK, the European Union and the United States all publicly blamed Russia for cyber activity around Ukraine, including the Viasat operation. The European Council declaration said malicious cyber activity targeted the KA-SAT satellite network operated by Viasat, began roughly one hour before Russia's invasion, and caused indiscriminate communication outages and disruptions across several public authorities, businesses and users in Ukraine and other European countries. (EU Council declaration)
The US State Department attributed Russia's malicious cyber activity against Ukraine and tied the Viasat disruption to the wider invasion context. (US State Department attribution statement) The White House similarly condemned Russia's cyberattack against Ukraine and described US support for allies and partners calling out the activity. (White House statement)
Those statements are authoritative attribution records. They are not the same thing as a public technical indictment. They do not publish the complete evidence chain, access logs, intelligence sources, command infrastructure, malware samples, target lists or legal charging theory. That boundary matters because attribution can be strong enough for policy and diplomacy while still leaving operational questions unanswered for network defenders.
The useful accountability conclusion is therefore layered. Russia was publicly attributed as responsible by governments. Viasat published the operational mechanism at a high level. Independent researchers analyzed malware consistent with the modem-wiping effect. Customers and public agencies still lacked a complete public map of which dependencies failed, how service was prioritized and which users had adequate alternate paths.
AcidRain turned terminal state into service state
SentinelOne's March 2022 AcidRain analysis gave the incident a more concrete malware shape. SentinelLabs described AcidRain as an ELF MIPS malware designed to wipe modems and routers. It said the February 24 attack rendered Viasat KA-SAT modems inoperable in Ukraine and that spillover made 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control. SentinelOne also assessed developmental similarities with VPNFilter-related destructive capability, while keeping that confidence bounded. (SentinelOne AcidRain analysis)
The AcidRain account should not be promoted beyond its evidence. SentinelOne's technical analysis is not Viasat's complete incident report, and similarities with prior malware do not prove every actor or command path. The strongest use of the report is narrower: it explains how a modem-focused wiper could convert management access into mass terminal inoperability.
BleepingComputer reported that Viasat confirmed SentinelOne's analysis was consistent with the facts in its report and that the destructive executable was run on modems using a legitimate management command. (BleepingComputer AcidRain report) That public confirmation, reported through journalists, links the malware analysis to the company narrative. It still does not replace a published Viasat malware appendix, hash set or forensic timeline.
The important design point is that terminal state can become service state. Satellite broadband relies on customer-premises terminals to authenticate, receive configuration, manage beam and gateway relationships, and carry traffic. If many terminals are pushed into a state where they cannot reconnect, the provider does not merely need to restore a data center. It needs to repair, reflash, reset or replace a distributed installed base across borders.
That recovery problem is materially different from a centralized cloud outage. A cloud provider can roll back a service if the control plane and data state are intact. A satellite broadband operator whose modems have been overwritten may need field service, shipping, customer contact, distributor coordination, hardware inventory and country-specific logistics. The recovery unit is not only a server. It is a box on a roof, a farm, a government site or a rural home.
Wind farms showed hidden continuity dependence
The most cited spillover involved Enercon wind turbines in Germany. Reuters reported that a satellite outage had knocked out remote monitoring and control for thousands of Enercon wind turbines, while the turbines themselves continued operating. (Reuters Enercon report) SentinelOne repeated the figure of 5,800 wind turbines and emphasized that the turbines were not rendered inoperable; the affected function was remote monitoring and control through satellite communications.
That distinction is central. A loss of remote monitoring is not a turbine explosion. It is also not trivial. Remote visibility can support fault detection, maintenance dispatch, safety decisions, production management, warranty evidence and grid coordination. If operators must shift to manual or alternate communications, the continuity burden moves into people, field visits, slower exception handling and higher uncertainty.
This is the same pattern seen in many infrastructure incidents. The cyberattack did not need to seize physical equipment to create operational risk. It interrupted the information path through which operators supervise and manage distributed equipment. In an energy system, the ability to know what is happening can be almost as important as the ability to command it.
For accountability, wind-farm spillover raises two questions. First, did Viasat's segmentation and customer classification properly reflect infrastructure-adjacent uses of a nominally consumer or fixed-broadband service? Second, did customers using satellite broadband for operational visibility have independent fallback paths appropriate to the consequences of losing that link? The public record does not answer either question fully.
The answer will vary by customer. A home broadband user may tolerate an outage differently from a wind-farm operator, a local government office or a military-linked site. But providers and customers both need to know which class they are in before the incident. A continuity plan built after modems vanish is not the same as one tested before a wartime event.
Consumer partition did not mean low consequence
The phrase "consumer-oriented" can understate the practical importance of the affected service. Rural connectivity often serves households, farms, small businesses, municipal services, remote equipment and sometimes backup paths for operational sites. The label describes a service and network partition, not necessarily the social value of every attached endpoint.
Viasat's incident overview said government mobility users were not affected. That is an important positive boundary. It suggests that at least some high-sensitivity service classes were separated from the damaged partition. The same statement says several thousand Ukrainian customers and tens of thousands of other fixed-broadband customers across Europe were affected. In wartime, a fixed-broadband customer may still be part of public resilience if that connection is used by a local office, a responder, a media organization, a farm, a utility contractor or a small business.
This is where public-sector continuity meets private service classification. Governments and critical operators sometimes rely on commercial communications because they are available, fast to deploy or geographically practical. That dependence can be sensible. It becomes fragile when the customer buys a service as ordinary connectivity but uses it as a continuity path without matching assurance, priority, redundancy or incident notification.
The accountable design is not to ban commercial satellite use for public functions. It is to classify dependency honestly. If a public agency, energy operator or military-adjacent user relies on a fixed satellite service, the contract and architecture should identify priority restoration, backup communications, encryption, logging, incident notification, terminal replacement logistics and minimum degraded operation. Otherwise, the provider may view the customer as fixed broadband while the public experiences the outage as a public-service failure.
SATCOM is transit, not just access
Peering and transit matter here because KA-SAT was a connectivity path. For the user, satellite broadband is not just an antenna pointed at space. It is the route by which local traffic reaches a wider network. That route includes terminal, beam, gateway, provider core, management systems, terrestrial backhaul and upstream internet connectivity. Losing any one of those can make the service disappear.
The KA-SAT incident was not publicly described as a BGP route hijack, peering dispute or terrestrial transit outage. It should not be forced into that category. Its transit lesson is more practical: a communications provider's internal management plane can determine whether thousands of endpoints can participate in the network at all. Once those endpoints are inoperable, no amount of healthy upstream transit helps the customer.
CISA and FBI's SATCOM advisory, issued in March 2022 and updated in May with the US attribution, framed this as a provider and customer problem. It told SATCOM providers and customers to use secure authentication, enforce least privilege, review trust relationships, implement independent encryption, maintain patching and configuration audits, monitor logs for suspicious activity, and exercise incident response, resilience and continuity plans. (CISA AA22-076A SATCOM advisory)
The trust-relationship guidance is especially relevant. A customer often trusts a SATCOM provider to manage terminals, assign configuration and carry traffic. The provider trusts management access to alter terminal state. Distributors may sit between them. Public agencies may depend on the result. The vulnerability may therefore appear in one administrative layer while the consequence appears as unavailable transit to another organization.
NSA's VSAT communications guidance, referenced by the CISA advisory, reinforces the point that very-small-aperture terminal deployments need secure architecture, authentication, encryption, monitoring and managed exposure. (NSA VSAT communications recommendations) The KA-SAT event shows why those controls are not abstract. A remote terminal can be both a customer's internet gateway and a provider-managed device whose firmware state decides whether the customer remains connected.
The misconfigured VPN appliance deserves a governance question
Viasat identified a misconfigured VPN appliance as the access path into the trusted management segment. A misconfiguration is a technical fact, but accountability should not stop at naming the device class. The governance questions are broader.
Who owned the appliance? Who approved its exposure and access policy? Was it part of a temporary transition arrangement, a legacy environment, a managed service, a distributor path or a normal operations channel? Was multifactor authentication required? Were administrative sessions logged and reviewed? Could the appliance reach the management segment directly? Were there compensating controls around commands that affected large numbers of modems? Were destructive or mass commands rate-limited, separately approved or staged? Was there an out-of-band recovery path?
The public record does not answer those questions. Viasat's disclosure is useful precisely because it identifies the control surface without giving defenders a false sense that "VPN misconfiguration" is the entire explanation. The deeper problem is that trusted access reached a segment capable of changing customer equipment state at scale.
CISA's SATCOM advisory maps the same issue into general controls. Secure authentication, least privilege, trust-relationship review, configuration management and suspicious-login monitoring are not separate checklist items. They are layers around the same risk: a legitimate administrative path can be abused to produce illegitimate effects.
The accountable remediation would focus on mass-action safety. Management systems should distinguish ordinary maintenance from commands that can disable large fleets. They should require stronger authorization, change windows, canary groups, rollback paths, monitoring and customer segmentation for high-blast-radius actions. They should make it difficult for a compromised VPN session to become a fleet-wide terminal event.
Modem replacement made recovery physical
Viasat's overview said many affected modems required factory reset or replacement. The UK government statement went further in its public characterization, saying Viasat had said tens of thousands of terminals were damaged, made inoperable and could not be repaired. The precise repairability language depends on modem type, customer location and response method, but the important point is that recovery became physical and distributed.
Physical recovery changes both speed and equity. An urban customer with a distributor, spare inventory and technician availability may return faster than a remote user in a war zone. A public agency may receive priority over a household. A wind-farm operator may have alternate telemetry or a field crew; a small business may have neither. Hardware logistics can become the bottleneck after the network core is secured.
The public record does not publish a full replacement curve. We do not know from public sources how many terminals were reset remotely, how many were reflashed locally, how many were replaced, how customers were prioritized, or how long each country took to recover. Those are not minor details. They are the evidence that would show whether recovery burden was fairly allocated.
The distributed recovery problem is also a lesson for public agencies. If a government function depends on a satellite terminal, the continuity plan should ask how that terminal will be restored if its firmware or configuration is damaged. A backup power supply does not help a wiped modem. A spare terminal helps only if it can be provisioned through a trusted channel that survived the incident. A second provider helps only if applications, credentials and routing are ready to use it.
Disclosure was useful but incomplete
Viasat's March 2022 incident overview was more detailed than many corporate cyber statements. It identified timing, service scope, customer categories, high-level access path, management-segment abuse, terminal damage and excluded systems. It avoided implying that the satellite itself was compromised. That clarity matters because satellite incidents can easily be misunderstood.
The disclosure still had limits. It did not publish indicators of compromise, a full incident response report, a country-by-country customer count, the exact number of damaged modems, or the legal and contractual allocation of recovery costs. It did not explain whether affected users had service-level commitments, priority restoration categories or public-sector designations. It did not provide an independent audit of the segmentation claims.
That is a recurring problem in critical communications incidents. The operator can publish enough to reassure customers and governments that the core assets remain intact, but not enough for independent users to verify their own dependency risk. Customers then have to build continuity plans from partial information. Public agencies have to decide whether a private provider's assurance is enough for wartime or emergency use.
The solution is not to demand that providers publish sensitive network diagrams. It is to produce structured postincident evidence. For a satellite broadband incident, that evidence should include affected service classes, customer impact bands, management-plane control failures, terminal recovery methods, fallback communications performance, notification timing, government coordination and remedial control categories. Such reporting would help customers improve dependency planning without exposing exploitable details.
Financial materiality is not the only risk measure
Viasat's SEC filings provide important business context. Its 2022 annual report described Viasat as an end-to-end communications platform provider using high-capacity satellites, ground infrastructure and user terminals for enterprise, consumer, military and government users. It also said Viasat owned the KA-SAT satellite over EMEA and, after acquiring the remaining interest in Euro Broadband Infrastructure from Eutelsat, had 100 percent ownership and control of EBI and the KA-SAT satellite and related ground infrastructure. (Viasat fiscal 2022 Form 10-K)
That filing context is useful because it shows the integrated nature of the business. Spacecraft, ground infrastructure and user terminals are not separate public responsibilities. They are part of the provider's commercial platform. The incident exploited a terrestrial management path, but the service being sold was satellite broadband.
Public financial filings do not, by themselves, tell us the social cost of the KA-SAT event. A cyber incident may be immaterial to consolidated revenue yet material to a war-zone user, a wind-farm operator or a rural public service. Materiality for shareholders and continuity for public functions are related but different questions.
The SEC filing also shows why acquisition and integration history matters. Viasat completed the EBI acquisition in April 2021, less than a year before the attack. That does not prove that transition contributed to the incident. It does show that ownership, control, legacy systems and management responsibility were important background facts. When a provider acquires a satellite broadband platform, it inherits not only customers and infrastructure but also management-plane risk, distributor relationships, terminal fleets and public expectations.
The wider risk record confirms the pattern
The KA-SAT event also fits a wider risk record that was visible before and after the incident. Viasat's later fiscal 2023 annual report continued to describe a business model built around satellite services, government systems, ground infrastructure, terminals, managed communications and customers with high expectations for availability and security. (Viasat fiscal 2023 Form 10-K) That does not add a new forensic fact about February 24. It reinforces that Viasat was not merely a bandwidth reseller. It operated a communications platform where satellite, terrestrial, device and customer-service layers were commercially integrated.
European threat reporting moved in the same direction. ENISA's threat-landscape work for 2022 treated the war in Ukraine as a period of destructive malware, wiper activity, hacktivism, state-linked operations and spillover risk across European organizations. (ENISA Threat Landscape 2022) The KA-SAT disruption belongs in that environment because it joined technical destruction with cross-border communications consequences. It was not isolated from geopolitical context, and it was not limited to one national network.
US cyber agencies had also warned critical infrastructure about Russian state-sponsored and criminal cyber threats before the full invasion. CISA's January 2022 advisory urged organizations to prepare for disruptive activity, monitor for anomalous behavior and report incidents. (CISA Russian cyber-threat advisory) CISA's Shields Up initiative then asked organizations to lower their threshold for reporting and sharing malicious cyber activity during the heightened threat period. (CISA Shields Up) Those sources should not be read as a prediction of the exact KA-SAT method. They show why SATCOM providers and customers should have treated geopolitical context as operational risk rather than background news.
The US intelligence community's 2022 annual threat assessment, which CISA's SATCOM advisory referenced, likewise placed state cyber capabilities inside a broader strategic threat environment. (ODNI 2022 Annual Threat Assessment) For accountability, that means the standard cannot be limited to ordinary fraud or commodity ransomware. A provider serving wartime-adjacent communications had to assume that state-capable actors might seek disruption, intelligence advantage or spillover effects.
Control frameworks are useful only if they are applied with that operating reality in mind. NIST SP 800-53 is not a Viasat-specific legal finding, but its control families show the kind of domains that matter: access control, audit and accountability, configuration management, contingency planning, system and communications protection, and incident response. (NIST SP 800-53 Rev. 5) The KA-SAT attack touched all of those categories. The public cannot know from Viasat's overview how each control performed. It can know that any mature review would need to test them together rather than reduce the incident to a single VPN misconfiguration.
Contemporaneous reporting also kept the policy and sector record visible. Reuters covered the EU, UK and US attribution announcements on May 10, 2022, which helped establish that the Viasat event had become an international incident rather than only a provider-customer dispute. (Reuters attribution report) SpaceNews covered Viasat's explanation for a space and satellite audience, highlighting that the event mattered to the satellite sector's understanding of cyber exposure. (SpaceNews KA-SAT report)
Finally, the incident is useful by contrast with classic routing-security problems. Routing-security efforts such as MANRS focus on norms that reduce route leaks, spoofing and hijacks in the internet routing system. (MANRS routing security program) KA-SAT was not publicly described as that kind of routing event. The comparison helps avoid a category error: here, customers lost transit because terminals and management trust failed before traffic could use the wider internet path. That is still a peering-and-transit accountability issue, but its control surface was terminal management rather than route origination.
Customers had their own control duties
Provider accountability is central, but it is not the whole record. Customers that use satellite broadband for critical functions control their own dependency architecture. They decide whether the satellite link is primary, backup or convenience. They decide whether remote monitoring can degrade safely. They decide whether there is an alternate provider, terrestrial link, radio path, cellular backup or manual procedure. They decide whether traffic is independently encrypted and monitored beyond the provider's network.
CISA's advisory explicitly addresses both providers and customers for this reason. It tells customers to review trust relationships, monitor systems behind SATCOM terminals, integrate SATCOM traffic into security monitoring where possible, and maintain continuity plans for disrupted technology systems. That is a customer-side accountability frame.
For public-sector users, the duty is stronger. If a public authority or military-adjacent function depends on commercial satellite broadband, procurement should not stop at bandwidth and coverage. It should ask how incidents are notified, how terminals are replaced, whether alternate communications are tested, which users receive priority, how evidence is preserved and how service dependency is classified during conflict. A contract that treats satellite service as ordinary internet access may be inadequate for a wartime continuity role.
For small businesses and local operators, the answer cannot simply be expensive redundancy. Many do not have the budget for dual satellite providers or dedicated managed security. The accountable market design should therefore include clear service classifications, affordable backup options, published incident-support channels and plain-language advice about what a fixed satellite link can and cannot guarantee.
Wartime dependency changed the standard of care
The Viasat incident occurred at the opening of a major invasion. That context changes how the evidence should be read. A commercial provider cannot control whether a state actor chooses to attack. It can control how exposed its management plane is, how segmented its service classes are, how quickly it detects misuse, how safely mass commands are governed, how it communicates with customers and how it supports terminal recovery.
Public agencies also had control duties. Governments had to attribute, warn other providers, support Ukraine and allies, and turn the incident into actionable guidance for SATCOM operators and customers. The CISA advisory is part of that response. So are UK, EU and US attribution statements. Attribution without mitigation would be diplomacy only; mitigation without attribution would leave the geopolitical threat underdescribed.
The incident also shows the limit of "resilience" as a marketing word. Satellite connectivity is often promoted as resilient because it can bypass damaged terrestrial infrastructure. That is true in many disaster scenarios. It does not mean the satellite service itself is immune to terrestrial cyber failure. A satellite link can be geographically resilient and management-plane fragile at the same time.
The right standard of care is therefore dependency-specific. A satellite provider serving ordinary entertainment traffic has one continuity profile. A provider serving war-zone public authorities, critical infrastructure visibility or rural emergency services has another. The same physical network may carry both, which is why segmentation, customer classification and priority restoration are governance decisions, not only engineering decisions.
What a better accountability record would include
A complete public accountability record for the KA-SAT disruption would not need to reveal exploitable secrets. It would include categories that users and policymakers can act on.
First, it would distinguish customer classes affected by the consumer-oriented partition: households, small businesses, public bodies, infrastructure operators, distributors and Ukrainian users. Aggregate bands would be enough.
Second, it would describe recovery paths by modem category: remotely restored, factory reset, reflashed, replaced, unreachable, and still unknown after a defined period. This would convert "tens of thousands" into an operational recovery curve.
Third, it would identify management-plane control changes without publishing sensitive architecture: VPN exposure, authentication, least privilege, command authorization, fleet-action controls, logging, monitoring and segmentation.
Fourth, it would explain customer communications: when users, distributors, public agencies and infrastructure customers were notified; what alternatives were recommended; and how priority was assigned.
Fifth, it would state what remained unknown. A high-quality incident record does not pretend complete certainty. It marks where attribution, malware, access chronology and customer impact are still bounded.
Finally, it would connect provider and customer duties. Customers using satellite links for critical remote monitoring or public functions need fallback evidence just as providers need security evidence. The accountability record should not allow either side to say that the other entirely owned continuity.
The lasting lesson
The KA-SAT disruption is often described as a satellite hack. That shorthand is understandable but incomplete. The public evidence points to a cyberattack against a satellite broadband network's terrestrial management and terminal ecosystem. The satellite did not need to fail. The modem fleet did.
That difference makes the case more useful. It shows that space-based connectivity still depends on ordinary cyber controls: VPN configuration, identity, management segmentation, command authorization, logging, firmware integrity and incident response. It also shows that recovery can become stubbornly physical when customer equipment is damaged across borders.
For ViaSat, the accountable record concerns how a trusted management segment was protected, how a consumer-oriented partition was segmented, how modems were recovered, how customers were informed and how public dependencies were treated. For customers, the record concerns whether satellite connectivity was treated as critical transit and whether fallback paths were tested. For governments, the record concerns attribution, sector warnings, support to Ukraine and practical SATCOM guidance.
The strongest conclusion is not that satellite broadband is unsafe. It is that satellite resilience is only as strong as the management systems, terminal fleets and dependency contracts beneath it. In wartime, that stack becomes part of public continuity.

