The recent cyberattack on U.S. satellite communications provider Viasat, an incident that triggered satellite service outages across central and eastern Europe, was likely the result of destructive wiper malware, according to newly published security research.
Details about the cyberattack, which rendered Viasat’s KA-SAT network inoperable since February 24 — the day of the Russian invasion of Ukraine — have so far been light. The attack, which also disconnected remote access to about 5,800 wind turbines across Germany, was originally believed to be the result of a distributed denial of service attack, but SentinelLabs researchers now believe it was the result of a new strain of wiper malware called “AcidRain” that was designed to remotely erase vulnerable modems and routers.
AcidRain was discovered by SentinelLabs researchers on March 15 after it was uploaded to VirusTotal from a user in Italy with the name “ukrop,” which the researchers say could be shorthand for “Ukraine operation.” The wiper’s functionality is described as “generic” by the researchers, in that it performs an in-depth wipe of the filesystem and various known storage device files, before attempting to destroy the data. Once the wiping processes are complete, the device is rebooted and ultimately rendered inoperable.
“AcidRain’s functionality is relatively straightforward and takes a bruteforce attempt that possibly signifies that the attackers were either unfamiliar with the particulars of the target firmware or wanted the tool to remain generic and reusable,” said SentinelLabs researchers Juan Andres Guerrero-Saade and Max van Amerongen.
While the identity of the attackers remains unknown, SentinelLabs has noted similarities between AcidRain and the VPNFilter malware, which infected thousands of home and small business routers and network devices worldwide. In 2018, the FBI attributed the VPNFilter operation to the Russian-backed “Fancy Bear” — or APT28 — hacking group, and more recently, the NSA and CISA tied it to Sandworm, which has been accused of a five-year spree of attacks, including the destructive NotPetya cyberattack that targeted hundreds of firms and hospitals worldwide and cyberattacks that took down part of the Ukrainian power grid. Both APT28 and Sandworm have been linked to Russia’s military intelligence agency, the GRU.
The researchers note that while it “cannot definitively” tie AcidRain to VPNFilter, or the larger Sandworm threat cluster, it notes “a medium-confidence assessment of non-trivial developmental similarities between their components.”
AcidRain is believed to be the seventh strain of wiper malware to target Ukraine since the onset of Russia’s invasion, the researcher said.
Viasat confirmed much of SentinelOne’s findings in a statement given to TechCrunch. Viasaid said the researchers’ findings are “consistent with the facts in our report,” which it released Wednesday, but declined to comment further citing an ongoing investigation.
Viasat said on Wednesday in its first incident response report regarding the February cyberattack that the unnamed attackers exploited a misconfigured VPN appliance to gain remote access to the “trusted management” segment of the KA-SAT network, before using their access to “execute legitimate, targeted management commands on a large number of residential modems simultaneously.”
Viasat goes on to add that “these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”
SentineLabs notes in its report that it remains unclear how legitimate commands could have such a disruptive effect on the modems. “Despite Viasat’s statement claiming that there was no supply-chain attack or use of malicious code on the affected routers, we posit the more plausible hypothesis that the attackers deployed AcidRain (and perhaps other binaries and scripts) to these devices in order to conduct their operation,” Guerrero-Saade and van Amerongen concluded.
Since the February attack, which Viasat says impacted several thousand customers located in Ukraine and tens of thousands of customers across Europe, the company has shipped almost 30,000 modems to distributors to bring customers back online. The outage has not yet been fully resolved, and CISA and the FBI have warned that US satellites could be the next target.
Updated with comment from Viasat.