Viasat confirms report of wiper malware used in Ukraine cyberattack

Satellite communications company Viasat said its own research is consistent with a new report from a cybersecurity firm that said a February attack on their infrastructure in Ukraine involved the use of a new malware named “AcidRain.”

SentinelOne released a report on Thursday analyzing the February 24th cyberattack that left Viasat KA-SAT modems inoperable in Ukraine. The attack had other downstream effects, causing the malfunction of 5,800 Enercon wind turbines in Germany and disruptions to thousands of organizations across Europe.

The cybersecurity company attributed the attack to AcidRain, a wiper designed for modems and routers. 

A wiper can overwrite key data in a modem’s flash memory, rendering it inoperable and in need of reflashing or replacing, SentinelOne explained.

In a statement to The Record, Viasat said the facts in SentinelOne’s report are accurate and were consistent with the information in their own report on the cyberattack. 

“The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report – specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described,” the company said. 

"Viasat has no evidence that standard modem software or firmware distribution or update processes involved in normal network operations were used or compromised in the attack," adding that “there is no evidence that any end-user data was accessed or compromised." 

They have not released the forensic details of the attack because the investigation is ongoing and they are working with several law enforcement agencies around the world. The company has hired Mandiant to look into the attack and committed to releasing additional forensic details once the investigation is complete. 

We've had 6 wipers in the wake of the Ukraine invasion but the biggest elephant in the room has been the infamous 'satellite modem hack'. Despite statements saying there was no malware involved, we believe it was the work of a 7th wiper– AcidRain

— J. A. Guerrero-Saade (@juanandres_gs) March 31, 2022

Viasat released a lengthy statement about the attack on Wednesday, explaining that it was localized to a single consumer-oriented partition of the KA-SAT network that is operated on Viasat’s behalf by a subsidiary called Skylogic. 

There was a “ground-based network intrusion” by an attacker exploiting a misconfiguration in a VPN appliance that allowed them to gain remote access to the trusted management segment of the KA-SAT network. 

“The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously,” the company said.  

The destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, Viasat said, adding that there was “no impact or compromise of any modem physical or electronic components, no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference.”

A ‘more plausible hypothesis’

SentinelOne said evidence from Viasat’s statement and an analysis of the attack indicated AcidRain may have been involved in the incident. 

“Despite Viasat’s statement claiming that there was no supply-chain attack or use of malicious code on the affected routers, we posit the more plausible hypothesis that the attackers deployed AcidRain (and perhaps other binaries and scripts) to these devices in order to conduct their operation,” SentinelOne said, adding that there are ties between AcidRain and VPNFilter, a modular malware that the FBI, NSA, CISA and others have attributed to Russian threat actors. 

Last week, US Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger said the US is “carefully looking” into who is behind the hack.

“We have not yet attributed that attack, but we’re carefully looking at it because… of the impact not only in Ukraine, but also in satellite communication systems in Europe as well,” Neuberger said during a press briefing.

SentinelOne noted that AcidRain is the 7th known wiper malware associated with the Russian invasion of Ukraine.

WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero are all versions of wiper malware seen used against Ukrainian governmental organizations since February.