The cyberattack aimed at Viasat that temporarily knocked KA-SAT modems offline on February 24, 2022, the same day Russian military forces invaded Ukraine, is believed to have been the consequence of wiper malware, according to the latest research from SentinelOne.
The findings were made after the U.S. telecom firm disclosed that it had been the victim of a “multifaceted and deliberate” cyberattack on its KA-SAT network. The intrusion was ground-based: an attacker exploited a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network.
From there, the adversary sent “destructive orders” to tens of thousands of modems on the satellite broadband service. The commands “overwrote key information in flash memory, rendering modems unusable but not permanently.”
But SentinelOne said it uncovered a new piece of malware (named “ukrop”) on March 15 that casts the entire incident in a fresh light – a supply chain compromise of the KA-SAT management mechanism to deliver the wiper, dubbed AcidRain, to the modems and routers and achieve scalable disruption.
AcidRain is a 32-bit MIPS ELF executable that “performs an in-depth wipe of the filesystem and various known storage device files,” researchers Juan Andres Guerrero-Saade and Max van Amerongen said. If it runs as root, AcidRain first performs a recursive deletion and overwrite of every non-standard file in the filesystem before moving on to the storage devices themselves.
Once the wiping is complete, the malware reboots the device, leaving it inoperable. This makes AcidRain the seventh wiper strain to be uncovered since the start of the year in connection with the Russo-Ukrainian war, after WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero.
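The report identifies the sample by its ELF header: a 32-bit MIPS executable. The following triage helper, added here as an illustration and not code from SentinelOne or Viasat, parses just the ELF identification bytes and the e_type/e_machine fields so an analyst can bulk-sort recovered binaries into “32-bit MIPS” and “everything else” before deeper analysis. The constants (ELFCLASS32 = 1, big-endian EI_DATA = 2, EM_MIPS = 8, ET_EXEC = 2) come from the ELF specification; the sample headers are constructed inline and are not real AcidRain bytes.

```python
import struct

# ELF constants from the ELF specification (not from the AcidRain report).
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_MIPS, EM_ARM, EM_X86_64 = 8, 40, 62
ET_EXEC, ET_DYN = 2, 3


def parse_elf_header(data: bytes) -> dict:
    """Parse the fields of an ELF header needed for architecture triage.

    Only the first 20 bytes are read: e_ident (16 bytes) followed by
    e_type and e_machine, whose byte order is given by e_ident[EI_DATA].
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("invalid ELF identification bytes")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "little" if ei_data == ELFDATA2LSB else "big",
        "e_type": e_type,
        "e_machine": e_machine,
    }


def is_mips32_executable(data: bytes) -> bool:
    """True if the blob is a 32-bit MIPS ELF of type ET_EXEC or ET_DYN.

    This matches the file-format profile the report gives for AcidRain. It is a
    sorting filter, not an indicator of compromise: most consumer router and
    modem firmware ships thousands of legitimate 32-bit MIPS binaries.
    """
    try:
        hdr = parse_elf_header(data)
    except ValueError:
        return False
    return hdr["bits"] == 32 and hdr["e_machine"] == EM_MIPS and hdr["e_type"] in (ET_EXEC, ET_DYN)


def make_elf_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a constructed, minimal ELF header for testing (no code, no sections)."""
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8  # EI_VERSION=1, EI_OSABI=0
    fields = struct.pack(endian + "HHI", e_type, e_machine, 1)  # e_type, e_machine, e_version
    return (e_ident + fields).ljust(52, b"\x00")  # 52 = sizeof(Elf32_Ehdr)


# Constructed sample headers standing in for files recovered from a device image.
SAMPLES = {
    "mips32_be_exec": make_elf_header(ELFCLASS32, ELFDATA2MSB, ET_EXEC, EM_MIPS),
    "mips32_le_pie": make_elf_header(ELFCLASS32, ELFDATA2LSB, ET_DYN, EM_MIPS),
    "arm32_le_exec": make_elf_header(ELFCLASS32, ELFDATA2LSB, ET_EXEC, EM_ARM),
    "x86_64_le_pie": make_elf_header(ELFCLASS64, ELFDATA2LSB, ET_DYN, EM_X86_64),
    "not_elf": b"#!/bin/sh\necho hello\n",
}


def triage(samples: dict) -> list:
    """Return the names of samples that match the 32-bit MIPS executable profile."""
    return [name for name, blob in samples.items() if is_mips32_executable(blob)]


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        try:
            print(name, parse_elf_header(blob))
        except ValueError as exc:
            print(name, "skipped:", exc)
    print("matches:", triage(SAMPLES))
```

The header-only parse is deliberate: on a device image with thousands of files it runs in well under a second and never dereferences section or program headers, so a malformed binary cannot make the triage tool itself misbehave. Anything this filter keeps still has to be examined for the actual wiping behaviour described in the report.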
Further analysis of the wiper sample revealed an “interesting code overlap” with a third-stage plugin (“dstr”) belonging to the VPNFilter malware family, which has been linked to the Russian Sandworm group, also known as Voodoo Bear.
In late February 2022, the U.K. National Cyber Security Centre (NCSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) disclosed a replacement for VPNFilter, which they called Cyclops Blink.
However, it is still not clear how the threat actors obtained access to the VPN. Viasat shared a statement with The Hacker News confirming that malware capable of destroying data was deployed to modems using legitimate management commands, but it declined to share further information due to the ongoing investigation.
The entire statement from the company is as follows –
The facts provided in the Viasat Incident Report yesterday are accurate. The analysis in the SentinelLabs report regarding the ‘ukrop’ binary is consistent with the facts in our report – specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described.
As noted in our report: “the attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously.”
Additionally, we don’t view this as a supply chain attack or vulnerability. As we noted, “Viasat has no evidence that standard modem software or firmware distribution or update processes involved in normal network operations were used or compromised in the attack.” Furthermore, there is no evidence to suggest that end-user data were accessed or compromised.
Due to the ongoing investigation and to ensure the security of our systems from ongoing attack, we cannot publicly share all forensic details of the event. Through this process, we have been, and continue to cooperate with various law enforcement and government agencies around the world, who’ve had access to details of the event.
We expect we can provide additional forensic details when this investigation is complete.