Modem-erasing malware was behind the Viasat cyberattack

Satellite operator Viasat has confirmed that destructive malware was behind problems with end-user modems in Ukraine and parts of Europe on the day Russia invaded Ukraine.

SentinalLabs researchers Juan Andres Guerrero-Saade and Max van Amerongen detailed their discovery of a destructive new malware variant they call “AcidRain” – a Linux File Format (ELF) binary designed to wipe out modems and routers – which they claim knocked out thousands of Vistas. KA-SAT routers on February 24.

AcidRain is the latest destructive malware discovered since the February 24 invasion of Russia, including WhisperGate, HermeticWiper, CaddyWiper, IssacWiper, and DoubleZero.

According to SentinalLabs, AcidRain shares some similarities with the Stage 3 component of VPNFilter – the malware that Ukraine blocked in 2018 fearing an attack on its critical infrastructure and which prompted the FBI that year to tell everyone world to reboot its routers to remove the malware.

The security firm released its findings on AcidRain on the heels of Viasat’s March 30 story of the February outage, which preceded an outage of German energy company Enercon’s remote communications system at 5,800 wind turbines.

Viasat at the time confirmed that the attack was not on the satellite network itself but was a denial of service attack on SurfBeam2 and SurfBeam2+ modems located in Ukraine which took KA-SAT modems offline.

Viasat said yesterday that the attack was localized to a single consumer-facing partition of the KA-SAT network operated on behalf of Viasat by Eutelsat subsidiary Skylogic. This had no impact on mobility managed directly by Viasat or government users on the KA-SAT satellite, nor on users of other Viasat networks, he said.

The company noted that “destructive commands overwrite key data in the modems’ flash memory, rendering the modems unable to access the network, but not permanently unusable.”

Viasat also said the attackers exploited a misconfigured VPN device to gain remote access to access the management segment of the KA-SAT network, then switched to a part used to manage and operate the network, before executing “legitimate and targeted management commands” on the home network. modems.

SentinalLabs researchers came up with another idea: a supply chain attack, where attackers somehow used a KA-SAT management mechanism to push the wiper to modems. and targeted routers.

“The threat actor used the KA-SAT management mechanism in a supply chain attack to push a wiper designed for modems and routers. A wiper for this type of device would overwrite data keys from the modem’s flash memory, rendering it unusable and in need of reflashing or replacing,” notes SentinalLabs.

SentinalLabs researchers spotted a MIPS ELF binary with the name “ukrop” on VirusTotal that was uploaded on March 15.

“Only those involved in the Viasat case could say with certainty whether it was in fact the malware used in this particular incident,” they add.

A Viasat spokesperson told ZDNet that the facts in SentinalLabs’ report were accurate and consistent with its own report, but Viasat disagrees that it was an attack by the supply chain.

“The facts provided in Viasat’s incident report yesterday are accurate. The SentinelLabs report’s analysis of the ukrop binary is consistent with the facts in our report – specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command like Viasat previously described.”

“We do not consider this to be an attack or a supply chain vulnerability,” the spokesperson said.

According to Viasat’s Thursday report: “Viasat has no evidence that standard modem software or firmware distribution or update processes involved in normal network operations were used or compromised in the attack.” Additionally, “there is no evidence that any end-user data was accessed or compromised.”

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently warned all SATCOM operators and their customers to review their guidelines for protecting against attacks on satellite networks and Very Small Aperture Terminal (VSAT) networks.

Leave a Comment