Russian Wiper Malware Is Possibly Responsible for Recent Cyberattack on Viasat KA-SAT Modems


Image Courtesy: Reuters

The strike on Viasat that temporarily took KA-SAT modems offline on February 24, 2022, the same day Russian military troops invaded Ukraine, was the product of wiper malware, according to SentinelOne's latest study.

The findings come as the US telecom company revealed that it had been the victim of a "multifaceted and deliberate" cyberattack against its KA-SAT network, which was linked to a "ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the KA-SAT network's trusted management segment."

After obtaining access, the attacker transmitted "destructive commands" to tens of thousands of satellite broadband modems, which "overwrote vital data in flash memory on the modems, rendering the modems inoperable but not permanently unusable."

SentinelOne, meanwhile, announced on March 15 that it had identified a new piece of malware that sheds further light on the entire incident: a supply chain compromise of the KA-SAT management mechanism, used to distribute the wiper, nicknamed AcidRain, to the modems and routers and achieve disruption at scale.

AcidRain is a 32-bit MIPS ELF programme that "performs an in-depth wipe of the filesystem and several known storage device files," according to researchers Juan Andres Guerrero-Saade and Max van Amerongen. "If the code is run as root, AcidRain does an initial recursive overwrite and delete of non-standard files in the filesystem."

Image Courtesy: The Hacker News

When the wiping process is complete, the device is rebooted, rendering it inoperable. After WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero, AcidRain is the seventh wiper strain revealed in relation to the Russo-Ukrainian war since the beginning of the year.

Further investigation of the wiper sample revealed an "interesting" code overlap with a third-stage plugin ("dstr") used in attacks by the VPNFilter malware family, which has been linked to the Russian Sandworm (aka Voodoo Bear) group.

In late February 2022, intelligence services from the United Kingdom and the United States announced Cyclops Blink, a new framework for VPNFilter.

However, it is unclear how the threat actors acquired access to the VPN. In a statement provided to Ars Technica, Viasat confirmed that data-destroying malware was delivered to the modems via "legitimate management" commands, but it has refrained from releasing further specifics due to an ongoing investigation.
