According to IT security firm SentinelOne, tens of thousands of broadband modems that were taken out of service in a cyberattack on US provider Viasat and its KA-Sat network for satellite internet in February, parallel to Russia's armed incursion into Ukraine, have fallen victim to wiper malware . This type of malware, designed to permanently render data on an infected device unusable, is said to be linked to the destructive VPNFilter botnet located in Russia.
The massive cyber attack, which had been prepared for a long time, paralyzed the terminals of tens of thousands of customers of the Eutelsat subsidiary Skylogic in Europe, for which Viasat operates the KA-Sat network. As a result of the incident, which was apparently primarily intended to cut off customers in the Ukraine from satellite Internet, the operation of around 5,800 Enercon wind turbines was also severely restricted in Germany as "collateral damage".
Vulnerable VPN lets attackers in
Viasat announced details of the outage on Wednesday. The company essentially blamed a poorly configured VPN application that allowed an intruder to access a trusted management segment of the KA-Sat network. Experts had previously assumed that the disruptions could only be explained by an attack on Viasat's central Network Operation Center (NOC). The willful hackers probably managed to install a defective firmware update on the terminals.
Viasat now explained that the unknown attacker had explored the internal network. He was able to instruct Skylogic customers' modems to overwrite their flash memory. At least a factory reset was then required to restore the normal function of the devices.
The intruder moved to a specific segment within the trusted management network used to control and operate KA-Sat, Viasat said. This privileged access was misused to "simultaneously execute legitimate, targeted administrative commands on a large number of private modems".
Malicious firmware update injected
Important data in memory was overwritten with these "destructive instructions," the statement said. The terminals would no longer have been able to access the network, but had not become permanently unusable. Nevertheless, Viasat says it has now sent around 30,000 modems to sales partners in order to bring subscribers back online.
Viasat left it open how exactly the memory was overwritten. IT security researchers Juan Andres Guerrero-Saade and Max van Amerongen from SentinelOne filled this gap on Thursday. According to them, it was a wiper malware that was installed on the devices as a defective firmware update from the compromised Viasat backend. This conclusion is based on a suspicious-looking MIPS-ELF binary named "ukrop" that was uploaded to VirusTotal on March 15th.
Viasat has now confirmed to the specialist portal BleepingComputer that "the analysis in the SentinelLabs report about the Ukrop binary corresponds to the facts in our report". According to SentinelOne, a total of seven relevant, tendentially particularly destructive types of malware have been known since the beginning of 2022 that target systems in Ukraine: WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper and DoubleZero.
The researchers also assume "with a medium degree of certainty" that "there are similarities in development" between AcidRain and a destructive plugin of the botnet malware VPNFilter. In 2018, the FBI and the US Department of Justice attributed this malware from the so-called sandworm cluster, which at times infected around 500,000 routers and servers, to the Russian government. Overall, AcidRain seems to be "a far more sloppy product" compared to the more targeted role model.