A significant cyberattack targeted Viasat on February 24, 2022, the same day Russian forces initiated their invasion of Ukraine. This assault temporarily disabled KA-SAT modems and is attributed to wiper malware, as reported by SentinelOne’s recent findings.
The attack was disclosed shortly after Viasat identified it as a deliberate, multifaceted cyber assault on its KA-SAT network. Reports indicate that an attacker exploited a misconfiguration in a VPN appliance to gain unauthorized remote access to critical components of the KA-SAT infrastructure, leading to widespread disruption.
Once inside the network, the attacker executed “destructive commands” across tens of thousands of modems, overwriting critical data stored in flash memory. This temporarily left the modems unable to connect to the network, but it did not permanently damage them.
Further investigation by SentinelOne revealed a new malware variant named “ukrop,” which appears to have compromised the KA-SAT management infrastructure to deploy a significant wiper component known as **AcidRain**. This new wiper, which is structured as a 32-bit MIPS ELF executable, is capable of thoroughly erasing filesystem data and specifically targeting known files on storage devices.
AcidRain’s execution involves rebooting the device post-wipe, rendering it inoperative. With this incident, AcidRain marks the seventh wiper strain related to the ongoing conflict between Russia and Ukraine, joining other strains including WhisperGate and HermeticWiper.
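The report describes AcidRain as a 32-bit MIPS ELF executable. A first triage step for a defender sorting binaries pulled from modem or router firmware is to classify them by ELF class, byte order and target machine before any deeper analysis. The script below is an added example written for this page; it is not code from SentinelOne, Viasat or the malware itself. It parses only the ELF identification bytes and the `e_type`/`e_machine` fields, and the two sample headers are constructed inline (a minimal big-endian MIPS32 executable header and a little-endian x86-64 one) so it runs offline. Matching the architecture does not identify AcidRain; it only narrows a pile of files to the ones worth hashing and submitting for analysis.

```python
import struct

# Constructed sample: a minimal 52-byte ELF32 header for a big-endian MIPS
# executable. This is NOT an AcidRain sample, only a header with the
# architecture fields the report describes.
SAMPLE_MIPS32_BE_HEADER = (
    b"\x7fELF"                              # e_ident magic
    + b"\x01"                               # EI_CLASS: 1 = ELFCLASS32
    + b"\x02"                               # EI_DATA:  2 = big-endian
    + b"\x01"                               # EI_VERSION
    + b"\x00" * 9                           # EI_OSABI, EI_ABIVERSION, padding
    + struct.pack(">HHI", 2, 8, 1)          # e_type=ET_EXEC, e_machine=EM_MIPS, e_version
    + struct.pack(">III", 0x400000, 0, 0)   # e_entry, e_phoff, e_shoff
    + struct.pack(">IHHHHHH", 0, 52, 32, 0, 40, 0, 0)  # e_flags ... e_shstrndx
)

# Constructed sample: a minimal 64-byte ELF64 header for a little-endian
# x86-64 executable, used as the negative case.
SAMPLE_X86_64_LE_HEADER = (
    b"\x7fELF"
    + b"\x02"                               # EI_CLASS: 2 = ELFCLASS64
    + b"\x01"                               # EI_DATA:  1 = little-endian
    + b"\x01"
    + b"\x00" * 9
    + struct.pack("<HHI", 2, 62, 1)         # e_type=ET_EXEC, e_machine=EM_X86_64
    + struct.pack("<QQQ", 0x401000, 0, 0)   # e_entry, e_phoff, e_shoff (64-bit)
    + struct.pack("<IHHHHHH", 0, 64, 56, 0, 64, 0, 0)
)

# Subset of the e_machine and e_type values from the ELF specification.
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data: bytes) -> dict:
    """Return class, byte order, object type and machine for an ELF blob.

    Raises ValueError for non-ELF input or unsupported identification bytes.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    # e_type and e_machine sit at offsets 16 and 18 for both ELF32 and ELF64,
    # but they are stored in the file's own byte order, so honour EI_DATA.
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": ET_NAMES.get(e_type, f"unknown({e_type})"),
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
    }


def is_mips32_executable(data: bytes) -> bool:
    """True only for a 32-bit MIPS ET_EXEC; anything unparsable is False."""
    try:
        header = parse_elf_header(data)
    except ValueError:
        return False
    return header["bits"] == 32 and header["machine"] == "MIPS" and header["type"] == "EXEC"


def triage(samples: dict) -> list:
    """Given {name: bytes}, return the names that match the MIPS32 profile, sorted."""
    return sorted(name for name, blob in samples.items() if is_mips32_executable(blob))


if __name__ == "__main__":
    # Hypothetical file names; the contents are the constructed headers above.
    pile = {"firmware/bin/busybox": SAMPLE_MIPS32_BE_HEADER,
            "firmware/bin/agent": SAMPLE_X86_64_LE_HEADER,
            "firmware/etc/notes.txt": b"plain text, not ELF"}
    for name, blob in pile.items():
        try:
            print(name, parse_elf_header(blob))
        except ValueError as exc:
            print(name, "skipped:", exc)
    print("MIPS32 executables to hash and escalate:", triage(pile))
```

In practice the `samples` dict would be filled by walking an extracted firmware image; the parser deliberately reads only the first 20 bytes so it is cheap to run over thousands of files, and it treats every malformed input as "not a match" rather than raising, so a corrupt file cannot abort a bulk scan.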
Further analysis has shown intriguing overlaps in code with a plugin used in the notorious VPNFilter malware, which has connections to the Russian threat group Sandworm. Following the attack, multiple U.S. and U.K. cybersecurity agencies, including CISA and the NCSC, alerted the public about a successor called Cyclops Blink.
Despite the ongoing investigation, specifics regarding how the attackers accessed the VPN remain unclear. A statement from Viasat confirmed the use of data-destroying malware but withheld further information due to the active investigation. The company clarified that the malware operated through legitimate management commands, emphasizing no standard software distribution processes were compromised during the attack.
Viasat’s full statement affirms that their incident report and SentinelOne’s findings are consistent, acknowledging the attacker’s lateral movement within the management network to execute commands across numerous residential modems simultaneously.
As cybersecurity continues to evolve, this incident highlights the need for robust security measures and for understanding adversary tactics as catalogued in the MITRE ATT&CK framework. Exploiting misconfigurations for initial access, followed by privilege escalation, are among the tactics likely employed in this attack, underscoring the importance of continuous vigilance in security operations.