One of the latest major cyberattacks, which disabled tens of thousands of Viasat satellite broadband modems a few weeks ago, is most likely associated with the VPNFilter malware attributed to Russia. The conclusion comes from SentinelOne.
SentinelOne’s Take on the Attack against Viasat
What happened? On February 24, when Russian troops invaded Ukraine, Viasat terminals in Europe and Ukraine were knocked offline unexpectedly, causing wind turbines in Germany to lose satellite internet connectivity and interfering with monitoring and control.
Viasat recently released a statement that provides some description of the attack, though an incomplete one. The company explained that the intruder explored its internal network until they could issue commands to subscriber modems that overwrote their flash storage, after which the equipment required a factory reset.
More specifically, the attackers’ destructive commands overwrote key data in the modems’ flash memory, leaving the modems unable to access the network but not permanently unusable. However, the company has not specified how the modems were overwritten in the first place. SentinelOne researchers offer an explanation they consider the most plausible. The cybersecurity firm believes the intrusion was carried out with wiper malware (which SentinelOne named AcidRain) deployed to the affected devices via a malicious firmware update from Viasat’s compromised backend. The conclusion stems from a suspicious MIPS ELF binary, named ukrop, that was uploaded to VirusTotal on March 15.
Here’s what SentinelOne says:
On Tuesday, March 15th, 2022, a suspicious upload caught our attention. A MIPS ELF binary was uploaded to VirusTotal from Italy with the name ‘ukrop’. We didn’t know how to parse the name accurately. Possible interpretations include a shorthand for “ukr”aine “op”eration, the acronym for the Ukrainian Association of Patriots, or a Russian ethnic slur for Ukrainians – ‘Укроп’. Only the incident responders in the Viasat case could say definitively whether this was in fact the malware used in this particular incident.
What happened next in the attack? According to SentinelOne, the threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper specifically designed to target modems and routers. “A wiper for this kind of device would overwrite key data in the modem’s flash memory, rendering it inoperable and in need of reflashing or replacing,” SentinelOne added. Their suggestion is that the ukrop executable, which they named AcidRain, could perform exactly those tasks.
Viasat later confirmed that SentinelOne’s hypothesis is “consistent with the facts” in their report.
While SentinelOne cannot definitively tie AcidRain to VPNFilter, they note “a medium-confidence assessment of non-trivial developmental similarities between their components,” also expressing hope that the research community will continue to contribute their findings in the spirit of collaboration.