
AcidRain Modem Wiper (Ukrop) Caused the Attack Against Viasat Satellites


One of the latest major cyberattacks, which disabled tens of thousands of Viasat satellite broadband modems a few weeks ago, is most likely associated with the VPNFilter malware, attributed to Russia. The conclusion comes from SentinelOne.

SentinelOne’s Take on the Attack against Viasat

What happened? On February 24, when Russian troops invaded Ukraine, Viasat terminals in Europe and Ukraine were knocked offline unexpectedly, causing wind turbines in Germany to lose satellite internet connectivity and interfering with monitoring and control.


Viasat recently released a statement that describes the attack, though not in sufficient detail. The company explained that the intruder explored its internal network until they were able to instruct subscribers' modems to overwrite their flash storage, which then required a factory reset of the equipment.

More specifically, the attackers’ destructive commands overwrote key data in flash memory on the modems, making the modems unable to access the network, but not permanently unusable. However, the company hasn’t specified how the modems were overwritten in the first place. SentinelOne researchers provide an explanation, which is as close to the truth as possible. The cybersecurity firm believes that the intrusion was possible thanks to wiper malware (which SentinelOne called AcidRain) deployed to those devices via a malicious firmware update from Viasat’s compromised backend. The conclusion stems from a suspicious MIPS ELF binary named ukrop that was uploaded to VirusTotal on March 15.

Here’s what SentinelOne says:

On Tuesday, March 15th, 2022, a suspicious upload caught our attention. A MIPS ELF binary was uploaded to VirusTotal from Italy with the name ‘ukrop’. We didn’t know how to parse the name accurately. Possible interpretations include a shorthand for “ukr”aine “op”eration, the acronym for the Ukrainian Association of Patriots, or a Russian ethnic slur for Ukrainians – ‘Укроп’. Only the incident responders in the Viasat case could say definitively whether this was in fact the malware used in this particular incident.

What happened next in the attack? The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper specifically designed to target modems and routers. “A wiper for this kind of device would overwrite key data in the modem’s flash memory, rendering it inoperable and in need of reflashing or replacing,” SentinelOne added. Their suggestion is that the ukrop executable, which they named AcidRain, could perform the needed tasks.

Viasat later confirmed that SentinelOne’s hypothesis is “consistent with the facts” in their report.

In conclusion…
While SentinelOne cannot definitively tie AcidRain to VPNFilter, they note “a medium-confidence assessment of non-trivial developmental similarities between their components,” also expressing hope that the research community will continue to contribute their findings in the spirit of collaboration.

Milena Dimitrova
