- Researchers have linked a newly discovered Russian wiper malware to the sophisticated cyberattack against the Viasat KA-SAT network in late February, as Russia invaded Ukraine.
- SentinelOne researchers said the malware, which it calls AcidRain, is designed to erase data from modems and routers and would be the seventh form of wiper malware linked to the Russian attack against Ukraine.
- The attack disrupted service to several thousand satellite broadband customers in Ukraine and tens of thousands of fixed broadband customers across Europe, according to Viasat.
Viasat earlier this week said the attack was localized to a consumer-oriented part of the KA-SAT network operated by Skylogic, a unit of Eutelsat.
The attacks began on Feb 24, when high volumes of malicious traffic were found in SurfBeam2 and SurfBeam2+ modems and customer equipment in Ukraine, according to Viasat.
An investigation showed a ground-based attack exploited a misconfigured VPN appliance and gained access to a trusted management segment of the KA-SAT network, and then began executing commands to overwrite data in flash memory. The modems were unable to access the network, but not permanently damaged.
Researchers for SentinelOne, however, said the Viasat explanation did not entirely explain what happened and argued the threat actor used the KA-SAT management mechanism as part of a supply chain attack.
"In our estimation, the primary goal of the attacker was to render modems inoperable for an entire swath of customers," Juan Andres Guerrero-Saade, told Cybersecurity Dive via email. "Given the timing, it's easier to assume that they intended to hit aspects of military command and control in Ukraine."
He pointed to the impact on thousands of wind turbines operated by Germany's Enercon as a likely spillover from the attack.
A separate security researcher, Ruben Santamarta, has also examined how the threat actor exploited the SurfBeam modems
Enercon is still investigating the damage to its hardware, according to a spokesperson. About 85% of the affected turbines are back online.
The research underscores a warning from the FBI and the Cybersecurity and Infrastructure Security Agency about possible cyber attacks against satellite communications providers.
A spokesperson for Mandiant confirmed the company is working with Viasat to investigate the attack, but provided no details.
What remains unclear is whether the Biden administration has officially attributed the attack to any particular threat actor or nation-state.
Biden previously warned that an attack against U.S. critical infrastructure would lead to a U.S. response. However, because this attack was directed at Ukraine and impacted European customers it is not clear whether or how the U.S. or NATO might respond.
CISA referred questions about attribution to the National Security Council. NSC officials did not immediately respond.