Viasat—the high-speed-satellite-broadband provider whose modems were knocked out in Ukraine and other parts of Europe earlier this month—has confirmed a theory by third-party researchers that new wiper malware with possible ties to the Russian government was responsible for the attack.
In a report published Thursday, researchers at SentinelOne said they uncovered the new modem wiper and named it AcidRain. The researchers said AcidRain shared multiple technical similarities to parts of VPNFilter, a piece of malware that infected more than 500,000 home and small-office modems in the US. Multiple US government agencies—first the FBI and later organizations including the National Security Agency—have all attributed the modem malware to Russian state threat actors.
Enter ukrop
SentinelOne researchers Juan Andres Guerrero-Saade and Max van Amerongen posited that AcidRain was used in a cyberattack that sabotaged thousands of modems used by Viasat customers. Among the clues they found was the name “ukrop” for one of AcidRain’s source binaries.
While SentinelOne said it couldn’t be sure its theory was correct, Viasat representatives quickly said that the theory was. Viasat also said that the finding was consistent with a brief overview the company published on Wednesday.
Viasat wrote:
The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report—specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described. As noted in our report: “the attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously.”
AcidRain is the seventh distinct piece of wiper malware associated with Russia’s ongoing invasion of Ukraine. Guerrero-Saade and van Amerongen said AcidRain is an executable file for MIPS, the hardware architecture for the modems used by Viasat customers. The malware was uploaded to VirusTotal from Italy and bore the name “ukrop.”
“Despite what the Ukraine invasion has taught us, wiper malware is relatively rare,” the researchers wrote. “More so wiper malware aimed at routers, modems, or IoT devices.”
The researchers soon found “non-trivial” but ultimately “inconclusive” developmental similarities between AcidRain and a “dstr,” the name of a wiper module for VPNFilter. The resemblances included a 55 percent code similarity as measured by a tool known as tlsh, identical section header strings tables, and the “storing of the previous syscall number to a global location before a new syscall.”
“At this time, we can’t judge whether this is a shared compiler optimization or a strange developer quirk,” the researchers said.
One mystery solved, more remain
The Viasat statement indicates that the speculation was spot on.
Viasat’s overview from Wednesday said that the hackers behind the destructive attack gained unauthorized access to a trust-management segment of the company’s KA-SAT network by exploiting a misconfigured VPN. The hackers then expanded their reach to other segments that allowed them to “execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”
How the threat actors gained access to the VPN is still unclear.
Also on Thursday, independent security researcher Ruben Santamarta published an analysis that uncovered several vulnerabilities present in some of the firmware that runs on the SATCOM terminals disrupted in the attack. One was a failure to cryptographically validate new firmware before installing it. Another is “multiple command injection vulnerabilities that can be trivially exploited from a malicious ACS.”
ACS appears to refer to a mechanism known as auto configuration servers found in a protocol used by the modems.
“I am not saying that these issues were actually abused by the attackers, but certainly it does not look good,” Santamarta wrote. “Hopefully, these vulnerabilities are no longer present in the newest Viasat firmware, otherwise that would be a problem.”
As is clear, plenty of mysteries still surround the disabling of the Viasat modems. But the confirmation that AcidRain was the payload responsible is an important breakthrough.
“I’m glad Viasat concurred with our findings on AcidRain,” Guerrero-Saade wrote in a private message. “I hope they’ll be able to share more of their findings. There’s a lot more to figure out in this case.”