A satellite broadband outage impacting thousands of customers in Ukraine and across Europe was the result of malware linked to the Russian government.
The outage occurred on 24 February 2022. That date has sadly gone down in history as the day Russia decided to launch its invasion of Ukraine—causing tens of thousands of deaths on both sides, displacing around 6.5 million people within the country, and leading to an estimated 4.1 million refugees.
Given the timing, the outage was always suspected to be linked to Russia’s invasion.
Viasat explained in a blog post earlier this week that the outage was localised to “a single consumer-oriented partition of the KA-SAT network that is operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic”.
The satellite broadband operator said it immediately undertook actions to stabilise and secure the network, and that the issue was largely rectified within hours and fully rectified within several days.
Viasat is still working with a number of international agencies to investigate the cyberattack but says it identified “a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network.”
The attacker used their access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. The destructive commands rendered the modems unable to access the network by overwriting key data in flash memory on the units.
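Because each command was legitimate, filtering on command names would not have flagged this activity; what stands out on the management plane is one source commanding many distinct modems in a short window. The sketch below is an added example, not code from Viasat or SentinelOne, and the audit-log format, host names, command names, window and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Assumed audit format: ISO-time source-host modem-id command."""
    ts, source, modem, command = line.split()
    return datetime.fromisoformat(ts), source, modem, command

def detect_fanout(lines, window=timedelta(seconds=60), threshold=25):
    """Return {source: (alert_time, distinct_modems)} for every source that
    commands more than `threshold` distinct modems within `window`."""
    recent = defaultdict(deque)  # source -> (time, modem) pairs still in window
    alerts = {}
    for ts, source, modem, _cmd in sorted(map(parse, lines)):
        q = recent[source]
        q.append((ts, modem))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({m for _, m in q})
        if distinct > threshold and source not in alerts:
            alerts[source] = (ts, distinct)  # first crossing only
    return alerts

def constructed_log():
    """Constructed sample data: routine polling plus one rapid burst."""
    base = datetime(2022, 1, 1, 12, 0, 0)
    # Hypothetical NOC host checks one modem every five minutes.
    routine = [
        f"{(base + timedelta(minutes=5 * i)).isoformat()} noc-1 modem-{i:04d} status"
        for i in range(10)
    ]
    # Hypothetical host sends the same command to 40 modems, one per second.
    burst = [
        f"{(base + timedelta(hours=1, seconds=i)).isoformat()} jump-7 modem-{i:04d} run-update"
        for i in range(40)
    ]
    return routine + burst

if __name__ == "__main__":
    for source, (when, count) in detect_fanout(constructed_log()).items():
        print(f"ALERT {source}: {count} distinct modems within 60s at {when}")
```

The window and threshold need tuning against the normal rhythm of fleet-wide maintenance jobs, which produce the same pattern from approved hosts.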
Cybersecurity firm SentinelOne undertook a deeper analysis of the cyberattack.
SentinelOne said that Viasat’s statement “provides a somewhat plausible but incomplete description of the attack” and that “spillover from this attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control.”
The cybersecurity firm discovered that an ELF MIPS malware designed to wipe modems and routers was used in the attack. The company has called the malware AcidRain.
“We assess with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government,” explained SentinelLabs researchers Juan Andres Guerrero-Saade and Max van Amerongen.
Viasat has since confirmed that SentinelOne’s research was consistent with its own findings that a “destructive executable” was “run on the modems using a legitimate management command”.
The spillover of the cyberattack that impacted wind turbines in Germany is particularly concerning. Had it hit something more critical, there could have been a serious escalation. NATO has been clear that a cyberattack on a member could trigger a collective response from the alliance.
SentinelOne notes that AcidRain is the seventh wiper malware associated with Russia’s invasion of Ukraine.