Viasat’s satellites in Europe were taken offline by Kremlin-associated malware

Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures. He can often be sighted at tech conferences with a strong coffee in one hand and a laptop in the other. If it's geeky, he’s probably into it. Find him on Twitter: @Gadget_Ry

A satellite broadband outage impacting thousands of customers in Ukraine and across Europe was the result of malware linked to the Russian government.

The outage occurred on 24 February 2022. That date has sadly gone down in history as the day Russia decided to launch its invasion of Ukraine—causing tens of thousands of deaths on both sides, displacing around 6.5 million people within the country, and leading to an estimated 4.1 million refugees.

Given the timing, the outage was always suspected to be linked to Russia’s invasion.

Viasat explained in a blog post earlier this week that the outage was localised to “a single consumer-oriented partition of the KA-SAT network that is operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic”.

The satellite broadband operator said it immediately took action to stabilise and secure the network, and that the issue was largely rectified within hours and fully resolved within several days.

Viasat is still working with a number of international agencies to investigate the cyberattack but says it identified “a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network.”

The attacker used their access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. The destructive commands rendered the modems unable to access the network by overwriting key data in flash memory on the units.
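As an added defender-side example (not code from the article, Viasat or SentinelOne), the script below flags the pattern described above: a single source inside the management segment reaching an unusually large number of distinct modems within a short time window. The log format, hostnames and modem identifiers are constructed assumptions.

```python
"""Flag a burst of management commands fanning out to many modems."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real Viasat/Skylogic data). Assumed format:
# "<ISO timestamp> src=<operator host> cmd=<command> target=<modem id>"
SAMPLE_LOG = """
2022-02-24T03:00:01Z src=mgmt-ws-07 cmd=get_status target=modem-0001
2022-02-24T03:00:40Z src=mgmt-ws-07 cmd=reboot target=modem-0002
2022-02-24T03:02:10Z src=mgmt-ws-07 cmd=get_status target=modem-0001
2022-02-24T04:10:00Z src=vpn-gw-01 cmd=firmware_update target=modem-1001
2022-02-24T04:10:00Z src=vpn-gw-01 cmd=firmware_update target=modem-1002
2022-02-24T04:10:01Z src=vpn-gw-01 cmd=firmware_update target=modem-1003
2022-02-24T04:10:01Z src=vpn-gw-01 cmd=firmware_update target=modem-1004
2022-02-24T04:10:02Z src=vpn-gw-01 cmd=firmware_update target=modem-1005
2022-02-24T04:10:02Z src=vpn-gw-01 cmd=firmware_update target=modem-1006
"""


def parse_line(line):
    """Turn one log line into {'ts': datetime, 'src': ..., 'cmd': ..., 'target': ...}."""
    parts = line.split()
    event = dict(tok.split("=", 1) for tok in parts[1:])
    event["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_fanout(log_text, window_seconds=60, threshold=5):
    """Return {src: peak distinct modems} for sources that, within any sliding
    window of window_seconds, issued commands to at least `threshold` modems."""
    events = sorted((parse_line(l) for l in log_text.strip().splitlines()),
                    key=lambda e: e["ts"])
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)
    alerts = {}
    for src, evs in per_src.items():
        window, peak = deque(), 0
        for e in evs:
            window.append(e)
            # Evict events older than the window relative to the newest event.
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({w["target"] for w in window}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in detect_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {count} distinct modems within 60s")
```

Tune the threshold to the operator's normal batch size; a legitimate bulk maintenance job should be a known, scheduled source rather than an ad-hoc host reached through a VPN appliance.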

Cybersecurity firm SentinelOne undertook a deeper analysis of the cyberattack.

SentinelOne said that Viasat’s statement “provides a somewhat plausible but incomplete description of the attack” and that “spillover from this attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control.”

The cybersecurity firm discovered an ELF MIPS malware designed to wipe modems and routers was used for the attack. The company has called the malware AcidRain.

“We assess with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government,” explained SentinelLabs researchers Juan Andres Guerrero-Saade and Max van Amerongen.

Viasat has since confirmed that SentinelOne’s research was consistent with its own findings that a “destructive executable” was “run on the modems using a legitimate management command”.

The spillover of the cyberattack that impacted wind turbines in Germany is particularly concerning. Had it hit something more critical, there could have been a serious escalation. NATO has been clear that a cyberattack on a member could trigger a collective response from the alliance.

SentinelOne notes that AcidRain is the seventh wiper malware associated with Russia’s invasion of Ukraine.
