Viasat satellite internet modems hit by wiper malware
Viasat has confirmed that modems for its KA-SAT satellite internet service were hit in February by AcidRain, a newly discovered wiper malware designed to destroy files.
The AcidRain attack was analysed by SentinelLabs researchers, and Viasat later confirmed their findings to Bleeping Computer. AcidRain was discovered on March 15, after a sample of the malware was uploaded to VirusTotal from an Italian IP address. The sample on VirusTotal was named ‘ukrop’. SentinelLabs’ hypothesis is that this stands for ‘Ukraine Operation’, but the researchers say this has not been confirmed.
Viasat wrote earlier this week that its network was breached via a misconfigured VPN appliance, which gave the attackers access to the trusted management segment of Viasat’s KA-SAT network. That access was used to run a ‘destructive executable’ on the modems by means of a ‘legitimate control command’, Viasat said.
That destructive executable is AcidRain, writes SentinelLabs, which also explains how the wiper works. The malware wipes the file system and any attached storage devices on the user’s modem: it attempts to open a range of storage media (listed in the table below) and destroys the data on each one it can access. After that the modem reboots and is left unusable.
The identity of the perpetrators is not yet known, the SentinelLabs researchers write. The attack on the Viasat network coincided with the start of the Russian invasion of Ukraine on February 24. It targeted the ground infrastructure of Viasat’s KA-SAT network, which provides satellite internet to European customers. Since the start of the war, several wiper attacks have been carried out against Ukraine; AcidRain is the seventh such example, SentinelLabs writes. Analysts from US intelligence agencies had reportedly already concluded that Russia was behind the attack on Viasat, sources told The Washington Post.
Storage media targeted by AcidRain (via SentinelLabs)

| Device | Description |
| --- | --- |
| /dev/sd* | A generic block device |
| /dev/mtdblock* | Flash memory (common in routers and IoT devices) |
| /dev/block/mtdblock* | Another possible way to access flash memory |
| /dev/mtd* | The flash memory device file that supports fileops |
| /dev/mmcblk* | For SD or MMC cards |
| /dev/block/mmcblk* | Another way to access SD or MMC cards |
| /dev/loop* | Virtual block devices |
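The behaviour described above, a single process opening one storage device node after another for writing, is something a defender can look for on an embedded device or in centrally collected syscall logs. The following is an added example written for this article, not code from SentinelLabs or Viasat: it takes the device globs from the table, matches them against constructed audit-style log lines (the line format, process names and PIDs are invented for the example, not a real auditd format), keeps only write-opens of listed device nodes by processes outside an allowlist, and flags any PID that touches several distinct storage classes, which is the wiper pattern the article describes rather than the single-device write a firmware updater would perform.

```python
import fnmatch
import re

# Device globs from the SentinelLabs table on this page, in match order
# (more specific globs first so /dev/mtdblock* is tried before /dev/mtd*).
ACIDRAIN_DEVICE_GLOBS = {
    "/dev/sd*": "generic block device",
    "/dev/mtdblock*": "flash memory (routers/IoT)",
    "/dev/block/mtdblock*": "flash memory (alternate path)",
    "/dev/mtd*": "flash memory char device",
    "/dev/mmcblk*": "SD/MMC card",
    "/dev/block/mmcblk*": "SD/MMC card (alternate path)",
    "/dev/loop*": "virtual block device",
}

WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}

# Constructed log format for this example (NOT a real auditd layout):
# <timestamp> pid=<n> comm=<name> syscall=<name> flags=<A|B> path=<path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) "
    r"syscall=(?P<sc>\w+) flags=(?P<flags>\S+) path=(?P<path>\S+)$"
)

# Constructed sample lines: pid 1432 shows the multi-device pattern,
# pid 911 is a hypothetical firmware updater writing a single flash partition,
# the rest are read-only or non-device opens that must not be flagged.
SAMPLE_LOG = [
    "2022-02-24T04:02:00Z pid=911 comm=fw_update syscall=openat flags=O_WRONLY path=/dev/mtd1",
    "2022-02-24T04:02:01Z pid=1432 comm=unknown_bin syscall=openat flags=O_RDWR path=/dev/mtdblock0",
    "2022-02-24T04:02:01Z pid=1432 comm=unknown_bin syscall=openat flags=O_RDWR path=/dev/mmcblk0",
    "2022-02-24T04:02:02Z pid=1432 comm=unknown_bin syscall=openat flags=O_RDWR path=/dev/sda",
    "2022-02-24T04:02:02Z pid=1432 comm=unknown_bin syscall=openat flags=O_RDWR path=/dev/loop0",
    "2022-02-24T04:02:03Z pid=2001 comm=cat syscall=openat flags=O_RDONLY path=/dev/mtd0",
    "2022-02-24T04:02:03Z pid=2002 comm=sh syscall=openat flags=O_WRONLY|O_CREAT path=/tmp/log.txt",
]


def classify_device(path):
    """Return the table description for a device path, or None if it is not listed."""
    for glob, desc in ACIDRAIN_DEVICE_GLOBS.items():
        if fnmatch.fnmatchcase(path, glob):
            return desc
    return None


def parse_line(line):
    """Parse one constructed log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["flags"] = set(ev["flags"].split("|"))
    return ev


def find_raw_device_writes(lines, allowlist=()):
    """Return (pid, comm, path, description) for every write-open of a listed
    device node by a process whose name is not in the allowlist."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["sc"] not in ("open", "openat"):
            continue
        if not ev["flags"] & WRITE_FLAGS:
            continue
        desc = classify_device(ev["path"])
        if desc is None or ev["comm"] in allowlist:
            continue
        hits.append((ev["pid"], ev["comm"], ev["path"], desc))
    return hits


def flag_wiper_pattern(hits, min_classes=3):
    """Return the sorted PIDs that wrote to at least min_classes distinct storage
    classes: one process sweeping across device types is the behaviour described
    in the article, whereas a legitimate updater normally touches a single class."""
    classes_by_pid = {}
    for pid, _comm, _path, desc in hits:
        classes_by_pid.setdefault(pid, set()).add(desc)
    return sorted(pid for pid, classes in classes_by_pid.items() if len(classes) >= min_classes)


if __name__ == "__main__":
    found = find_raw_device_writes(SAMPLE_LOG, allowlist=("fw_update",))
    for hit in found:
        print("write-open of storage device:", hit)
    print("PIDs matching the multi-device wiper pattern:", flag_wiper_pattern(found))
```

The allowlist is deliberately a second filter rather than the only one: even with the hypothetical updater removed from it, `flag_wiper_pattern` still ignores pid 911 because it writes a single flash class, while pid 1432 is flagged for touching four. Anyone adapting this to a real device would replace the constructed line format with their actual audit or eBPF event source and keep the rest.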