Viasat Hack Tied to Data-Wiping Malware Designed to Shut Down Modems

Security firm SentinelOne says malware known as AcidRain was likely used to take down Viasat's satellite internet network during Russia's invasion of Ukraine.

By Michael Kan, Principal Reporter

Last month’s massive Viasat satellite internet outage has been connected to malware capable of wiping data from modems and routers. 

Cybersecurity firm SentinelOne says it spotted a malware sample that was likely used during the Feb. 24 Viasat hack, which disrupted internet service. The malware, dubbed AcidRain, is a Unix executable program designed to target devices built with the MIPS architecture.

SentinelOne noticed the malware after a sample of AcidRain was uploaded to malware-detection service VirusTotal on March 15. The same sample came from Italy, where SkyLogic, the Viasat operator managing the affected network, is also based. In addition, the malware sample was labeled with the name “ukrop,” a possible reference to Ukraine Operation. 

The computer code executed by AcidRain.

SentinelOne also examined AcidRain and found it can perform “an in-depth wipe of the filesystem and various known storage device files” on an infected modem. The malware will then trigger a reboot, leaving the device inoperable. 

The security firm issued the report a day after Viasat provided more details about the Feb. 24 outage, which occurred right as Russia began to invade Ukraine. The disruption caused thousands of users in Ukraine and tens of thousands more across Europe to temporarily lose internet access.

Viasat’s investigation found the hackers behind the incident exploited a misconfigured VPN device to gain remote access to the satellite internet infrastructure, and then used “legitimate, targeted management commands” across a large number of modems to knock them offline. 

However, Viasat’s investigation made no mention of any data-wiping malware. Instead, the company’s report pointed to “destructive commands” overwriting key data in flash memory on the affected modems, rendering them useless. 

Still, Viasat isn’t denying SentinelOne’s findings about AcidRain. In a statement, the satellite internet provider said: “The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report—specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described.”

It's unclear why Viasat didn’t mention the presence of the data-wiping malware, but it noted: “Due to the ongoing investigation and to ensure the security of our systems from ongoing attack, we cannot publicly share all forensic details of the event. Through this process, we have been, and continue to cooperate with various law enforcement and government agencies around the world, who've had access to details of the event.”

AcidRain represents at least the seventh data-wiping malware strain to target IT systems related to Ukraine. The attacks have targeted numerous companies in the country both before and during Russia’s invasion.

The report from SentinelOne noted AcidRain does have some similarities with another malware strain from 2018 dubbed VPNFilter, which the US suspects came from Russian state-sponsored hackers. “We assess with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin,” SentinelOne added. Reportedly, US intelligence also suspects the hack on Viasat came from Russian military spies.

“We posit that there are noteworthy developmental traits connecting this VPNFilter plugin and AcidRain but do our best not to overhype that idea,” tweeted SentinelOne researcher Juan Andres Guerrero‑Saade. “It's a hypothesis in need of stress testing and we invite the research community to take a look and share their findings.”
