Critical Infrastructure Security, Governance, Risk and Compliance, Threat Management

SentinelOne finds ties between Viasat hack and Russian actor

Ukrainian servicemen hold a national Ukrainian flag and a cross during the funeral ceremony on March 17, 2022 in Lviv, Ukraine. (Photo by Alexey Furman/Getty Images)

A day after Viasat offered an explanation for a cyberattack causing widespread outages of its equipment at the start of the invasion of Ukraine — just as the Ukrainian military would be leaning on the satellite internet service the most — researchers at SentinelOne offered a contradictory explanation involving wiper malware with significant overlaps to the Russian VPNFilter.

Viasat's KA-SAT network saw significant outages starting on Feb. 24 when operators noticed their satellite modems had been rendered inoperable. It was the most significant apparent cyberattack believed to correspond with the Russian war effort, though six additional sets of wiper attacks, most notably WhisperGate and HermeticWiper, have also been seen in Ukraine since the build-up to the war.

On Wednesday, Viasat wrote in a blog post that it had found "no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference" in the attack. Instead, it said, an attacker had used internal "network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable."

In an exhaustive blog post, SentinelOne said it had found malware likely designed to wipe modems — contradicting the legitimate commands explanation from Viasat.

Juan Andres Guerrero-Saade, one of the researcher behind the SentinelOne report, said even before identifying the likely malware culprit, the Viasat explanation did not make logical sense. He called for Viasat to release more details if they stood by their original explanation.

"I doubt there's any legitimate commands that would overwrite the flash memory of the routers unless you're pushing an update or a binary, which is what they say did not happen. And if that's being done from the management section, that is a supply chain attack, which they also said did not happen," he told SC Media.

Instead, said Guerrero-Saade, a more likely explanation was that the modems were wiped using malware SentinelOne discovered in VirusTotal.

The wiper, which SentinelOne is dubbing "AcidRain," is an ELF 32-bit MSB executable using MIPS uploaded to VirusTotal as Ukrops. SentinelOne discovered the binary looking into the Viasat claims, because the MIPS Elf binaries are a rare find on VirusTotal.

Researchers have documented the state Viasat modems' storage was left in after the cyberattack. AcidRain would leave those modems in an identical state. The wiper overwrites seven sections of storage relevant to IoT devices with decremented data. It is written generally enough that the wiper could be reused in other circumstances after this use.

AcidRain shows overlaps with VPNFilter, malware the FBI linked to the Russian Sandworm APT. There have not been any formal public attributions connecting any of the cyberattacks in Ukraine to Russia, and Guerro-Saade cautions that code overlap is not a strong enough connection to make a formal attribution in this case. But it is one of the more substantial connections found so far between the invading nation and the attacks.

"The connections are not trivial. They are significant," said Guerro-Saade.

The Viasat attack saw some of the most widespread spillover of any cyberattack during the war, affecting modems throughout Europe, including nearly 6,000 wind turbines in Germany. While cyberattacks have been muted in comparison to what Russia has unleashed against Ukraine in the past, potential attacks that may eventually be attributed to Russia are non-negligible.

The Ukrop name seen on the binary could refer to a number of things, according to SentinelOne. It could simply be a shortening of "Ukrainian Operation," a reference to the Ukrainian Association of Patriots or an anglicization of the Russian ethnic slur against Ukranians Укроп. "I hope it's Ukrainian operation," said Guerro-Saade.

AcidRain would be the seventh wiper associated with the invasion of Ukraine.

The FBI and the Cybersecurity and Infrastructure Security Agency have warned United States enterprises to prepare for similar wiper attacks and steel critical infrastructure defenses against other potential Russian aggression.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.