Tens of thousands of Viasat satellite broadband modems that were disabled in a cyber-attack late last month were wiped by malware with links to the Russian government’s destructive VPNFilter, according to SentinelOne.
On February 24, as Russian troops invaded Ukraine, Viasat terminals in Ukraine and Europe were suddenly and unexpectedly knocked offline and rendered inoperable. This caused, among other things, thousands of wind turbines in Germany to lose satellite internet connectivity needed for remote monitoring and control.
Earlier this week, Viasat provided some details about the security incident: it blamed a poorly configured VPN appliance, which allowed an attacker to access a trusted management segment of Viasat’s KA-SAT satellite network.
The broadband provider said the intruder explored its internal network until they were able to instruct subscribers’ modems to overwrite the devices’ flash storage, requiring a factory reset to restore the equipment. We were told:
How exactly these modems had their memory overwritten wasn’t said. According to the research arm of SentinelOne, though, it may have been wiper malware deployed to the devices as a malicious firmware update from Viasat’s compromised backend. This conclusion is based on a suspicious-looking MIPS ELF binary named “ukrop” that was uploaded to VirusTotal on March 15.
“Only the incident responders in the Viasat case could say definitively whether this was in fact the malware used in this particular incident,” SentinelLabs’ Juan Andres Guerrero-Saade and Max van Amerongen wrote on Thursday.
After analyzing Viasat’s “somewhat plausible but incomplete” explanation of the cyber-attack, the two researchers came up with an hypothesis:
The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers. A wiper for this kind of device would overwrite key data in the modem’s flash memory, rendering it inoperable and in need of reflashing or replacing.
Viasat did not provide technical indicators-of-compromise nor a full incident response report, the researchers noted. Instead, the satellite biz said malicious commands disrupted modems in Ukraine and other European countries. The SentinelLabs duo questioned how legitimate commands could cause this level of modem chaos. “Scalable disruption is more plausibly achieved by pushing an update, script, or executable,” the researchers said.
They suggest the newly discovered malware, which they dubbed AcidRain, could do the trick.
And it turns out, SentinelOne was correct. In a statement, Viasat said the researchers’ hypothesis “is consistent with the facts in our report … SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described.”
Once pushed to and running on a SATCOM modem, the malware took a fairly brute-force approach to wiping the device’s storage memory, which SentinelLabs says could mean that whoever deployed the software nasty wasn’t very familiar with the firmware on the Viasat gateways — or they wanted to keep AcidRain generic enough so they can reuse it against other equipment.
“If the code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the filesystem,” Guerrero-Saade and van Amerongen wrote.
Next, AcidRain tried to destroy data on any present SD cards, flash memory, virtual block devices, and other resources. It either overwrote device files with up to 262,144 bytes of data, or it used a system call for device-specific input/output operations to erase information.
Finally, the malware ran an fsync system call to ensure its changes were committed. AcidRain rebooted the device once it completed its data wiping processes, and “this results in the device being rendered inoperable,” the researchers wrote.
This makes AcidRain the seventh publicly known wiper associated with the Russian invasion of Ukraine. But recent history aside, wiper malware is pretty rare, and wipers aimed at routers, modems, or IoT devices is even more unusual, SentinelLabs admitted.
VPNFilter connection?
There is a notable exception, however, and that’s the 2018 VPNFilter malware developed by the Kremlin-linked Sandworm crew. Discovered by Cisco’s Talos unit, this software nasty targeted routers and storage devices.
“The reason we bring up the specter of VPNFilter is not because of its superficial similarities to AcidRain but rather because of an interesting (but inconclusive) code overlap between a specific VPNFilter plugin and AcidRain,” the SentinelLabs pair wrote.
The tlsh fuzzy hashing matching library puts the VPNFilter plugin and AcidRain sample similarity at 55 percent. Additionally, both VPNFilter and AcidRain are MIPS ELF binaries, and “the bulk of their shared code appears to stem from statically-linked libc,” the security shop explained, adding that the malware may also share a compiler. Plus, they both use MEMGETINFO, MEMUNLOCK, and MEMERASE system calls to erase mtd device files. AcidRain clearly targets Linux-flavored devices powered by MIPS processors.
VPNFilter and AcidRain have “notable differences,” the SentinelLabs researchers wrote. AcidRain “appears to be a far sloppier product that doesn’t consistently rise to the coding standards of the former,” Guerrero-Saade and van Amerongen said, noting the newer binary’s repetition and redundant use of process forking.
While AcideRain used brute force, which may allow it to be re-used successfully on multiple device models, VPNFilter took a more targeted approach to devices with hardcoded paths.
“While we cannot definitively tie AcidRain to VPNFilter (or the larger Sandworm threat cluster), we note a medium-confidence assessment of non-trivial developmental similarities between their components,” the researchers concluded.
They also urged other security researchers to “continue to contribute their findings in the spirit of collaboration that has permeated the threat intelligence industry over the past month.” ®