Russian Wiper Malware behind recent Cyberattack on Viasat KA-SAT Modems

Russian wiper malware is the likely culprit behind the recent cyberattack on Viasat KA-SAT Modems.

According to a SentinelOne report, the attackers temporarily knocked Viasat KA-SAT modems offline on February 24, 2022, the same day Russian forces invaded Ukraine, and the outage was most likely caused by the wiper malware.

The US telecom company's investigation found that the attack on the KA-SAT network was multifaceted and deliberate, beginning with a “ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network.”

With that access, the attackers issued destructive commands to tens of thousands of Viasat modems, overwriting key data in the modems' flash memory and temporarily rendering them unable to access the network.

SentinelOne's report states that the new piece of malware was discovered on March 15. It sheds fresh light on the incident: the adversaries gained control over KA-SAT modems by delivering a wiper dubbed AcidRain to the routers, achieving disruption at scale.
According to researchers Juan Andres Guerrero-Saade and Max van Amerongen, AcidRain is a 32-bit MIPS ELF executable that performs an in-depth wipe of the filesystem and of various known storage device files.
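A defender triaging an unpacked modem firmware image or a sample collection first wants to know which files are 32-bit MIPS ELF binaries at all. The following is an added example (not code from SentinelOne or the researchers) that parses the ELF identification header, honouring both MIPS byte orders, and walks a directory for matches; the sample headers are constructed for illustration.

```python
import os
import struct
from typing import Optional

# Constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_MIPS = 8  # e_machine value for MIPS

def parse_elf_header(data: bytes) -> Optional[dict]:
    """Return ELF class, byte order, e_type and e_machine, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        return None
    # MIPS binaries exist in both byte orders, so honour EI_DATA when
    # unpacking the 16-bit e_type and e_machine fields that follow e_ident.
    order = "<" if ei_data == ELFDATA2LSB else ">"
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return {"bits": 32 if ei_class == ELFCLASS32 else 64,
            "endian": "little" if ei_data == ELFDATA2LSB else "big",
            "e_type": e_type, "e_machine": e_machine}

def is_mips32_elf(data: bytes) -> bool:
    """True for a 32-bit MIPS ELF, the binary type the researchers describe."""
    hdr = parse_elf_header(data)
    return hdr is not None and hdr["bits"] == 32 and hdr["e_machine"] == EM_MIPS

def find_mips32_elfs(root: str) -> list:
    """Walk a directory (e.g. an unpacked firmware image) and list matching files."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if is_mips32_elf(fh.read(20)):
                        hits.append(path)
            except OSError:
                continue  # skip unreadable entries such as sockets or broken links
    return sorted(hits)

# Constructed 20-byte sample headers (not real malware): a big-endian MIPS32
# executable and a little-endian x86-64 executable for comparison.
SAMPLE_MIPS32_BE = b"\x7fELF\x01\x02\x01\x00" + b"\x00" * 8 + b"\x00\x02\x00\x08"
SAMPLE_X86_64_LE = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"\x02\x00\x3e\x00"
```

Matching on architecture only narrows the candidate set; the hits still need hashing and analysis before anything is called AcidRain.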

They further added, “If the code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the filesystem.”
On completion of the wiping process, the device is rebooted, rendering it inoperable. AcidRain joins the other wipers uncovered since the start of the year with a connection to the Russia-Ukraine war: WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero.
The researchers also found a code overlap with a third-stage plugin (“dstr”) used in attacks involving VPNFilter, a malware family attributed to the Russian Sandworm (aka Voodoo Bear) group.

In February 2022, intelligence agencies from the UK and the US had already revealed a VPNFilter successor, a replacement framework called Cyclops Blink.
In a statement shared with Ars Technica, Viasat confirmed that the data-destroying malware was deployed on modems using “legitimate management” commands, but refrained from sharing further details, citing an ongoing investigation.
