Dive Brief:
- Researchers have linked a newly discovered Russian wiper malware to the sophisticated cyberattack against the Viasat KA-SAT network in late February, as Russia invaded Ukraine.
- SentinelOne researchers said the malware, which they call AcidRain, is designed to erase data from modems and routers and would be the seventh form of wiper malware linked to the Russian attack against Ukraine.
- The attack disrupted service to several thousand satellite broadband customers in Ukraine and tens of thousands of fixed broadband customers across Europe, according to Viasat.
Dive Insight:
Viasat earlier this week said the attack was localized to a consumer-oriented part of the KA-SAT network operated by Skylogic, a unit of Eutelsat.
The attacks began on Feb. 24, when high volumes of malicious traffic were found in SurfBeam2 and SurfBeam2+ modems and customer equipment in Ukraine, according to Viasat.
An investigation showed a ground-based attack exploited a misconfigured VPN appliance and gained access to a trusted management segment of the KA-SAT network, and then began executing commands to overwrite data in flash memory. The modems were unable to access the network, but not permanently damaged.
Researchers for SentinelOne, however, said the Viasat explanation did not entirely explain what happened and argued the threat actor used the KA-SAT management mechanism as part of a supply chain attack.
"In our estimation, the primary goal of the attacker was to render modems inoperable for an entire swath of customers," Juan Andres Guerrero-Saade told Cybersecurity Dive via email. "Given the timing, it's easier to assume that they intended to hit aspects of military command and control in Ukraine."
He pointed to the impact on thousands of wind turbines operated by Germany's Enercon as a likely spillover from the attack.
A separate security researcher, Ruben Santamarta, has also examined how the threat actor exploited the SurfBeam modems.
Enercon is still investigating the damage to its hardware, according to a spokesperson. About 85% of the affected turbines are back online.
The research underscores a warning from the FBI and the Cybersecurity and Infrastructure Security Agency about possible cyberattacks against satellite communications providers.
A spokesperson for Mandiant confirmed the company is working with Viasat to investigate the attack, but provided no details.
What remains unclear is whether the Biden administration has officially attributed the attack to any particular threat actor or nation-state.
Biden previously warned that an attack against U.S. critical infrastructure would lead to a U.S. response. However, because this attack was directed at Ukraine and impacted European customers, it is not clear whether or how the U.S. or NATO might respond.
CISA referred questions about attribution to the National Security Council. NSC officials did not immediately respond.