Modem-wiping malware caused Viasat satellite broadband outage in Europe

Tens of thousands of Viasat satellite broadband modems disabled in a cyber-attack some weeks ago were wiped by malware with possible links to Russia's destructive VPNFilter, according to SentinelOne.

On February 24, as Russian troops invaded Ukraine, Viasat terminals in Europe and Ukraine were suddenly and unexpectedly knocked offline and rendered inoperable. This caused, among other things, thousands of wind turbines in Germany to lose satellite internet connectivity needed for remote monitoring and control.

Earlier this week, Viasat provided some details about the outage: it blamed a poorly configured VPN appliance, which allowed a miscreant to access a trusted management segment of Viasat's KA-SAT satellite network.

The broadband provider said this intruder then explored its internal network until they were able to instruct subscribers' modems to overwrite their flash storage, requiring a factory reset to restore the equipment. We were told:

How exactly these modems had their memory overwritten wasn't said. According to the research arm of SentinelOne, though, it may have been wiper malware deployed to the devices as a malicious firmware update from Viasat's compromised backend. This conclusion was based on a suspicious-looking MIPS ELF binary named "ukrop" that was uploaded to VirusTotal on March 15.

"Only the incident responders in the Viasat case could say definitively whether this was in fact the malware used in this particular incident," SentinelOne's Juan Andres Guerrero-Saade and Max van Amerongen wrote on Thursday.

After analyzing Viasat's "somewhat plausible but incomplete" explanation of the cyber-attack, the two researchers came up with this hypothesis:

The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers. A wiper for this kind of device would overwrite key data in the modem's flash memory, rendering it inoperable and in need of reflashing or replacing.

Viasat did not provide technical indicators-of-compromise nor a full incident response report, the researchers noted. Instead, the satellite biz said malicious commands disrupted modems in Ukraine and other European countries. The SentinelOne duo questioned how legitimate commands could cause this level of modem chaos. "Scalable disruption is more plausibly achieved by pushing an update, script, or executable," the researchers said. 

They suggest the ukrop executable, which they dubbed AcidRain, could do the trick.

And it turns out, SentinelOne's lab was correct. In a statement, Viasat said the researchers' hypothesis was "consistent with the facts in our report ... SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described."

So, by destructive commands, Viasat meant: modems were commanded by their compromised support servers to run destructive malware.

• Viasat spills on the Russian attack, warns of continued risks
• Cyclops Blink malware sets up shop in ASUS routers
• Expect 'long tail of cyber retaliation' from Russia for sanctions, says ExtraHop CEO
• Detailed: Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT

Once pushed to and running on a SATCOM modem, AcidRain took a fairly brute-force approach to wiping a device's storage memory. SentinelOne said that could mean whoever deployed the software nasty wasn't 100 percent certain of the firmware layout on the Viasat gateways — or they wanted to keep AcidRain generic enough so they could reuse it against other equipment without much or any modification.

"If the code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the filesystem," Guerrero-Saade and van Amerongen wrote.

Next, AcidRain tried to destroy data on any present SD cards, flash memory, virtual block devices, and other resources. It either wrote up to 262,144 bytes to each device file to trash its data, or it used a system call for device-specific input/output operations to erase information.

Finally, the malware ran an fsync system call to ensure its changes were committed. AcidRain rebooted the device once it completed its data wiping processes, and "this results in the device being rendered inoperable," the researchers wrote.

This makes AcidRain the seventh publicly known wiper associated with the Russian invasion of Ukraine. Recent history aside, wiper malware is rare, and wipers aimed at routers, modems, or IoT devices is even more unusual, the SentinelOne team said.

VPNFilter connection?

There is a notable exception, however, and that's the 2018 VPNFilter malware developed by the Kremlin-linked Sandworm crew. Discovered by Cisco's Talos unit, this software nasty targeted routers and storage devices.

"The reason we bring up the specter of VPNFilter is not because of its superficial similarities to AcidRain but rather because of an interesting (but inconclusive) code overlap between a specific VPNFilter plugin and AcidRain," the SentinelOne pair wrote.

The tlsh fuzzy hashing matching library put the VPNFilter plugin and AcidRain sample similarity at 55 percent. Additionally, both VPNFilter and AcidRain are MIPS ELF binaries, and "the bulk of their shared code appears to stem from statically-linked libc," the security shop explained, adding that the malware may also share a compiler. Plus, they both use MEMGETINFO, MEMUNLOCK, and MEMERASE system calls to erase mtd device files. AcidRain clearly targets Linux-flavored devices powered by MIPS processors.

VPNFilter and AcidRain have "notable differences," the SentinelOne researchers wrote. AcidRain "appears to be a far sloppier product that doesn't consistently rise to the coding standards of the former," Guerrero-Saade and van Amerongen said, noting the newer binary's repetition and redundant use of process forking.

While AcidRain used brute force, which may allow it to be re-used successfully on multiple device models, VPNFilter took a more targeted approach to devices with hard-coded paths.

"While we cannot definitively tie AcidRain to VPNFilter (or the larger Sandworm threat cluster), we note a medium-confidence assessment of non-trivial developmental similarities between their components," the researchers concluded.

They also urged other security researchers to "continue to contribute their findings in the spirit of collaboration that has permeated the threat intelligence industry over the past month." ®