UPDATED 21:50 EST / MARCH 31 2022


New form of data wiper malware linked to attack on Viasat

A newly discovered form of data wiper malware has been linked to an attack that caused widespread outages on the Viasat satellite internet service last month.

The Viasat KA-SAT network was partially disrupted on Feb. 24, days after Russia invaded Ukraine. The attack affected several thousand customers in Ukraine and tens of thousands of customers across Europe. The attack also caused an outage of 5,800 wind turbines in Germany because of their reliance on remote monitoring using Viasat.

Russian hackers were suspected of being behind the attack from the start, but more details have now come to light. Security researchers at SentinelOne Inc. today detailed new malware they have dubbed “AcidRain,” describing it as a modem wiper that rained down on Europe. AcidRain is Executable and Linkable Format (ELF) malware designed to wipe modems and routers.

AcidRain has developmental similarities to a VPNFilter stage 3 destructive plugin. VPNFilter was a form of malware used in attacks in 2018 and has been linked by the U.S. Federal Bureau of Investigation and the Department of Justice to the Russian government.

Viasat officially denies that malware was involved. In a blog post yesterday, the company said it had found “no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference” in the attack. It further claimed that the disruption was caused by an attacker using internal network access “to execute legitimate, targeted management commands on a large number of residential modems simultaneously.”

Viasat claims that the attacker’s destructive command overwrote data in flash memory in the modems, rendering the modems unable to access the network but not permanently unusable.

The SentinelOne researchers disagree and say the threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers. The AcidRain wiper, in this case, overwrites key data in the modem’s flash memory, rendering it inoperable and in need of reflashing or replacing.

“Despite Viasat’s statement claiming that there was no supply-chain attack or use of malicious code on the affected routers, we posit the more plausible hypothesis that the attackers deployed AcidRain (and perhaps other binaries and scripts) to these devices in order to conduct their operation,” the researchers concluded.

Chris Hallenbeck, chief information security officer for the Americas at cybersecurity and systems management company Tanium Inc., told SiliconANGLE that the risk is that an attack such as this can spread further than its original target.

“Avoiding the fallout of an errant cyberattack that adversely affects other nations is an important consideration for the Kremlin,” Hallenbeck said. “The Russian military regime is unlikely to risk an overt confrontation with NATO, and an uncontained cyberattack that accidentally impacts a member has the potential to change the entire dynamic of the war in an instant.”

The use of destructive malware can prove difficult to contain and go far beyond its intended purpose, Hallenbeck added. “The now infamous Stuxnet attack, for example, was discovered because the malware exceeded its intended targets, but it was designed well enough to prevent its disruptive capabilities from running rampant.”

But he noted that as the conflict with Ukraine evolves, the risk/reward calculation by Russia could shift toward less concern for potential consequences. “Fortunately, we don’t seem to be there yet, but there should be a keen sense of awareness that Russia has a mature and capable computer network operations program that makes this a credible threat,” he said.
