SentinelLabs – the threat intelligence and malware analysis division of SentinelOne – has released its research on the Viasat hack, and a new Russian wiper malware named AcidRain.
· On Thursday, 24th February 2022, a cyber attack rendered Viasat KA-SAT modems inoperable in Ukraine.
· Spillover from this attack left 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control.
· Viasat’s statement on Wednesday, March 30th, 2022 provides a somewhat plausible but incomplete description of the attack.
· Based on Viasat’s preliminary incident report, SentinelLabs postulated an alternative hypothesis: The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers.
· SentinelLabs researchers discovered new malware that they named ‘AcidRain’. AcidRain is an ELF MIPS malware designed to wipe modems and routers, and the researchers assess with medium confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. (In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government.)
· AcidRain is the 7th wiper malware associated with the Russian invasion of Ukraine.