Attack on Viasat Modems May Be Rooted in Wipeout Malware Deployed Through Supply Chain
Written by AJ Vicens
The malware used on February 24 to hamper thousands of modems in an effort to disrupt Ukrainian communication networks could be a wiper delivered via a supply chain attack, according to SentinelOne threat intelligence researchers.
Thursday’s findings, based on an analysis of malware dubbed “AcidRain” that researchers believe may have been involved in the Viasat hack, at least partially contradict the statement released Wednesday by Viasat, the California-based company whose modems were targeted in connection with the February 24 incident.
Viasat told CyberScoop Thursday that, while limited in the details it can share, it does not believe the Feb. 24 incident was a supply chain attack and stands by its previous statement.
Viasat’s statement claimed that a misconfigured virtual private network (VPN) associated with a third-party contractor allowed attackers to access a key block of modems and issue “destructive” but “legitimate” “targeted management commands,” which made the devices “unable to access the network, but not permanently unusable.”
The conclusions implied by Viasat’s statement are “difficult to reconcile,” wrote SentinelOne researchers Juan Andrés Guerrero-Saade and Max van Amerongen, adding that “it remains unclear how legitimate commands could have such a disruptive effect on modems.”
The scale of disruption that occurred in the Viasat modem hack is “more plausibly achieved by pushing an update, script, or executable,” the researchers said.
With that in mind, their “alternative hypothesis” is that the hackers pulled off a “supply chain attack to push a wiper designed for modems and routers.” The analysis also showed potential similarities between AcidRain and VPNFilter, a botnet malware previously linked to Russian hackers.
Researchers found the malicious code after it was uploaded on March 15 to VirusTotal, a repository of malware samples for analysis, under the name “ukrop.” The malware’s behavior matched other public scans purporting to be from two of the affected modems, SentinelOne said.
“Worthy of in-depth analysis”
“The Viasat modem hack is perhaps the most impactful attack in the Russian invasion of Ukraine to date,” Guerrero-Saade told CyberScoop on Thursday. “Its ripple effects on Germany alone are a disturbing byproduct of negligently executed cyber operations. AcidRain is an example of a troubling nation-state capability, worthy of careful analysis, and one that should give us pause.”
Viasat specifically noted in its statement Wednesday that it had “no evidence of supply chain interference” and that there is “no evidence that standard modem software or firmware disruption or update processes involved in normal network operations were used or compromised in the attack.”
In response to questions about SentinelOne’s analysis on Thursday, a Viasat spokesperson said SentinelOne’s report “regarding the ukrop binary is consistent with the facts of our report.” Viasat does not “consider this a supply chain attack or vulnerability,” the statement added, reiterating the previous statement that the company had no evidence of a supply chain attack.
“Due to the ongoing investigation and to keep our systems safe from ongoing attacks, we cannot publicly share full forensic details of the event,” the statement said. “Throughout this process, we have cooperated and continue to cooperate with various law enforcement agencies and government agencies around the world, who have had access to details of the event.”
The company said it plans to “provide additional forensic details” once the investigation is complete.
A spokesperson for Mandiant, the cybersecurity firm working with Viasat to investigate the attack, declined to comment.
SentinelOne’s analysis, if accurate, would make AcidRain the seventh incident of wiper malware used since the start of 2022 as part of Russia’s preparation for the invasion of Ukraine and of the military attack that followed. The wiper attacks have been among the most serious cyber incidents so far in a war where digital operations have played a supporting role to traditional kinetic military actions.
If AcidRain was involved in the Viasat hack, “then the attack is much more creative and aggressive in its execution,” said Thomas Rid, founding director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University, “because it would involve some form of supply chain compromise and custom malware in the form of a modem wiper.”
The hardware and the fallout
The company reported that early in the morning of February 24, parts of its infrastructure in Europe were being targeted by “high volumes of targeted and malicious traffic”, making it difficult for “many” modems to stay online. Around the same time, Viasat noticed “a gradual decline” in the number of modems online. “Ultimately, tens of thousands of modems” dropped off the network in a situation that “impacted the majority of previously active modems in Ukraine, and a substantial number of additional modems in other parts of Europe”.
The modem outage had ripple effects, including disrupting a German energy supplier’s ability to communicate with 5,800 wind turbines in central Europe. A senior Ukrainian cybersecurity official told reporters on March 15 that the attack had caused “a huge loss of communications at the very beginning of the war,” and said he did not need much investigation to assume that it was a Russian operation.
The US government has yet to officially attribute the hackers behind the attack, but unnamed “US officials” told the Washington Post it was the work of the Russian army.
Thursday’s SentinelOne analysis adds what may be additional corroborating evidence supporting a Russian link. The researchers note that AcidRain has “interesting (but not conclusive) code overlap” with botnet malware known as “VPNFilter,” which the U.S. Department of Justice alleged in 2018 was a Russian effort used to infect routers.
SentinelOne researchers note that VPNFilter had an array of features ranging from credential theft to the ability to wipe and brick devices or flood a target with bogus traffic to render it unusable in a denial-of-service attack, such as the one described by Viasat.
Beyond the similarities in function, the researchers note some code overlap between AcidRain and VPNFilter, although AcidRain “appears to be a much sloppier product that doesn’t consistently follow VPNFilter’s coding standards.”