The cyberattack that targeted the KA-SAT satellite broadband service on February 24, wiping SATCOM modems, used a newly discovered data wiper that erases routers and modems, affecting thousands in Ukraine and tens of thousands more across Europe. Researchers at SentinelOne have dubbed the malware AcidRain. It is designed to brute-force device file names and delete any file it can discover, which makes it easy to repurpose in future attacks.
According to SentinelOne, this could indicate the attackers’ lack of familiarity with the filesystem and firmware of the targeted devices, or their desire to create a reusable tool.
AcidRain was discovered on March 15 after being uploaded as a 32-bit MIPS ELF binary with the filename “ukrop” to the VirusTotal malware analysis platform from an IP address in Italy.
Once installed, it scans the whole filesystem of the infected router or modem. It wipes flash memory, SD/MMC cards, and any virtual block devices it can discover, utilizing all device identifiers available.
“The program wipes the filesystem and various known storage device files completely. AcidRain executes an initial recursive overwrite and delete of non-standard files in the filesystem if the malware is launched as root,” SentinelOne threat researchers Juan Andres Guerrero-Saade and Max van Amerongen revealed.
The wiper overwrites file contents with up to 0x40000 bytes (256 KiB) of data, or issues the MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB input/output control (IOCTL) calls to erase data on infected devices.
AcidRain wipes the device’s data and then reboots it, leaving it inoperable.
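A static triage heuristic built from the traits described above, added here as an example (it is not SentinelOne's or Viasat's code): it checks whether a sample is a 32-bit MIPS ELF and whether it embeds references to the storage device nodes such a wiper targets (MTD flash, SD/MMC, SCSI/SATA and loop block devices). The device-path prefixes are an assumption based on standard Linux naming, and the sample bytes are constructed, not the real binary.

```python
import re
import struct
from typing import List, Optional

EM_MIPS = 8  # e_machine value for MIPS in the ELF header
# Assumed Linux device-node prefixes for the storage classes the article names.
DEVICE_PREFIXES = ("/dev/mtd", "/dev/mtdblock", "/dev/mmcblk", "/dev/sd", "/dev/loop")


def elf_info(blob: bytes) -> Optional[dict]:
    """Return class, endianness and machine from the ELF header, or None if not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(blob[4])          # EI_CLASS
    endian = {1: "<", 2: ">"}.get(blob[5])      # EI_DATA
    if bits is None or endian is None:
        return None
    (machine,) = struct.unpack(endian + "H", blob[18:20])  # e_machine
    return {"bits": bits, "big_endian": endian == ">", "machine": machine}


def device_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Extract printable ASCII strings and keep those naming a storage device node."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        s = m.group().decode("ascii")
        if s.startswith(DEVICE_PREFIXES):
            found.append(s)
    return found


def triage(blob: bytes) -> dict:
    """Flag a binary as wiper-like: MIPS32 ELF plus several storage device references."""
    info = elf_info(blob)
    devs = device_strings(blob)
    mips32 = bool(info) and info["bits"] == 32 and info["machine"] == EM_MIPS
    return {"mips32": mips32, "device_refs": devs,
            "wiper_like": mips32 and len(set(devs)) >= 3}


# Constructed sample: a minimal big-endian MIPS32 ELF header followed by the
# kind of device-node strings a block-device wiper embeds. Not the real sample.
SAMPLE = (b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + struct.pack(">HH", 2, EM_MIPS)
          + b"\x00" * 32
          + b"\x00/dev/mtdblock0\x00/dev/mmcblk0\x00/dev/sda\x00/dev/loop0\x00")

if __name__ == "__main__":
    print(triage(SAMPLE))
```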
In Ukraine, it’s been used to erase satellite modems
SentinelOne believes the AcidRain malware was designed specifically for an operation against Ukraine and was likely used to delete modems in the KA-SAT hack, based on the name of the file uploaded to VirusTotal, which might be an acronym for “Ukraine Operation.”
“In a supply-chain assault, the threat actor leveraged the KA-SAT management mechanism to push a wiper built for modems and routers,” SentinelOne speculated.
“A wiper for this type of device would delete important data in the modem’s flash memory, leaving it useless and necessitating reflashing or replacement.”
This is in direct contradiction to a Viasat incident report on the KA-SAT event, which stated that “no evidence of any compromise or manipulation with Viasat modem software or firmware images, and no indication of any supply-chain interference” was discovered.
SentinelOne’s theory was validated by Viasat, which said the data-destroying malware was installed on modems via “legal management” instructions.
“The SentinelLabs analysis of the ukrop binary is consistent with the facts in our report,” a Viasat representative told BleepingComputer. “Specifically, SentinelLabs detects the damaging executable that was launched on the modems using a valid management command as Viasat previously indicated.”
“When this inquiry is finished, we expect to be able to share further forensic details.”
Security researcher Ruben Santamarta validated the use of AcidRain to erase modems when he dumped the flash memory of a SATCOM modem that had been compromised in the KA-SAT attack.
As SentinelOne points out, Santamarta’s destructive pattern mirrors the output of AcidRain’s overwriting wiper approach.
The fact that Viasat has supplied almost 30,000 modems to get clients back online since the February 2022 assault, and is still shipping more to speed up service restoration, suggests that SentinelOne’s supply-chain attack scenario is correct.
The IOCTLs used by this virus also resemble those used by the VPNFilter malware ‘dstr’ wiper plugin, a destructive program linked to Russian GRU hackers (Fancy Bear or Sandworm).
This is the year’s seventh data wiper employed against Ukraine.
AcidRain is the seventh data wiper to be used in attacks against Ukraine since the beginning of the year.
The Ukrainian Computer Emergency Response Team recently stated that a data wiper known as DoubleZero has been used in assaults on Ukrainian businesses.
ESET discovered a data-wiping virus called HermeticWiper, which was employed against enterprises in Ukraine together with ransomware decoys, one day before the Russian invasion of Ukraine began.
On the same day that Russia invaded Ukraine, they found IsaacWiper, a data wiper, and HermeticWizard, a new worm that dropped HermeticWiper payloads.
ESET has discovered a fourth data-destroying malware strain called CaddyWiper, which wipes data across Windows domains and deletes user data and partition information from attached drives.
Ukraine’s State Service for Communications and Information Protection (CIP) discovered a fifth wiper called WhisperKill, which reused 80% of the code from the Encrpt3d Ransomware (also known as WhiteBlackCrypt Ransomware).
Microsoft discovered a sixth wiper, now known as WhisperGate, in mid-January; it was being used in data-wiping operations against Ukraine while masquerading as ransomware.
After the news was published, a spokeswoman for Viasat issued the following statement:
Yesterday’s Viasat Incident Report contained factual information. SentinelLabs’ examination of the ukrop malware is consistent with the facts in our report; in particular, SentinelLabs detects the damaging executable that was executed on the modems using a valid management command, as Viasat previously disclosed.
“The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network,” according to our report, “and then used this network access to execute legitimate, targeted management commands on a large number of residential modems at the same time.”
We also don’t consider this a supply chain assault or vulnerability. “Viasat has no indication that ordinary modem software, firmware distribution, or update methods utilized in routine network operations were employed or compromised in the attack,” we said. “There is no evidence that any end-user data was accessed or compromised,” the company adds.
We are unable to publicly release full forensic details of the occurrence due to the current investigation and to protect our systems from further assault. We have been cooperating with numerous law enforcement and government authorities throughout the world that have had access to information on the incident throughout this process, and we will continue to do so.
When the investigation is finished, we anticipate being able to share further forensic information.