Viasat cyberattack linked to Russian state-sponsored hackers
The attack on a US satellite broadband services provider that affected thousands of wind turbines in Germany is now linked to Russian government-sponsored hackers.
Following an attack on Viasat’s KA-SAT network, wiper malware was executed inside customers' routers. By overwriting essential data in the modems' internal memory, the malware rendered tens of thousands of modems across Europe useless. The incident took place on 24th February – the exact date when Russia invaded Ukraine.
"While most users were unaffected by the incident, the cyberattack did impact several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe," Viasat said in a statement.
The incident impacted modem service in Italy and France and cut off remote access to approximately 5,800 wind turbines in Germany operated by Enercon, which used the company’s routers for remote control.
A month later, SentinelLabs researchers discovered ‘AcidRain,’ new ELF MIPS malware designed to wipe modems and routers, which is now linked to the attack on the provider.
"The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers. A wiper for this kind of device would overwrite key data in the modem’s flash memory, rendering it inoperable and in need of reflashing or replacing," the researchers said.
Although the link between Russia and the new malware is inconclusive, the researchers believe that there are similarities between the components of AcidRain and VPNFilter, a modular malware attributed to the Russian GRU. This would make AcidRain the 7th wiper malware associated with the Russian invasion of Ukraine.
"We assess with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government," Guerrero-Saade and Van Amerongen wrote.