The malware used Feb. 24 to hobble thousands of modems as an effort to disrupt Ukrainian communications networks might be a wiper delivered via a supply-chain attack, according to threat intelligence researchers with SentinelOne.
The findings Thursday — based on an analysis of malware dubbed “AcidRain” the researchers think could have been involved in the Viasat hack — at least partially contradict the statement issued Wednesday by Viasat, the California-based company whose modems were targeted as part of the Feb. 24 incident.
Viasat told CyberScoop on Thursday that while it’s limited in what details it can share, it doesn’t believe the Feb. 24 incident was a supply-chain attack, and stands by its earlier statement.
Viasat’s statement claimed that a misconfigured virtual private network (VPN) associated with a third-party contractor allowed attackers to access a key block of modems and issue “destructive” yet “legitimate, targeted management commands” that rendered the devices “unable to access the network, but not permanently unsuable.”
The conclusions the Viasat statement implied are “difficult to reconcile,” wrote SentinelOne researchers Juan Andrés Guerrero-Saade and Max van Amerongen, adding that “it remains unclear how legitimate commands could have such a disruptive effect on the modems.”
The “scalable disruption” that occurred in the Viasat modem hack is “more plausibly achieved by pushing an update, script, or executable,” the researchers said.
With that in mind, their “alternative hypothesis” is that the hackers pulled off a “supply-chain attack to push a wiper designed for modems and routers.” The analysis also showed potential similarities between AcidRain and VPNFilter, botnet malware previously tied to Russian nation-state hackers.
The researches found the malicious code after it was uploaded March 15 to VirusTotal, a repository of malware samples for analysis, with the name “ukrop.” The behavior of the malware matched other public analysis purporting to be from two of the effected modems, SentinelOne said.
‘Worthy of careful analysis’
“The Viasat modem hack is perhaps the most impactful attack of the Russian invasion of Ukraine so far,” Guerrero-Saade told CyberScoop Thursday. “It’s spillover effects on Germany alone are a troubling byproduct of carelessly executed cyber operations. AcidRain is an example of a troubling nation-state capability, worthy of careful analysis, and one that should give us pause.”
Viasat specifically noted in it its statement Wednesday that it had “no evidence of any supply-chain interference,” and that there’s “no evidence that standard modem software or firmware disruption or update processes involved in normal network operations were used or compromised in the attack.”
In response to questions about SentinelOne’s analysis on Thursday, a Viasat spokesperson said that SentinelOne’s report “regarding the ukrop binary is consistent with the facts in our report.” Viasat doesn’t “view this as a supply chain attack or vulnerability,” the statement added, reiterating the previous statement which said the company had no evidence of a supply-chain attack.
“Due to the ongoing investigation and to ensure the security of our systems from ongoing attack, we cannot publicly share all forensic details of the event,” the statement read. “Through this process, we have been, and continue to cooperate with various law enforcement and government agencies around the world, who’ve had access to details of the event.”
The company said it expects to “provide additional forensic details” when the investigation is complete.
A spokesperson for Mandiant, the cybersecurity firm working with Viasat to investigate the attack, declined to comment.
SentinelOne’s analysis, if accurate, would make AcidRain the seventh incident of wiper malware used since the beginning of 2022 in connection with Russia’s preparation for invading Ukraine and the subsequent military attack. The wiper attacks have been the among the more serious cyber-incidents so far in a war where digital operations have played a supporting role to traditional kinetic military actions.
If AcidRain was involved in the Viasat hack, “then the attack is significantly more creative and aggressive in execution,” said Thomas Rid, the founding director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University, “because it would involve a form of supply-chain-compromise and custom malware in the form of a modem wiper.”
The hardware and the spillover
The company reported that early in the morning of Feb. 24 parts of its infrastructure in Europe were targeted with “high volumes of focused, malicious traffic” making it difficult for “many” modems to stay online. At roughly the same time, Viasat noticed “a gradual decline” in the number of modems online. “Ultimately, tens of thousands of modems” dropped off the network in a situation that “impacted a majority of the previously active modems within Ukraine, and a substantial number of additional modems in other parts of Europe.”
The disruption of the modems had spillover effects such as disrupting the ability for an energy provider in Germany to communicate with 5,800 wind turbines in central Europe. A senior Ukrainian cybersecurity official told reporters March 15 that the attack caused a “huge loss in communications in the very beginning of the war,” and said he didn’t need a lot of investigation to assume that it was a Russian operation.
The U.S. government has yet to formally attribute the hackers behind the attack, but anonymous “U.S. officials” told the Washington Post it was the work of the Russian military.
Thursday’s analysis from SentinelOne adds what might be additional corroborating evidence supporting a Russian link. The researchers note that AcidRain has “interesting (but inconclusive) code overlap” with botnet malware known as “VPNFilter,” which the U.S. Department of Justice alleged in 2018 was a Russian effort used to infect routers.
The SentinelOne researchers note that VPNFilter had an array of capabilities that included everything from credential theft to the ability to wipe and brick devices or flood a target with phony traffic to render it unusable in a denial-of-service disruption, such as the one described by Viasat.
Beyond the similarities in function, the researchers note some code overlap between AcidRain and VPNFilter, although AcidRain “appears to be a far sloppier product that doesn’t consistently rise to the coding standards” of VPNFilter.