SentinelOne recently published research on AcidRain, a wiper malware used in an attack on Viasat KA-SAT in Ukraine.
What is AcidRain Wiper?
In February, the German Enercon wind farm experienced an issue with their satellite communications, making remote control and monitoring of 5800 wind turbines unavailable. While Enercon did not yet know the reason for the outage, they speculated it had something to do with the Russia-Ukraine conflict. The outage was linked to the attack on Viasat KA-SAT.
In late March, Viasat released a statement describing a two-phase attack targeting its KA-SAT communications. The first phase was a denial of service attack coming from SurfBeam2 and SurfBeam2+ modems and other equipment physically located in Ukraine, temporarily knocking KA-SAT modems offline. The second phase was the gradual disappearance of the modems from the Viasat service. According to Viasat, the threat actors responsible for the attack exploited a misconfigured VPN appliance to gain access to the network and used that access to target multiple residential modems. Commands sent by the threat actors overwrote key data in the modems' flash memory, leaving them unable to access the network. The devices would require a factory reset to become usable again. Viasat did not release IOCs or other definitive information about the malware used in the attack.
SentinelOne used the information provided by Viasat to determine that the threat actors likely used the KA-SAT management mechanism in a supply-chain attack to push wiper malware to modems and routers, overwriting key data in the modems' flash memory to knock them offline.
In mid-March, SentinelOne noted a MIPS ELF binary named ukrop. Based on their analysis, they determined that the ukrop binary, dubbed AcidRain, fits the criteria for the malware used in the Viasat KA-SAT attack. The binary performs a wipe of the targeted filesystem and of known storage device files. Twitter user @reversemode posted a dump of the flash of one of the affected SurfBeam2 modems, and SentinelOne determined that the code used in AcidRain was capable of producing the same result.
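Because AcidRain is a MIPS ELF binary aimed at embedded modems and routers, a first triage step when sorting samples pulled from a sample repository or a firmware dump is to read the ELF header and check the target architecture before deciding which emulator or analysis environment to use. The following Python is an added example written for this post, not code from SentinelOne or PolySwarm; the two headers it parses are constructed inline (a 32-bit big-endian MIPS executable and a 64-bit x86-64 shared object) and are not bytes from the AcidRain sample.

```python
import struct

# e_machine values from the ELF specification, limited to architectures
# commonly seen on embedded network devices and on analyst workstations.
EM_NAMES = {
    0x02: "SPARC", 0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC",
    0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V",
}
# e_type values: relocatable, executable, shared object, core dump.
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data: bytes) -> dict:
    """Return bit width, endianness, object type and machine of an ELF blob.

    Only the e_ident bytes and the e_type/e_machine fields (offsets 16..19)
    are read, so a header-sized prefix of a file is enough for triage.
    Raises ValueError if the input is not an ELF file.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class = data[4]   # 1 = ELFCLASS32, 2 = ELFCLASS64
    ei_data = data[5]    # 1 = little-endian, 2 = big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification bytes")
    # e_type and e_machine are stored in the file's own byte order,
    # so the endianness byte decides how to unpack them.
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": ET_NAMES.get(e_type, f"unknown({e_type})"),
        "machine": EM_NAMES.get(e_machine, f"unknown(0x{e_machine:02x})"),
    }


def is_mips_elf(data: bytes) -> bool:
    """True when the blob is an ELF file built for MIPS, False otherwise."""
    try:
        return parse_elf_header(data)["machine"] == "MIPS"
    except ValueError:
        return False


def triage_by_machine(samples: dict) -> dict:
    """Group {name: bytes} samples by target machine; non-ELF files go to 'non-ELF'."""
    groups = {}
    for name, blob in samples.items():
        try:
            key = parse_elf_header(blob)["machine"]
        except ValueError:
            key = "non-ELF"
        groups.setdefault(key, []).append(name)
    return groups


# Constructed sample headers (not real malware bytes): magic, class, data
# encoding, version, OS ABI, 8 padding bytes, then e_type and e_machine.
SAMPLE_MIPS_HEADER = (
    b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8 + struct.pack(">HH", 2, 0x08)
)
SAMPLE_X86_64_HEADER = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 3, 0x3E)
)
SAMPLE_NOT_ELF = b"MZ\x90\x00" + b"\x00" * 16  # constructed non-ELF prefix

if __name__ == "__main__":
    for name, blob in {"sample_a": SAMPLE_MIPS_HEADER,
                       "sample_b": SAMPLE_X86_64_HEADER,
                       "sample_c": SAMPLE_NOT_ELF}.items():
        try:
            print(name, parse_elf_header(blob))
        except ValueError as exc:
            print(name, exc)
    print(triage_by_machine({"sample_a": SAMPLE_MIPS_HEADER,
                             "sample_b": SAMPLE_X86_64_HEADER,
                             "sample_c": SAMPLE_NOT_ELF}))
```

On a real sample directory you would pass `open(path, "rb").read(64)` for each file; the parser never executes anything and reads only the header, so it is safe to run over untrusted files as long as the files stay on an isolated analysis host.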
According to SentinelOne, wiper malware targeting routers, modems, and IoT devices is relatively rare. Previously discovered wiper malware targeting modems and routers, namely VPNFilter and Cyclops Blink, was attributed to the Russian state-sponsored threat actor groups APT28 (Fancy Bear) and Sandworm (Voodoo Bear). SentinelOne noted some developmental similarities between AcidRain and VPNFilter but did not attribute AcidRain to a particular threat actor group.
PolySwarm has samples associated with AcidRain.
You can use the following CLI command to search for all AcidRain samples in our portal:
$ polyswarm link list -f AcidRain