Viasat, the high-speed satellite broadband provider whose modems went offline in Ukraine and other parts of Europe in early March, has confirmed a theory by outside researchers that new wiper malware with possible ties to the Russian government was responsible for the attack.
In a report published Thursday, SentinelOne researchers said they had discovered the new modem wiper and named it AcidRain. The researchers said AcidRain shares multiple technical similarities with parts of VPNFilter, a piece of malware that infected more than 500,000 home and small-office modems in the US. Multiple US government agencies, first the FBI and later others, including the National Security Agency, attributed that modem malware to Russian state threat actors.
SentinelOne researchers Juan Andres Guerrero-Saade and Max van Amerongen posited that AcidRain was used in a cyberattack that sabotaged thousands of modems used by Viasat customers. Among the clues they found was the name “ukrop” for one of AcidRain’s source binaries.
While SentinelOne said it couldn’t be sure its theory was correct, Viasat representatives were quick to confirm that it was. Viasat also said the finding was consistent with a brief description of the attack the company had published on Wednesday.
The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report; specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as previously described by Viasat. As stated in our report: “The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate management commands on a large number of residential modems simultaneously.”
AcidRain is the seventh separate piece of wiper malware associated with Russia’s ongoing invasion of Ukraine. Guerrero-Saade and van Amerongen said AcidRain is an executable for MIPS, the hardware architecture of the modems used by Viasat customers. The sample was uploaded to VirusTotal from Italy under the name “ukrop”.
“Despite what the invasion of Ukraine has taught us, wiper malware is relatively rare,” the researchers wrote. “Even more so wiper malware targeting routers, modems, or IoT devices.”
The researchers found “non-trivial” but ultimately “inconclusive” developmental similarities between AcidRain and “dstr”, the name of a wiper module in VPNFilter. The similarities included 55 percent code similarity as measured by a tool known as TLSH, identical section header string tables, and the “storing of the previous system call number in a global location before a new system call”.
“At this time, we cannot judge whether this is a shared compiler optimization or a weird developer quirk,” the researchers said.
One mystery solved, others remain
Viasat’s statement indicates that the speculation was correct.
Viasat’s overview on Wednesday said the hackers behind the destructive attack gained unauthorized access to a trusted management segment of the company’s KA-SAT network by exploiting a misconfigured VPN. The hackers then expanded their reach to other segments that allowed them to “execute specific and legitimate management commands on a large number of residential modems simultaneously.” the network, but not permanently unusable.
It is not yet clear how the threat actors gained access to the VPN.
Also on Thursday, independent security researcher Rubén Santamarta published an analysis describing several vulnerabilities in firmware running on the SATCOM terminals affected by the attack. One was a failure to cryptographically validate new firmware before installing it. Another was “multiple command injection vulnerabilities that can be trivially exploited from a malicious ACS.”
ACS appears to refer to auto-configuration servers, a component of a remote-management protocol used by modems.
“I’m not saying these issues have actually been abused by attackers, but it certainly doesn’t look good,” Santamarta wrote. “Hopefully these vulnerabilities will no longer be present in the latest Viasat firmware, otherwise it would be a problem.”
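The first issue Santamarta describes, installing firmware without a cryptographic check, is what a signed-image verifier on the terminal prevents. The following is an added example in Go, not Viasat’s or Santamarta’s code; the image layout, the “FWIM” magic, the BuildImage/VerifyImage names and the use of an Ed25519 key are assumptions for this illustration, and the anti-rollback check goes beyond what the page mentions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout: magic(4) | version(4, big-endian) | payload | Ed25519 signature(64).
// The signature covers magic, version and payload, so none of them can be altered unnoticed.
var magic = []byte("FWIM")
// BuildImage is the vendor-side step: sign the header and payload with the private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 8, 8+len(payload)+ed25519.SignatureSize)
	copy(body, magic)
	binary.BigEndian.PutUint32(body[4:], version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}
// VerifyImage is the terminal-side check that must run before anything is flashed: it rejects
// images that do not verify under the pinned public key and refuses rollback to an older version.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, error) {
	if len(img) < 8+ed25519.SignatureSize {
		return 0, errors.New("image too short")
	}
	body, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	if !bytes.Equal(body[:4], magic) {
		return 0, errors.New("bad magic")
	}
	if !ed25519.Verify(pub, body, sig) {
		return 0, errors.New("signature verification failed")
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version < installed {
		return 0, fmt.Errorf("rollback refused: image v%d older than installed v%d", version, installed)
	}
	return version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor's signing key
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))
	fmt.Println(VerifyImage(pub, 1, img)) // 2 <nil>
	img[9] ^= 0x01                        // flip one payload byte
	fmt.Println(VerifyImage(pub, 1, img)) // 0 signature verification failed
}
```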
Clearly, much about the disabling of Viasat modems remains unexplained. But the confirmation that AcidRain was the payload responsible is an important development.
“I’m glad Viasat agrees with our findings on AcidRain,” Guerrero-Saade wrote in a private message. “I hope they can share more of their findings. There is much more to discover in this case.”