This dangerous malware is linked to the attack against Viasat satellite communication systems

This week, security researchers at SentinelLabs reported detecting a sample of wiper malware that targets routers and other Internet of Things (IoT) devices. After analyzing the traces left by this campaign, the researchers concluded that the operation could be linked to the cyberattack against Viasat, a provider of satellite telecommunications services.

Researchers Juan Andres Guerrero-Saade and Max van Amerongen, the authors of the report, believe that this wiper, identified as AcidRain, is part of a larger attack intended to cause severe disruption of satellite Internet service in Europe.

A few weeks ago, Viasat confirmed that a cyberattack against its KA-SAT network had impacted tens of thousands of modems across Europe, with the threat actors overwriting data in the modems' memory. The attack came just as Russia began its military invasion of Ukraine, so speculation immediately began about a possible relationship between the two events.

The researchers shared some of their findings on the possible links between the Viasat attack and the emergence of this wiper: “We believe that the threat actor used the KA-SAT management mechanism in a supply chain attack for the deployment of the wiper, compromising thousands of modems and routers.” They also believe that the wiper is capable of erasing all data stored on an affected device, rendering it completely unusable.

The SentinelLabs report also notes several similarities between this campaign and the VPNFilter malware attacks, allegedly deployed by a hacking group sponsored by the Russian government: “We have determined that there are developmental similarities between AcidRain and a destructive VPNFilter plugin, attributed to the Kremlin.”

AcidRain is the seventh wiper malware associated with the Russian invasion of Ukraine. The sample was uploaded to the VirusTotal scanning service under the name ‘ukrop’. “AcidRain’s functionalities are simple and require a brute force attempt, which could indicate that threat actors were unfamiliar with the details of the affected firmware or simply wished the tool to be generic and reusable,” adds the report.
