Russia’s AcidRain Malware Destroys Satellite Receivers across Europe

Russia began its war on Ukraine with a series of wiper malware attacks. Wiper attacks simply want to make a device inoperable by destroying its boot sector. It’s basically an offensive cyber weapon. As of this writing, there have been seven separate wiper malware variants identified. Among these was one which targeted Viasat modems.

The initial Viasat modem attack was timed to coincide with the physical invasion of Ukraine. Many predicted such a scenario as it mimicked other attacks by Russia in Georgia and Crimea. This attack vector, however, was so unique that it initially evaded attention. In fact, it wasn’t until days later when 5.800 wind turbines in Germany became inoperable that it became clear that something unusual was going on. Eventually, Viasat admitted that it was investigating a cyber attack which disrupted “30,000 satellite terminals used by companies and organisations from various sectors across Europe.” Let me make it clear that the satellite itself was not hacked; the terminals integrated with them were. The specific terminals operating the wind turbines were rendered unable to communicate with them and control them, but, the turbines themselves continued to run in auto mode. In fact, these terminals appear to be collateral damage from the main attack on Ukraine.

It was at first believed that this was the result of some massive DDoS attack. But then, the Commander of the French Joint Space Command, Commander General Michel Friedling, announced that “the terminals have been damaged, made inoperable and probably cannot be repaired”.

If true, this indicated damage to the main boot sector of the terminals, in other words, it indicated a wiper malware attack. SentinelLabs first posited this attack vector, naming the wiper malware, AcidRain.

Viasat eventually issued a report on the incident and claimed that “subsequent investigation and forensic analysis identified a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network.” VPNs are often exploited by hackers because they have access to various networks. In this case, the intrusion disabled the ability to communicate remotely with SCADA controls. The malware exploited inter-network connections to locate and target other modems in Ukraine, but others, outside of Ukraine and throughout Europe, were also caught up in the attack.

Viasat does not make it clear how these modems could have been made inoperable, but it does raise important questions. First of all, how vulnerable is Viasat to hacking? In researching this post, I ran across an interesting anecdote. It concerned how members of their IT team did some pentesting to find vulnerabilities in the company network. Here is that story from the company’s own blog.

“One of the most successful Red Team exploits involved first registering a domain name similar to the client’s company, then sending an invitation that appeared to come from the company’s health group. 

It notified employees they would receive a free Fitbit for registering for a contest.

“They all did it,” Heyen said. “We even had CFOs registering for this fake contest. It was one of the most successful things we’ve done.”

“When they logged in, we had their passwords. We had spreadsheets with credit-card and CVE numbers. They were terrified how easy it was for us to do it.

The team had similar success using fake Subway sandwich coupons.”

Other access points into the company network were also found. All of these network endpoints could be exploited to do serious damage, which is why high quality endpoint protection is so important. To say the very least, this doesn’t look good and could give a signal to any malicious entity that Viasat is easy to hack.

One key question is: What else could an attacker do if they gained control of a satellite terminal? Simply wiping out the terminal seems like the most basic of attacks. This point was expanded on in an interesting and informative post on the Reversemode website. First of all, it’s necessary to show how satellite networks are put together. In this simple diagram, NOC stands for Network Operating Center.

And these are the possible exploits that could be launched.

The researcher for this report, after studying the firmware for the modem, concluded that, “I’m now even more convinced that there are multiple ways to permanently damage a KA-SAT SATCOM terminal.”

This is scary stuff. Certainly, if the Russian hackers had wanted to, they could have done far more. It seems that, at the time they deployed the attack, their main goal was only to cause confusion. Had they wanted to, they could have directly interfered with military operations. The only reason they may not have done so was that, at the time, they believed they simply didn’t have to. They believed their objectives would be attained in a few days. Now, things have changed.

And what if this was not an accidental attack on wind turbines in Germany? Knowing that, with the shutdown of the Nord Stream 2 pipeline, Germany, and Europe, for that matter, would become more dependent on renewable energy resources, why not take down this alternate form of energy production to ramp up pressure on Germany? In fact, this idea may not be all that farfetched. German wind turbine manufacturer, Nordex, suffered a serious cyberattack on March 31st, which forced them to shutdown their IT network.

This all indicates that more serious attacks may be in the offing. Although many of these Russian-based attacks may target Ukraine, they may also target those siding with Ukraine in the current war. However, due to security reasons, we may never hear of many of these attacks. This often leads to the false assumption that there is no cyberwar going on. This simply is not the case. This false assumption was highlighted in a recent post on the Foreign Affairs website entitled, The Myth of the Missing Cyberwar. In this article, the writers call such views as “a dangerous misdiagnosis”. The cyberwar is, in fact, going on and it will quite likely lead to a world cyberwar, if it hasn’t already.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s