A satellite broadband outage that affected thousands of customers in Ukraine and across Europe was caused by malware linked to the Russian government.
The outage took place on 24 February 2022—the same day Russia launched its invasion of Ukraine, a conflict that resulted in tens of thousands of casualties, displaced roughly 6.5 million people within Ukraine, and created an estimated 4.1 million refugees.
Because of the timing, observers immediately suspected the outage was connected to the invasion.
Viasat stated in a blog post that the disruption was confined to “a single consumer-oriented partition of the KA-SAT network that is operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic.”
The satellite operator said it promptly took steps to stabilize and secure the network. Service was largely restored within hours and fully recovered over several days.
Viasat is cooperating with international agencies to investigate the incident, and reported it had identified “a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network.”
Attackers leveraged that access to issue legitimate, targeted management commands to a large number of residential modems at once. Those destructive commands overwrote critical data in the devices’ flash memory, leaving the modems unable to connect to the network.
Cybersecurity firm SentinelOne performed a deeper technical analysis of the incident.
SentinelOne said Viasat’s account was “a somewhat plausible but incomplete description of the attack,” and added that the incident caused spillover effects, rendering about 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control.
The researchers discovered ELF MIPS malware designed to wipe modems and routers, which they named AcidRain.
“We assess with medium confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government,” explained SentinelLabs researchers Juan Andres Guerrero-Saade and Max van Amerongen.
Viasat later confirmed that SentinelOne’s findings aligned with its own investigation, noting that a “destructive executable” had been executed on the modems using a legitimate management command.
The spillover effect that disrupted wind turbine communications in Germany raised alarms because, had the attack affected more critical infrastructure, the consequences could have been far more severe. NATO has warned that a significant cyberattack on a member state could prompt a collective response from the alliance.
SentinelOne further noted that AcidRain represents the seventh identified wiper malware associated with Russia’s invasion of Ukraine.
Related: SpaceX has sent additional Starlink terminals to Ukraine, though experts caution that such systems could become targets.