1 April 2022

Researchers discover modem wiper malware associated with the Russian invasion of Ukraine


Researchers at SentinelOne discovered a new piece of destructive wiper malware targeting modems and routers that may be connected to the February Viasat hack that affected thousands of the company’s customers in Ukraine and Europe.

Viasat released an incident report this week in which it said that the goal of the attackers was to interrupt service. The perpetrators exploited a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network. They then used the network access to execute commands on a large number of residential modems that overwrote key data in flash memory on the modems, cutting off access to the network.

Now, SentinelOne researchers have shared a report detailing a new wiper malware they dubbed “AcidRain” that may have been used in the Viasat attack.

“We postulate an alternative hypothesis: The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers. A wiper for this kind of device would overwrite key data in the modem’s flash memory, rendering it inoperable and in need of reflashing or replacing,” the researchers wrote.

The malware was discovered on March 15, when the researchers noticed a suspicious 32-bit MIPS ELF binary named ‘ukrop’ (possibly short for “Ukraine Operation”) uploaded to VirusTotal from Italy.

“AcidRain’s functionality is relatively straightforward and takes a bruteforce attempt that possibly signifies that the attackers were either unfamiliar with the particulars of the target firmware or wanted the tool to remain generic and reusable. The binary performs an in-depth wipe of the filesystem and various known storage device files. If the code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the filesystem,” according to the report.
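The researchers' first clue was the file's ELF header rather than its behaviour: a 32-bit MIPS executable is an odd thing to land on VirusTotal and is exactly what a residential modem or SOHO router runs. The script below is an added example, not SentinelLabs' or Viasat's code. It decodes the fixed part of an ELF header (class, byte order, machine, type, entry point) and exposes a triage predicate for 32-bit MIPS executables in either byte order. The two headers it is run on are constructed in the script by a helper; they are not the 'ukrop' sample. Field offsets and constants are the standard System V ELF ones.

```python
import struct

# Standard ELF e_ident and header constants (System V ABI); not from the article.
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA, EI_OSABI = 4, 5, 7
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_386, EM_MIPS = 3, 8
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data: bytes) -> dict:
    """Decode the fixed part of an ELF header and return its key fields.

    Raises ValueError on anything that is not a well-formed ELF header, so a
    truncated or non-ELF upload is reported rather than silently mis-parsed.
    """
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (bad magic or too short)")
    ei_class, ei_data = data[EI_CLASS], data[EI_DATA]
    if ei_class not in (ELFCLASS32, ELFCLASS64):
        raise ValueError(f"unknown EI_CLASS {ei_class}")
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError(f"unknown EI_DATA {ei_data}")
    # Every multi-byte field after e_ident uses the byte order named by EI_DATA.
    end = "<" if ei_data == ELFDATA2LSB else ">"
    e_type, e_machine, _e_version = struct.unpack_from(end + "HHI", data, 16)
    if ei_class == ELFCLASS32:
        # ELF32: e_entry, e_phoff, e_shoff are 4 bytes each, header is 52 bytes.
        e_entry, _phoff, _shoff, e_flags = struct.unpack_from(end + "IIII", data, 24)
        hdr_size = 52
    else:
        # ELF64: those three fields are 8 bytes each, header is 64 bytes.
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        e_entry, _phoff, _shoff, e_flags = struct.unpack_from(end + "QQQI", data, 24)
        hdr_size = 64
    return {
        "bits": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "little" if ei_data == ELFDATA2LSB else "big",
        "osabi": data[EI_OSABI],
        "type": TYPES.get(e_type, f"unknown({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
        "machine_id": e_machine,
        "entry": e_entry,
        "flags": e_flags,
        "header_size": hdr_size,
    }


def is_mips32_executable(data: bytes) -> bool:
    """Triage predicate: a 32-bit MIPS ELF executable, big- or little-endian."""
    try:
        h = parse_elf_header(data)
    except ValueError:
        return False
    return h["bits"] == 32 and h["machine_id"] == EM_MIPS and h["type"] == "EXEC"


def build_elf32_header(machine: int, big_endian: bool, e_type: int = 2) -> bytes:
    """Construct a minimal 52-byte ELF32 header for testing (no code follows it)."""
    end = ">" if big_endian else "<"
    e_ident = (ELF_MAGIC
               + bytes([ELFCLASS32, ELFDATA2MSB if big_endian else ELFDATA2LSB, 1, 0])
               + b"\x00" * 8)
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack(end + "HHIIIIIHHHHHH",
                       e_type, machine, 1, 0x400000, 52, 0, 0, 52, 32, 0, 40, 0, 0)
    return e_ident + rest


# Constructed samples, not the real 'ukrop' binary: a big-endian MIPS32
# executable header and a little-endian x86 one for contrast.
SAMPLE_MIPS_BE = build_elf32_header(EM_MIPS, big_endian=True)
SAMPLE_X86_LE = build_elf32_header(EM_386, big_endian=False)

if __name__ == "__main__":
    for name, blob in (("mips_be", SAMPLE_MIPS_BE), ("x86_le", SAMPLE_X86_LE)):
        print(name, parse_elf_header(blob), "mips32?", is_mips32_executable(blob))
```

Run it over the first 64 bytes of each upload; the predicate accepts both byte orders because MIPS SoCs ship as either, and a truncated or non-ELF file yields False instead of an exception, which is what you want in a bulk triage loop.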

During the analysis, the researchers noticed code overlaps between AcidRain and the destructive (wiping) plugin of VPNFilter, a modular malware family that targeted SOHO routers and QNAP NAS devices. The VPNFilter attacks were attributed by US authorities to two Russia-linked state-sponsored hacker groups, APT28 and Sandworm.

“As we consider what’s possibly the most important cyber attack in the ongoing Russian invasion of Ukraine, there are many open questions. Despite Viasat’s statement claiming that there was no supply-chain attack or use of malicious code on the affected routers, we posit the more plausible hypothesis that the attackers deployed AcidRain (and perhaps other binaries and scripts) to these devices in order to conduct their operation,” the researchers said.

A Viasat spokesperson told tech news site BleepingComputer that “the analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report - specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described.” The company said it will provide more information once the investigation is completed.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man are not worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!

