SentinelLabs researchers have captured a piece of wiper malware targeting routers and modems, and found digital breadcrumbs linking it to the Viasat intrusion that also cut remote monitoring of thousands of wind turbines in Germany. According to malware researchers Juan Andres Guerrero-Saade and Max van Amerongen, the new wiper, dubbed AcidRain, is believed to be part of a larger supply-chain attack aimed at disabling Viasat's satellite internet service.
In its public statement, Viasat said a two-pronged cyberattack on its KA-SAT network culminated in malicious commands overwriting key data in the modems' internal memory, rendering tens of thousands of modems across Europe inoperable. According to published reports, the Viasat attack, which began in the hours after Russia launched its invasion of Ukraine, disrupted modem service in France and Italy and knocked out remote monitoring of thousands of wind turbines in Germany.
SentinelLabs' threat hunters are now sharing notes on the new wiper's discovery, along with code overlaps and other evidence connecting the malware to the satellite network takedown. The researchers called Viasat's public response "incomplete," and said their own technical analysis revealed parallels to the 2018 VPNFilter campaign, which the FBI attributed to a known Russian government APT group.
“We assess with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government,” said the researchers.
Noting that AcidRain is the seventh wiper tied to Russia's invasion of Ukraine, the SentinelLabs team said the suspicious file, an ELF binary compiled for MIPS, was uploaded to the VirusTotal multi-scanner service from Italy under the name 'ukrop' and was identified as a wiper.
AcidRain's functionality is relatively simple and relies on a brute-force approach: rather than targeting paths specific to one firmware, it iterates over the generic Linux storage-device names (SD/SATA disks, MTD flash, MMC and loop devices), which suggests either that the attackers did not know the specifics of the target firmware or that they wanted a generic, reusable tool. The malware performs an in-depth wipe of the filesystem and of whatever known storage device files it finds, overwriting them or issuing flash-erase ioctls. If running as root, AcidRain first performs a recursive overwrite and deletion of non-standard files in the filesystem, then wipes the storage devices and reboots the device.
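The brute-force approach described above leaves a tell in the binary itself: format strings for several unrelated generic Linux device names, where ordinary firmware code references one vendor-specific path. The following triage script is an added example, not SentinelLabs' code or any tool mentioned in the article. It reads the ELF machine type, pulls printable strings and flags a MIPS binary that references three or more device-name families. The watch list of prefixes and the sample bytes are the analyst's own assumptions, constructed for the demonstration rather than taken from any real sample.

```python
import re
import struct

# Generic Linux storage-device name prefixes that a firmware-agnostic wiper
# would brute-force rather than targeting one vendor-specific path.
# This watch list is the analyst's assumption, not a list taken from the article.
WIPER_DEVICE_PREFIXES = (
    b"/dev/block/mtdblock", b"/dev/block/mmcblk",
    b"/dev/mtdblock", b"/dev/mmcblk", b"/dev/mtd", b"/dev/loop", b"/dev/sd",
)

ELF_MAGIC = b"\x7fELF"
EM_MIPS = 8  # e_machine value for MIPS in the ELF specification


def elf_machine(data: bytes):
    """Return e_machine for an ELF image, honouring EI_DATA endianness; None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    return struct.unpack(endian + "H", data[18:20])[0]


def printable_strings(data: bytes, min_len: int = 4):
    """Crude 'strings': runs of printable ASCII at least min_len bytes long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def device_family(s: bytes):
    """Longest watch-list prefix that s starts with, or None if it is not a device path."""
    hits = [p for p in WIPER_DEVICE_PREFIXES if s.startswith(p)]
    return max(hits, key=len) if hits else None


def triage(data: bytes) -> dict:
    """Summarise architecture and device-path references; flag the generic-wiper pattern."""
    machine = elf_machine(data)
    refs = sorted({s for s in printable_strings(data) if device_family(s)})
    families = sorted({device_family(s) for s in refs})
    # One vendor path is ordinary firmware code; several unrelated device
    # families in one small binary is the brute-force signature worth a look.
    suspicious = machine == EM_MIPS and len(families) >= 3
    return {
        "is_elf": machine is not None,
        "is_mips": machine == EM_MIPS,
        "device_refs": [r.decode() for r in refs],
        "families": [f.decode() for f in families],
        "generic_wiper_pattern": suspicious,
    }


def build_sample() -> bytes:
    """Constructed stand-in: an ELF32 big-endian MIPS header followed by
    device-path format strings. Not bytes from any real malware sample."""
    e_ident = ELF_MAGIC + b"\x01\x02\x01" + b"\x00" * 9   # 32-bit, MSB, version 1
    header = e_ident + struct.pack(">HH", 2, EM_MIPS)      # ET_EXEC, EM_MIPS
    strings = b"\x00".join([
        b"/dev/sd%c", b"/dev/mtdblock%d", b"/dev/block/mmcblk%d",
        b"/dev/loop%d", b"/tmp/work",   # last one is an ordinary, non-device path
    ])
    return header + b"\x00" * 32 + strings + b"\x00"


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run it against a real firmware image or a suspect binary by passing the file's bytes to `triage()`; the threshold of three families is a starting point for hunting, not a verdict, since legitimate recovery or flashing utilities can reference the same device names.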