Viasat has reported on the February attack against its KA-SAT network. SentinelOne has also reported on AcidRain, the destructive malware used in the attack.
Subsequent investigation and forensic analysis identified a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network. The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.
On Thursday, February 24th, 2022, a cyber attack rendered Viasat KA-SAT modems inoperable in Ukraine.
Spillover from this attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control.
Viasat’s statement on Wednesday, March 30th, 2022 provides a somewhat plausible but incomplete description of the attack.
SentinelLabs researchers discovered new malware that we named ‘AcidRain’.
AcidRain is an ELF MIPS malware designed to wipe modems and routers.
We assess with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government.
AcidRain is the 7th wiper malware associated with the Russian invasion of Ukraine.
Update: In a statement disseminated to journalists, Viasat confirmed the use of the AcidRain wiper in the February 24th attack against their modems.