Acid Rain – the new malware that rained down on Europe

On 24 February it was reported that a new cyber-attack had hit the satellite communications company Viasat, affecting its infrastructure in Ukraine. The company, in its new security report, confirmed that the attack involved the use of a new malware named “Acid Rain”.

SentinelOne, a cybersecurity company, concludes in one of its latest reports that the attack that left Viasat modems inoperable in Ukraine also had effects elsewhere across Europe. The attack caused malfunctions in 5800 Enercon wind turbines in Germany, where remote control of the turbines became unavailable because of the disrupted satellite connections. People using satellite internet connections were also knocked offline all across Europe, from Poland to France.

The cybersecurity company attributed this attack to Acid Rain, a wiper designed for modems and routers. A wiper overwrites key data in a modem’s flash memory, rendering the device inoperable and in need of replacement, SentinelOne explained.

“Viasat has no evidence that standard modem software or firmware distribution or update processes involved in normal network operations were used or compromised in the attack,” stated the company, adding that “there is no evidence that any end-user data was accessed or compromised.”

In a lengthy statement from Viasat regarding the incident, it was mentioned that there was a “ground-based network intrusion” by an attacker exploiting a misconfiguration in a VPN appliance, which allowed them to gain remote access to the trusted management segment of the network.

“The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously,” the report said.

The malicious commands overwrote key data in flash memory on the modems, rendering them unable to access the network, Viasat said. The company also added that there was “no impact or compromise of any modem physical or electronic components, no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference.”

SentinelOne also mentioned that AcidRain is the 7th known wiper malware that might be associated with the Russian invasion of Ukraine. WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero are all wiper malware strains seen in use against Ukrainian governmental organizations since February.

It is not yet clear who is behind this attack, and the investigation by the US national security organization is still ongoing. Anne Neuberger, the US Deputy National Security Advisor, said in a press conference:

“We have not yet attributed that attack, but we’re carefully looking at it because… of the impact not only in Ukraine but also in satellite communication systems in Europe as well.”

Since the forensic results of the attack have not yet been published, the investigation will continue with the help of other cybersecurity firms and law enforcement agencies hired to work on the case.

Kristi Shehu is a Cyber Security Engineer (Application Security) and Cyber Journalist based in Albania. She lives and breathes technology, specializing in crafting content on cyber news and the latest security trends, all through the eyes of a cyber professional. Kristi is passionate about sharing her thoughts and opinions on the exciting world of cyber security, from breakthrough emerging technologies to dynamic startups across the globe.