Viasat Modems Knocked Offline By Malware With A Possible Connection To Russia

A few weeks ago, a malware based cyberattack took out thousands of Viasat satellite broadband modems just around the time Russia invaded Ukraine. Now it seems that the available evidence points towards Russia behind the attack as the available evidence says that were wiped by malware with possible links to Russia’s destructive VPNFilter. Let’s unpack this shall we.

First Viasat says that the modems were knocked offline  because a poorly configured VPN appliance was used by the attacker to access the trusted management section of the KA-SAT satellite network. That’s a #Fail. But what’s interesting is that Viasat said that any modems not bricked by the attack received firmware updates that should mitigate future attacks. That’s good and I will get back to why that’s a good thing in a moment. But let me now move to the Russian connection.

This report from SentinelOne details what happened next. Though by SentinelOne’s own admission the report is incomplete, it does have some valuable details:

The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers. A wiper for this kind of device would overwrite key data in the modem’s flash memory, rendering it inoperable and in need of reflashing or replacing.

Interesting. But here’s how it’s connected to Russia:

Despite what the Ukraine invasion has taught us, wiper malware is relatively rare. More so wiper malware aimed at routers, modems, or IoT devices. The most notable case is VPNFilter, a modular malware aimed at SOHO routers and QNAP storage devices, discovered by Talos. This was followed by an FBI indictment attributing the operation to Russia (APT28, in particular). More recently, the NSA and CISA attributed VPNFilter to Sandworm (a different threat actor attributed to the same organization, the Russian GRU) as the U.K.’s National Cyber Security Centre (NCSC) described VPNFilter’s successor, Cyclops Blink.

VPNFilter included an impressive array of functionality in the form of multi-stage plugins selectively deployed to the infected devices. The functionality ranges from credential theft to monitoring Modbus SCADA protocols. Among its many plugins, it also included functionality to wipe and brick devices as well as DDoS a target.

The reason we bring up the specter of VPNFilter is not because of its superficial similarities to AcidRain but rather because of an interesting (but inconclusive) code overlap between a specific VPNFilter plugin and AcidRain.

VPNFilter is something that I’ve written about a few times over the last few months. This implies that Russia is behind this attack. Which according to this Reuters story are still active and still attacking these modems. Which makes any sort of mitigation a good thing.

And remember, other countries and other ISPs may be next. So let’s hope that they up their game and make sure that they’re not the next victim of this or any other malware based attack.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: