The US and European Union on Tuesday said Russia was responsible for a cyberattack in February that crippled a satellite network in Ukraine and neighboring countries, disrupting communications and a wind farm used to generate electricity.
The February 24 attack unleashed wiper malware that destroyed thousands of satellite modems used by customers of communications company Viasat. A month later, security firm SentinelOne said an analysis of the wiper malware used in the attack shared multiple technical similarities to VPNFilter, a piece of malware discovered on more than 500,000 home and small office modems in 2018. Multiple US government agencies attributed VPNFilter to Russian state threat actors.
Tens of thousands of modems taken out by AcidRain
“Today, in support of the European Union and other partners, the United States is sharing publicly its assessment that Russia launched cyber attacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries,” US Secretary of State Antony Blinken wrote in a statement. “The activity disabled very small aperture terminals in Ukraine and across Europe. This includes tens of thousands of terminals outside of Ukraine that, among other things, support wind turbines and provide Internet services to private citizens.”
AcidRain, the name of the wiper analyzed by SentinelOne, is a previously unknown piece of malware. Consisting of an executable file for the MIPS hardware in Viasat modems, AcidRain is the seventh distinct piece of wiper malware associated with Russia’s ongoing invasion of Ukraine. Wipers destroy data on hard drives in a way that can’t be reversed. In most cases, they render devices or entire networks completely unusable.
SentinelOne researchers said they found “non-trivial” but ultimately “inconclusive” developmental similarities between AcidRain and “dstr,” the name of a wiper module in VPNFilter. The resemblances included a 55 percent code similarity as measured by a tool known as TLSH, identical section header strings tables, and the “storing of the previous syscall number to a global location before a new syscall.”
Viasat officials said at the time that the SentinelOne analysis and findings were consistent with the outcome of their own investigation.
One of the first signs of the hack occurred when more than 5,800 wind turbines belonging to the German energy company Enercon were knocked offline. The outage didn’t stop the turbines from spinning, but it prevented engineers from remotely resetting them. Enercon has since managed to get most of the affected turbines back online and replace the satellite modems.
“The cyberattack took place one hour before Russia’s unprovoked and unjustified invasion of Ukraine on 24 February 2022 thus facilitating the military aggression,” EU officials wrote in an official statement. “This cyberattack had a significant impact causing indiscriminate communication outages and disruptions across several public authorities, businesses and users in Ukraine, as well as affecting several EU Member States.”
In a separate statement, British Foreign Secretary Liz Truss said: “This is clear and shocking evidence of a deliberate and malicious attack by Russia against Ukraine which had significant consequences on ordinary people and businesses in Ukraine and across Europe.”
Repeat cyber offender
The cyberattack was one of many Russia has carried out against Ukraine over the past eight years. In 2015 and again in 2016, hackers working for the Kremlin caused electricity blackouts that left hundreds of thousands of Ukrainians without heat during one of the coldest months.
Starting around January 2022, in the lead-up to Russia’s invasion of its neighboring country, Russia unleashed a host of other cyberattacks against Ukrainian targets, including a series of distributed denial-of-service attacks, website defacements, and wiper attacks.
Besides the two attacks on Ukrainian electricity infrastructure, evidence shows Russia is also responsible for NotPetya, another disk wiper that was released in Ukraine and later spread around the world, where it caused an estimated $10 billion in damage. In 2018, the US sanctioned Russia for the NotPetya attack and interference in the 2016 election.
Critics have long said that the US and its allies didn’t do enough to punish Russia for NotPetya or the 2015 or 2016 attacks on Ukraine, which remain the only known real-world hacks to knock out electricity.