SentinelOne: The attack against Viasat is similar to past attacks attributed to Russia

by time news

At the end of February, a cyber attack hit Viasat’s modems located in Ukraine. “Accidental” damage from the attack caused about 5,800 Enercon wind turbines in Germany to be cut off from the grid.

SentinelOne investigators examined the statement released by Viasat on March 30 and found that it did not provide a satisfactory explanation of the nature of the attack. They investigated and found a “wiper” (malware whose purpose is to destroy data) that was deployed in the attack, and gave it the name AcidRain.

This wiper is related to another wiper called VPNFilter, which was already identified in 2018 by the US Department of Justice as a tool of Russian attackers; this indicates with high probability that the source of the current attack is in Russia.

SentinelOne investigators point out that AcidRain is the seventh Russian wiper used against Ukrainian targets since the beginning of the current campaign.

Activity in cyberspace has accompanied the battle between Russia and Ukraine from day one (in fact, offensive cyber activity began even before the movement of forces on the ground). The Russians have used a variety of techniques and tactics: denial-of-service attacks, fraud and deception operations on networks, and intelligence-gathering activity. But their main activity has focused on deploying wipers, destructive malware that locates data and destroys it, preventing access to sensitive information.

The attack on the satellite communications company goes beyond the boundaries of the known conflict. The story became known to the media when the German company Enercon reported a malfunction in wind turbines whose communications link, which relied on satellite communications, had been damaged.

The timing of the incident raised grave concerns that it was another part of Russia’s spectrum warfare, which has attacked and damaged Ukraine’s military communications infrastructure. In late March, more than a month after the incident, Viasat released an official statement that provided additional details.

According to the company, the attack was carried out in two phases: a denial-of-service attack originating from modems located in Ukraine momentarily blocked access to Viasat satellite modems in Germany. Later, Viasat modems began to disconnect from the network (and with them went the ability to communicate with and control the wind turbines).

According to the company, the attackers took advantage of an open VPN connection to infiltrate the network, carry out a supply chain attack, and push a version update to the satellite modems, which is what caused the malfunction.
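As an added example that is not part of SentinelOne’s report or Viasat’s statement, the following Python snippet shows the kind of check a network operator would want for the second-phase symptom described above: a burst of modems dropping off the network shortly after a management-plane update push. The log format, the modem ids, the timestamps, the 30-minute window and the 20% alert threshold are all constructed for illustration and are not taken from the incident.

```python
"""Flag a mass modem disconnect that follows a management-plane update push."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real operator data).
# Format: ISO-8601 timestamp, source (modem id or "mgmt"), event name.
SAMPLE_LOG = """\
2022-02-28T03:50:00Z mgmt     update_push
2022-02-28T03:51:10Z modem-01 offline
2022-02-28T03:51:12Z modem-02 offline
2022-02-28T03:51:15Z modem-03 offline
2022-02-28T03:51:20Z modem-04 offline
2022-02-28T03:52:00Z modem-05 online
2022-02-28T04:40:00Z modem-06 offline
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, source, event) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2]))
    return events


def disconnects_after_push(events, window=timedelta(minutes=30)):
    """Map each update_push time to the set of modems that went offline
    within `window` after it. A set is used so a modem flapping several
    times is counted once."""
    pushes = [ts for ts, _, ev in events if ev == "update_push"]
    result = {}
    for push in pushes:
        lost = {src for ts, src, ev in events
                if ev == "offline" and push <= ts <= push + window}
        result[push] = lost
    return result


def alerts(events, fleet_size, threshold=0.2, window=timedelta(minutes=30)):
    """Return (push_time, lost_count, lost_ratio) for every push after which
    at least `threshold` of the fleet went offline. Tune threshold and
    window to the normal churn of the fleet being monitored."""
    findings = []
    for push, lost in disconnects_after_push(events, window).items():
        ratio = len(lost) / fleet_size
        if ratio >= threshold:
            findings.append((push, len(lost), ratio))
    return findings


if __name__ == "__main__":
    for push, count, ratio in alerts(parse_log(SAMPLE_LOG), fleet_size=10):
        print(f"ALERT: {count} modems ({ratio:.0%}) offline within 30 min of push at {push}")
```

With the constructed log, four of the ten modems go offline within the window after the push (modem-06 drops later and is excluded), so the check fires at a 40% loss ratio. In practice the same logic would run over real modem keepalive telemetry and the update-push events from the management system, and the threshold would be set above the fleet’s normal disconnect rate.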

SentinelOne investigators obtained a sample of the file, analyzed it, and concluded that it was most likely related to an earlier Russian wiper, and that this was in fact a sophisticated Russian attack on satellite communications equipment.

The researchers estimate that there was no intention to damage the wind turbines (or other organizations that use this model of satellite modem), and that this was “incidental damage.”
