The US and the European Union said on Tuesday that Russia was responsible for a cyberattack in February that crippled a satellite network in Ukraine and neighboring countries, disrupting communications and a wind farm used to generate electricity.
The February 24 attack unleashed wiper malware that destroyed thousands of satellite modems used by customers of communications company Viasat. A month later, security firm SentinelOne said an analysis of the wiper malware used in the attack showed multiple technical similarities with VPNFilter, a piece of malware discovered on more than 500,000 home and small office modems in 2018. Multiple US government agencies attributed VPNFilter to Russian state threat actors.
Tens of thousands of modems knocked out by AcidRain
“Today, the United States, in support of the European Union and other partners, is publicly sharing its assessment that Russia carried out cyber attacks on commercial satellite communications networks in late February to disrupt Ukrainian command and control during the invasion, and those actions had spillover effects to other European countries,” US Secretary of State Antony Blinken wrote in a statement. “The activity rendered very small aperture terminals useless in Ukraine and across Europe. This includes tens of thousands of terminals outside Ukraine that, among other things, support wind turbines and provide internet services to private individuals.”
AcidRain, the name of the wiper analyzed by SentinelOne, is a previously unknown piece of malware. Consisting of an executable file for the MIPS hardware in Viasat modems, AcidRain is the seventh separate piece of wiper malware associated with the ongoing Russian invasion of Ukraine. Wipers destroy data on hard drives in a way that cannot be undone. In most cases, they render devices or entire networks completely useless.
SentinelOne researchers said they found “non-trivial” but ultimately “inconclusive” development similarities between AcidRain and “dstr”, the name of a wiper module in VPNFilter. The similarities include 55 percent code similarity as measured by a tool known as TLSH, identical section header string tables, and “storing the previous syscall number in a global location before a new syscall.”
Viasat officials at the time said the SentinelOne analysis and findings were consistent with the outcome of their own investigation.
One of the first signs of the hack came when more than 5,800 wind turbines belonging to German energy company Enercon were taken offline. The outage didn’t stop the turbines from spinning, but it prevented technicians from resetting them remotely. Enercon has since managed to get most of the affected turbines back online and replace the satellite modems.
“The cyber-attack took place an hour before Russia’s unprovoked and unwarranted invasion of Ukraine on February 24, 2022, enabling military aggression,” EU officials wrote in an official statement. “This cyber-attack had a significant impact, causing random communication failures and disruptions to various government agencies, businesses and users in Ukraine, as well as affecting several EU Member States.”
In a separate statement, British Foreign Secretary Liz Truss said: “This is clear and shocking evidence of a deliberate and malicious attack by Russia on Ukraine that had significant repercussions on ordinary people and businesses in Ukraine and across Europe.”
Repeat cyber offender
The cyber attack was one of many that Russia has carried out against Ukraine in the past eight years. In 2015 and again in 2016, hackers working for the Kremlin caused power outages that left hundreds of thousands of Ukrainians without heating during one of the country's coldest months.
Beginning in January 2022, in the run-up to the Russian invasion of its neighbor, Russia unleashed a host of other cyberattacks against Ukrainian targets, including a series of distributed denial-of-service attacks, website defacements and wiper attacks.
In addition to the two attacks on Ukraine’s electricity infrastructure, evidence shows that Russia is also responsible for NotPetya, another disk wiper that was released in Ukraine and later distributed around the world, causing an estimated $10 billion in damage. In 2018, the US sanctioned Russia for the NotPetya attack and meddling in the 2016 election.
Critics have long said that the US and its allies have not done enough to punish Russia for NotPetya or the 2015 and 2016 attacks on Ukraine, the only known real-world hacks to cut off electricity.