Draft:AcidRain

AcidRain (malware)

AcidRain is a data-wiping malware designed to target routers and modems. It was deployed in the cyberattack against the KA-SAT satellite broadband service operated by Viasat, causing widespread disruptions in Ukraine and Europe on February 24, 2022, coinciding with the Russian invasion of Ukraine.

Background

Viasat Attack

On February 24, 2022, AcidRain was used to wipe satellite communication modems, disrupting internet service for thousands of users in Ukraine and tens of thousands more across Europe. The attack on Viasat's KA-SAT network severely impacted critical infrastructure and communications, including wind farms in Germany and other European countries.^[1]

Malware Characteristics

AcidRain is an ELF binary targeting devices with MIPS architecture. It was designed to brute-force device file names and systematically wipe all accessible files, making it versatile for reuse in future attacks. The malware erases data by performing an in-depth wipe of the filesystem and various known storage devices, including flash memory, SD/MMC cards, and virtual block devices. After completing the data destruction process, AcidRain reboots the device, rendering it unusable.^[2]^[3]

Attribution

The cyberattack involving AcidRain has been attributed to the Russian military intelligence agency (GRU). Specifically, the Sandworm Team, a hacking group associated with the GRU, was linked to this operation. This attribution has been supported by the European Union, the United Kingdom, the United States, and Ukraine.^[4]^[2]

Technical Details

Operation

Once deployed, AcidRain iterates over device file identifiers, opening each device file and either overwriting it or using various IOCTL commands to erase it. The malware uses commands like MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB to wipe data comprehensively. SentinelOne researchers first identified the malware in March 2022 after it was uploaded to the VirusTotal platform.^[3]

Impact

The deployment of AcidRain in the Viasat attack is considered part of Russia's broader hybrid warfare strategy, integrating cyber operations with conventional military actions. This attack on satellite communication infrastructure had significant spillover effects, impacting both military and civilian communications across Europe. Viasat confirmed the use of legitimate management commands to deploy the malware, aligning with the theory of a supply-chain attack.^[1]^[3]

References

^ ^a ^b O'Neill, Patrick Howell (2022-05-10). "Russia hacked an American satellite company one hour before the Ukraine invasion". MIT Technology Review.
^ ^a ^b "AcidRain". MITRE ATT&CK. 2024-03-25.
^ ^a ^b ^c Gatlan, Sergiu (2022-03-31). "Viasat confirms satellite modems were wiped with AcidRain malware". BleepingComputer.
^ "Case Study: Viasat Attack". CyberPeace Institute. 2022.

[TechReview-1] O'Neill, Patrick Howell (2022-05-10). "Russia hacked an American satellite company one hour before the Ukraine invasion". MIT Technology Review.

[MITRE-2] "AcidRain". MITRE ATT&CK. 2024-03-25.

[BleepingComputer-3] Gatlan, Sergiu (2022-03-31). "Viasat confirms satellite modems were wiped with AcidRain malware". BleepingComputer.

[CyberPeace-4] "Case Study: Viasat Attack". CyberPeace Institute. 2022.

[1]

[2]

[3]

[4]