On Thursday, February 24, a cyber attack rendered Viasat KA-SAT modems inoperable in Ukraine, according to a recent Viasat report. Collateral damage from this attack also deactivated the remote monitoring or control of 5,800 Enercon wind turbines in Germany.

The cause of the attack was allegedly a newly discovered data wiper malware that wipes routers and modems. Dubbed AcidRain, the malware was deployed to target the KA-SAT satellite broadband service to wipe SATCOM modems. This incident affected thousands of modems in Ukraine and tens of thousands more across Europe.

What Is Wiper Malware?

When threat actors launch wiper malware attacks, they often aren’t asking for ransom. Instead, wiper malware leads to the destruction or wiping of data. For example, the Shamoon variant struck Saudi Aramco and other Middle Eastern oil companies between 2012 and 2016. Shamoon breached computers and destroyed over 30,000 hard drives using a direct drive access driver called RawDisk.

The Shamoon wiper spreads itself through shared network disks. It jumps between devices and makes it impossible to recover destroyed data. The RawDisk driver overwrites disks and then wipes the master boot record, which also prevents the system from booting up.

Meanwhile, Meteor wiper malware can change passwords, disable recovery mode and issue malicious commands. Other well-known wiper malware types include NotPetya and ZeroCleare.

AcidRain Wiper Malware Incident Details

AcidRain can brute-force device file names and wipe every file it can find. A Viasat company blog post said the incident began when “high volumes of focused, malicious traffic were detected emanating from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment physically located within Ukraine and serviced by one of the KA-SAT consumer-oriented network partitions. This targeted denial of service attack made it difficult for many modems to remain online.”

According to the Viasat post, tens of thousands of modems dropped off the network. The modems did not attempt to re-enter the network, either. The attack impacted a large number of modems within Ukraine and a substantial number of other devices throughout Europe.

Widespread Use of Wiper Malware Attacks

Since the start of 2022, six strains of wiper malware have been connected with the conflict in Ukraine: WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper and DoubleZero.

AcidRain is now the seventh wiper attack that has affected Ukraine. However, the impact of this incident spread widely. During these uncertain times, many are calling for all organizations to strengthen their security posture. Some best practices include:

  • Remain on high alert given the rapidly evolving situation
  • Maintain a robust and well-tested backup and recovery plan and Include immutable backups in the plan
  • Drill your incident response plan
  • Engage in threat hunting to find latent actors
  • Thoroughly review third party vendor access
  • Implement NetFlow monitoring at all egress points
  • Review CISA and NCSC guidance for malware threats.

Cybersecurity threat resources related to the Russia-Ukraine war are readily available. It’s important to make sure you update organizational security strategies to meet current challenges.

More from News

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…

Malware-as-a-Service Flaunts Its Tally of Users and Victims

As time passes, the security landscape keeps getting stranger and scarier. How long did the “not if, but when” mentality towards cyberattacks last — a few years, maybe? Now, security pros think in terms of how often will their organization be attacked and at what cost. Or they consider how the difference between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs keeps getting blurrier. MaaS operators provide web-based services, slick UX, tiered subscriptions, newsletters and Telegram channels that keep users…

New Survey Shows Burnout May Lead to Attrition

For many organizations and the cybersecurity industry as a whole, improving retention and reducing the skills gap is a top priority. Mimecast’s The State of Ransomware Readiness 2022: Reducing the Personal and Business Cost points to another growing concern — burnout that leads to attrition. Without skilled employees, organizations cannot protect their data and infrastructure from increasing cybersecurity attacks. According to Mimecast’s report, 77% of cybersecurity leaders say the number of cyberattacks against their company has increased or stayed the…

Alleged FBI Database Breach Exposes Agents and InfraGard

Recently the feds suffered a big hack, not once, but twice. First, the FBI-run InfraGard program suffered a breach. InfraGard aims to strengthen partnerships with the private sector to share information about cyber and physical threats. That organization experienced a major breach in early December, according to a KrebsOnSecurity report. Allegedly, the InfraGard database — containing contact information of over 80,000 members — appeared up for sale on a cyber crime forum. Also, the hackers have reportedly been communicating with…