Less than an hour before Russian troops invaded Ukraine, hackers targeted the ground infrastructure of U.S. satellite company Viasat, partially blocking internet access in Europe.
The 2023 CrowdStrike Global Threat Report, released this week, highlights the use of AcidRain malware, which appeared explicitly designed to disrupt the Viasat satellite communications network segments providing internet connectivity to Ukraine.
In what might have been an unintended spillover effect, at least three internet service providers across Europe were also affected, resulting in outages for tens of thousands of customers and the disruption of around 5,800 wind turbines operated by Enercon in Germany.
Researchers have confirmed that the attacker introduced the AcidRain malware through a vulnerable virtual private network (VPN) controlled by Skylogic in Turin, Italy. VPN software allows only authorised users to join a company’s internal network remotely.
From there, the malware moved into one of Viasat’s crown jewels, “the trusted management segment of the KA-SAT network,” according to a report released by Viasat.
Although the KA-SAT satellite itself was not damaged, the attacker sent commands to thousands of modems via the satellite’s 82 spot beams, which are received by satellite dishes around Europe.
Once in the ground network, the AcidRain malware attacked the flash memory of Viasat’s SurfBeam modems. As a result, some 45,000 modems and routers were flooded with junk data, which wiped out their flash memory. By April, Viasat had shipped 30,000 replacement modems to bring customers back online.
CrowdStrike reports that Russia’s cyber operations against Ukraine continue, but with a marked reduction in capability, likely reflecting a lack of planning beyond the Kremlin’s expectations of a short military conflict.