SentinelLabs describes AcidRain, an ELF MIPS wiper that targets modems and routers to overwrite flash storage, in the context of the KA-SAT outage tied to the Russia-Ukraine conflict. The report also notes potential overlaps with VPNFilter/Sandworm activity and confirms AcidRain’s use against Viasat modems, with broader implications for European infrastructure and prior wiper campaigns. #AcidRain #VPNFilter #Sandworm #Viasat #KA-SAT #Enercon #Ukraine #Russia
Keypoints
- AcidRain is a MIPS ELF wiper designed to erase filesystem data and flash memory on modems/routers, potentially rendering devices inoperable.
- The campaign is linked to the February 24, 2022 KA-SAT outage that affected remote monitoring of 5,800 Enercon wind turbines in Germany.
- Viasat described a two-phase attack: a DoS event from SurfBeam modems followed by gradual removal of modems from service, with attackers using legitimate management commands.
- There is a plausible supply-chain angle in which KA-SAT management mechanisms could push a modem/router wiper to devices.
- AcidRain’s wiping behavior targets multiple device files (e.g., /dev/sd*, /dev/mtdblock*, /dev/mmcblk*) and uses IOCTLs to erase flash, then reboots the device.
- Researchers note developmental similarities between AcidRain and VPNFilter’s Stage 3 plugin, suggesting potential overlap with Russian threat activity, though not definitively tied.
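The traits above (a MIPS ELF whose strings reference raw block and flash device nodes) are cheap to check statically. The following is an added triage example, not code from the SentinelLabs report or from the AcidRain sample itself: it parses the ELF identification fields, honours the byte order declared in EI_DATA before reading e_machine, pulls printable strings the way `strings` would, and flags a binary as worth a closer look when it is MIPS and references more than one of the device-path prefixes the report lists. The prefix list is limited to the three paths named on this page, the "two or more references" threshold is an arbitrary heuristic chosen here, and the sample bytes are constructed in the script rather than taken from any real wiper.

```python
import re
import struct

EM_MIPS = 8          # ELF e_machine value for MIPS
MIN_STRING_LEN = 6   # minimum printable run to count as a string

# Device-file prefixes the report says AcidRain opens and overwrites.
# Assumption: limited to the paths named in this summary; extend as needed.
DEVICE_PREFIXES = (b"/dev/sd", b"/dev/mtdblock", b"/dev/mmcblk")


def parse_elf_header(data: bytes):
    """Parse the ELF identification bytes plus e_type and e_machine.

    Returns a dict, or None when the bytes are not a well-formed ELF32/ELF64
    header. EI_DATA is honoured so that a big-endian MIPS sample is not
    misclassified by reading e_machine in the wrong byte order.
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,
        "e_machine": e_machine,
    }


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN):
    """Return printable-ASCII runs of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def triage(data: bytes) -> dict:
    """Score a blob against the AcidRain traits described in the report."""
    hdr = parse_elf_header(data)
    if hdr is None:
        return {"is_elf": False, "is_mips": False, "device_refs": [], "suspicious": False}
    refs = sorted(
        {s.decode("ascii") for s in extract_strings(data)
         if any(s.startswith(p) for p in DEVICE_PREFIXES)}
    )
    is_mips = hdr["e_machine"] == EM_MIPS
    return {
        "is_elf": True,
        "is_mips": is_mips,
        "endian": hdr["endian"],
        "device_refs": refs,
        # Heuristic only: MIPS plus more than one raw flash/block device path.
        "suspicious": is_mips and len(refs) >= 2,
    }


def build_sample(e_machine: int = EM_MIPS, big_endian: bool = True,
                 strings=DEVICE_PREFIXES) -> bytes:
    """Construct a minimal ELF32 header followed by NUL-separated strings.

    Constructed test data for this example; it is not an AcidRain sample.
    """
    ei_data = 2 if big_endian else 1
    e_ident = b"\x7fELF" + bytes([1, ei_data, 1, 0]) + b"\x00" * 8
    fmt = (">" if big_endian else "<") + "HHIIIIIHHHHHH"
    # e_type=2 (ET_EXEC), e_machine, e_version=1, entry/phoff/shoff/flags=0,
    # e_ehsize=52, remaining size/count fields 0.
    rest = struct.pack(fmt, 2, e_machine, 1, 0, 0, 0, 0, 52, 0, 0, 0, 0, 0)
    return e_ident + rest + b"\x00".join(strings) + b"\x00"


if __name__ == "__main__":
    for label, blob in (("constructed MIPS sample", build_sample()),
                        ("constructed x86 sample", build_sample(e_machine=3, big_endian=False)),
                        ("not an ELF", b"hello world, not an ELF at all")):
        print(label, triage(blob))
```

This is a first-pass filter for a pile of firmware or VirusTotal downloads, not a signature: a packed or string-obfuscated build would pass through untouched, and a legitimate flash utility for the same platform would trip it. Confirm a hit against the SHA256 in the IOC list and by inspecting the code that opens the device nodes.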
MITRE Techniques
- [T1195] Supply Chain Compromise – The attackers abused the KA-SAT management mechanism to push a wiper built for modems and routers to customer devices. “The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers.”
- [T1133] External Remote Services – Initial access came through a misconfigured VPN appliance, which gave the attackers a foothold in the trusted management segment of the KA-SAT network; from there they moved laterally and used that access to “execute legitimate, targeted management commands” on a large number of residential modems simultaneously.
- [T1499] Endpoint Denial of Service – The first phase was a denial-of-service event originating from modems inside Ukraine that temporarily knocked KA-SAT modems offline. “First, a denial of service attack coming from ‘several SurfBeam2 and SurfBeam2+ modems and […] other on-prem equipment…’ physically located within Ukraine.”
- [T1485] Data Destruction – The wiper overwrote key data in flash memory on the modems, rendering them unable to access the network (though not permanently unusable). “these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”
- [T1021] Remote Services (Lateral Movement) – After gaining access to the KA-SAT network the attackers moved laterally and reached a large number of devices with legitimate management commands. “moved laterally, then used their access to ‘execute legitimate, targeted management commands’ on a large number of residential modems simultaneously.”
Indicators of Compromise
- [File Hash] 9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a – AcidRain ukrop binary SHA256 hash (First Seen 2022-03-15 15:08:02 UTC)
- [File Hash] 86906b140b019fdedaaba73948d0c8f96a6b1b42 – VPNFilter Stage 3 plugin compared against AcidRain in the report (SHA1)
- [File Name] ukrop – Name of the MIPS ELF binary uploaded to VirusTotal
- [Device File] /dev/sd* – Generic block device targeted by wiping operations
- [Device File] /dev/mtdblock* – Flash memory device targeted by wiping operations
Read more: https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/