The United States and the European Union on Tuesday said Russia was responsible for a cyberattack in February that crippled a satellite network in Ukraine and neighboring countries, disrupting communications and a wind farm used to generate electricity.
The February 24 attack unleashed wiper malware that destroyed thousands of satellite modems used by Viasat customers. A month later, security firm SentinelOne said its analysis of the wiper malware used in the attack showed many technical similarities to VPNFilter, a piece of malware detected on more than 500,000 home and small office modems in 2018. Several U.S. government agencies attributed VPNFilter to Russian government threat actors.
Tens of thousands of modems taken out by AcidRain
“Today, in support of the European Union and other partners, the United States publicly shares its assessment that Russia launched cyber attacks on commercial satellite networks in late February to disrupt Ukrainian command and control during the invasion, and these actions had side effects on other European countries,” US Secretary of State Antony Blinken wrote in a statement. “This activity has disabled terminals with very small apertures in Ukraine and across Europe. These are tens of thousands of terminals outside Ukraine, which, among other things, support wind turbines and provide Internet services to private citizens.”
AcidRain, the name of the wiper analyzed by SentinelOne, is a previously unknown piece of malware. AcidRain, which consists of an executable file for the MIPS hardware in Viasat modems, is the seventh separate piece of malware associated with the Russian invasion of Ukraine. Wipers destroy data on hard drives in a way that cannot be undone. In most cases, they make devices or entire networks completely unusable.
SentinelOne researchers said they found “non-trivial” but ultimately “inconclusive” developmental similarities between AcidRain and “dstr”, the name of the wiper module in VPNFilter. The similarities included a 55 percent code similarity measured using a tool known as TLSH, identical section header string tables, and “storing the previous system call number in a global location before a new system call”.
At the time, Viasat officials said SentinelOne’s analysis and findings were consistent with the results of their own investigation.
One of the first signs of the hack came when more than 5,800 wind turbines owned by German energy company Enercon were knocked offline. The outage did not stop the turbines from spinning, but prevented engineers from remotely resetting them. Since then, Enercon has managed to bring most of the affected turbines back online and replace the satellite modems.
“The cyberattack took place an hour before Russia’s unprovoked and unjustified invasion of Ukraine on February 24, 2022, which contributed to military aggression,” EU officials said in an official statement. “This cyber attack had a significant impact, causing indiscriminate disruptions and disruptions in several government agencies, businesses and users of Ukraine, and affected several EU member states.”
In a separate statement, British Foreign Secretary Liz Truss said: “This is clear and shocking evidence of Russia’s deliberate and vicious attack on Ukraine, which has had significant consequences for ordinary people and businesses in Ukraine and throughout Europe.”
The cyberattack was one of many that Russia has carried out against Ukraine over the past eight years. In 2015 and again in 2016, hackers working for the Kremlin caused power outages, leaving hundreds of thousands of Ukrainians without heat in one of the coldest months.
Beginning around January 2022, on the eve of Russia’s invasion of the neighboring country, Russia launched a number of other cyberattacks against Ukrainian targets, including a series of distributed denial-of-service attacks, website defacements, and wiper attacks.
In addition to the two attacks on Ukraine’s electricity infrastructure, evidence shows that Russia is also responsible for NotPetya, another disk wiper that was released in Ukraine and later spread worldwide, where it caused an estimated $10 billion in damage. In 2018, the United States sanctioned Russia for the NotPetya attack and interference in the 2016 election.
Critics have long said that the US and its allies have not done enough to punish Russia for NotPetya or the attacks on Ukraine in 2015 or 2016, which remain the only known real-world hacks to cut off electricity.