In a prior post titled “Missed Calls for SATCOM Cybersecurity: SATCOM Terminal Cyberattacks Open the War in Ukraine,” I shared three hypotheses about the identity of the threat actor responsible for the SATCOM terminal attacks that opened the war. On 31 March 2022, shortly after my post went live, other posts examining forensic evidence from the attack provided some of the additional information needed to support or reject these hypotheses.
Open-Source Forensic Analysis
Ruben Santamarta published a blog post titled “VIASAT Incident: From Speculation to Technical Details” with a forensic analysis of a compromised Surfbeam2 modem. In it, he reviews the Viasat blog post covering the cyberattack and analyzes the flash memory from both a compromised and a working Surfbeam2 modem. His results showed that the overwrite pattern used on the firmware was identical to that used by the AcidRain wiper malware.
Later the same day, a couple of analysts at SentinelOne posted their findings on the AcidRain malware titled “AcidRain | A Modem Wiper Rains Down on Europe.” They analyzed a malware sample uploaded to VirusTotal with the interesting name of ‘ukrop.’ They conclude, “While we cannot definitively tie AcidRain to VPNFilter (or the larger Sandworm threat cluster), we note a medium-confidence assessment of non-trivial developmental similarities between their components and hope the research community will continue to contribute their findings in the spirit of collaboration that has permeated the threat intelligence industry over the past month.”
The VPNFilter malware has been attributed to a specific unit of the Russian General Staff Main Intelligence Directorate (GRU), the GTsST, also known as Unit 74455. This unit has developed other derivatives of the VPNFilter malware, such as Cyclops Blink. This group is also known by the name Sandworm, among others. The GTsST has on occasion operated jointly with GRU Unit 26165, which is also referred to as APT28. Additional information about Russian-linked cyber operations elements can be found in the detailed April 2022 Joint Cybersecurity Advisory Alert (AA22-110A) from CISA.
This additional open-source forensic and analytical information supports two of the initial hypotheses about the identity of the threat actor responsible for the Viasat cyberattack: an element of Russian military intelligence (a GRU unit) or a collaboration between elements of Russian special services. Without any secret intelligence, a favored hypothesis emerged: one or more elements of the GRU. The hypothesis of the Russian FSB-linked Turla group should be disfavored based on this additional evidence.
It would be interesting to see a comparative analysis of the AcidRain and Cyclops Blink malware variants. While they have different target devices and platforms, any similarities could provide additional insights.
Intelligence Agency Public Attributions
On 10 May 2022, numerous governments made public attributions on the identity of this threat actor. Australia, Canada, Estonia, the EU, the UK, and the US variously attributed the 24 Feb 2022 Viasat SATCOM cyberattack to Russia and specific Russian cyber operation elements. Concurrently, New Zealand issued a more broadly worded communique referencing Russian cyberattacks in Ukraine without specifically mentioning the Viasat SATCOM attack.
Many of the statements mentioned spillover; however, I will share some thoughts in a future blog post on how this was much more likely a case of ‘pour-over’ (intentional, plausibly deniable spillover) rather than true spillover.
The weight of open-source forensic evidence and the public attributions made by numerous national intelligence services suggests that the threat actor responsible for the Viasat SATCOM terminal attack on 24 February 2022 was almost certainly the Russian General Staff Main Intelligence Directorate (GRU). Moreover, the open-source forensic analysis indicates it was likely the GTsST (Unit 74455) operating alone or jointly with another GRU element.