{
	"id": "a097c1ac-743e-4cf7-a56b-aca5b2f0258b",
	"created_at": "2026-04-06T00:08:58.44079Z",
	"updated_at": "2026-04-10T13:13:00.588235Z",
	"deleted_at": null,
	"sha1_hash": "0fa85dbc8bb26609211b2d53b355f94d34b03a76",
	"title": "AcidRain | A Modem Wiper Rains Down on Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4371265,
	"plain_text": "AcidRain | A Modem Wiper Rains Down on Europe\r\nBy Juan Andrés Guerrero-Saade\r\nPublished: 2022-03-31 · Archived: 2026-04-05 15:28:42 UTC\r\nBy Juan Andres Guerrero-Saade (@juanandres_gs) and Max van Amerongen (@maxpl0it)\r\nExecutive Summary\r\nOn Thursday, February 24th, 2022, a cyber attack rendered Viasat KA-SAT modems inoperable in Ukraine.\r\nSpillover from this attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for\r\nremote monitoring or control.\r\nViasat’s statement on Wednesday, March 30th, 2022 provides a somewhat plausible but incomplete\r\ndescription of the attack.\r\nSentinelLabs researchers discovered new malware that we named ‘AcidRain’.\r\nAcidRain is an ELF MIPS malware designed to wipe modems and routers.\r\nWe assess with medium-confidence that there are developmental similarities between AcidRain and a\r\nVPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter\r\ncampaign to the Russian government\r\nAcidRain is the 7th wiper malware associated with the Russian invasion of Ukraine.\r\nUpdate: In a statement disseminated to journalists, Viasat confirmed the use of the AcidRain wiper in the\r\nFebruary 24th attack against their modems.\r\nContext\r\nThe Russian invasion of Ukraine has included a wealth of cyber operations that have tested our collective\r\nassumptions about the role that cyber plays in modern warfare. Some commentators have voiced a bizarre\r\ndisappointment at the ‘lack of cyber’ while those at the coalface are overwhelmed by the abundance of cyber\r\noperations accompanying conventional warfare. From the beginning of 2022, we have dealt with six different\r\nstrains of wiper malware targeting Ukraine: WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper,\r\nand DoubleZero. These attacks are notable on their own. But there’s been an elephant in the room by way of the\r\nrumored ‘satellite modem hack’. 
This particular attack goes beyond Ukraine.\r\nWe first became aware of an issue with Viasat KA-SAT routers due to a reported outage of 5,800 Enercon wind\r\nturbines in Germany. To clarify, the wind turbines themselves were not rendered inoperable but “remote\r\nmonitoring and control of the wind turbines” became unavailable due to issues with satellite communications. The\r\ntiming coincided with the Russian invasion of Ukraine and suspicions arose that an attempt to take out Ukrainian\r\nmilitary command-and-control capabilities by hindering satellite connectivity spilled over to affect German\r\ncritical infrastructure. No technical details became available; technical speculation has been rampant.\r\nOn Wednesday, March 30th, 2022, Viasat finally released a statement saying that the attack took place in two\r\nphases: First, a denial-of-service attack coming from “several SurfBeam2 and SurfBeam2+ modems and […other\r\nhttps://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/\r\nPage 1 of 10\n\non-prem equipment…] physically located within Ukraine” that temporarily knocked KA-SAT modems offline.\r\nThen, the gradual disappearance of modems from the Viasat service. The actual service provider is in the midst of\r\na complex arrangement where Eutelsat provides the service, but it is administered by an Italian company called\r\nSkylogic as part of a transition plan.\r\nThe Viasat Explanation\r\nAt the time of writing, Viasat has not provided any technical indicators nor an incident response report. They did\r\nprovide a general sense of the attack chain with conclusions that are difficult to reconcile.\r\nViasat reports that the attackers exploited a misconfigured VPN appliance, gained access to the trust management\r\nsegment of the KA-SAT network, moved laterally, then used their access to “execute legitimate, targeted\r\nmanagement commands on a large number of residential modems simultaneously”. 
Viasat goes on to add that\r\n“these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to\r\naccess the network, but not permanently unusable”.\r\nIt remains unclear how legitimate commands could have such a disruptive effect on the modems. Scalable\r\ndisruption is more plausibly achieved by pushing an update, script, or executable. It’s also hard to envision how\r\nlegitimate commands would enable either the DoS effects or render the devices unusable but not permanently\r\nbricked.\r\nIn effect, the preliminary Viasat incident report posits the following requirements:\r\n1. Could be pushed via the KA-SAT management segment onto modems en masse\r\n2. Would overwrite key data in the modem’s flash memory\r\n3. Would render the devices unusable, in need of a factory reset or replacement, but not permanently unusable\r\nWith those requirements in mind, we postulate an alternative hypothesis: The threat actor used the KA-SAT\r\nmanagement mechanism in a supply-chain attack to push a wiper designed for modems and routers. A wiper for\r\nthis kind of device would overwrite key data in the modem’s flash memory, rendering it inoperable and in need of\r\nreflashing or replacing.\r\nSubsequent to this post being published, Viasat confirmed to journalists that our analysis was consistent with their\r\nreports.\r\nViasat told BleepingComputer that “The analysis in the SentinelLabs report regarding the ukrop binary is\r\nconsistent with the facts in our report – specifically, SentinelLabs identifies the destructive executable that was run\r\non the modems using a legitimate management command as Viasat previously described”.\r\nThe AcidRain Wiper\r\nOn Tuesday, March 15th, 2022, a suspicious upload caught our attention. A MIPS ELF binary was uploaded to\r\nVirusTotal from Italy with the name ‘ukrop’. 
We didn’t know how to parse the name accurately. Possible\r\ninterpretations include a shorthand for “ukr”aine “op”eration, the acronym for the Ukrainian Association of\r\nPatriots, or a Russian ethnic slur for Ukrainians – ‘Укроп’. Only the incident responders in the Viasat case could\r\nsay definitively whether this was in fact the malware used in this particular incident. We posit its use as a fitting\r\nhypothesis and will describe its functionality, quirky development traits, and possible overlaps with previous\r\nRussian operations in need of further research.\r\nTechnical Overview\r\nSHA256 9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a\r\nSHA1 86906b140b019fdedaaba73948d0c8f96a6b1b42\r\nMD5 ecbe1b1e30a1f4bffaf1d374014c877f\r\nName ukrop\r\nMagic ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped\r\nFirst Seen 2022-03-15 15:08:02 UTC\r\nAcidRain’s functionality is relatively straightforward and takes a brute-force approach, which possibly signifies that the\r\nattackers were either unfamiliar with the particulars of the target firmware or wanted the tool to remain generic\r\nand reusable. The binary performs an in-depth wipe of the filesystem and various known storage device files. 
If\r\nthe code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the\r\nfilesystem.\r\nRecursively delete files in nonstandard folders\r\nFollowing this, it attempts to destroy the data in the following storage device files:\r\nTargeted device(s) – Description\r\n/dev/sd* – A generic block device\r\n/dev/mtdblock* – Flash memory (common in routers and IoT devices)\r\n/dev/block/mtdblock* – Another potential way of accessing flash memory\r\n/dev/mtd* – The MTD character device for flash memory, which supports file operations\r\n/dev/mmcblk* – SD/MMC cards\r\n/dev/block/mmcblk* – Another potential way of accessing SD/MMC cards\r\n/dev/loop* – Virtual block devices\r\nThis wiper iterates over all possible device file identifiers (e.g., mtdblock0 – mtdblock99), opens the device file,\r\nand either overwrites it with up to 0x40000 bytes of data or (in the case of the /dev/mtd* device file) uses the\r\nfollowing IOCTLs to erase it: MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB. To make sure\r\nthat these writes have been committed, the developers call fsync.\r\nThe code that generates the malicious data used to overwrite storage\r\nWhen the overwriting method is used instead of the IOCTLs, it copies from a memory region initialized as an\r\narray of 4-byte integers starting at 0xffffffff and decrementing at each index. 
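The overwrite pattern described above is also the most useful forensic fingerprint the post gives: a device file that went through the write path will start with 0xffffffff, 0xfffffffe, 0xfffffffd, ... for up to 0x40000 bytes. The following is an added example written for this page, not code from the SentinelLabs post or from the AcidRain sample. It rebuilds that pattern and scans a flash dump for it, the check an incident responder would run on an image pulled from a recovered modem. Two things are assumptions: the sample is an MSB (big-endian) MIPS ELF, so the in-memory array is taken to land on flash big-endian (the scanner also tries little-endian for dumps from other targets), and the dumps it scans are constructed here rather than real SurfBeam2 images.

```python
# Added example (not code from the SentinelLabs post or from the AcidRain sample):
# reconstruct the overwrite pattern the post describes and scan a flash dump for it.
import struct

WRITE_LIMIT = 0x40000   # per the post: up to 0x40000 bytes written to each device file


def acidrain_pattern(length=WRITE_LIMIT, byteorder='big'):
    '''Bytes of an array of 4-byte integers starting at 0xffffffff and
    decrementing by one at each index, truncated to `length` bytes.
    Assumption: the sample is an MSB (big-endian) MIPS ELF, so the array
    copied out of memory lands on flash big-endian; 'little' is offered for
    dumps taken from other targets.'''
    fmt = ('>' if byteorder == 'big' else '<') + 'I'
    words = (length + 3) // 4
    buf = b''.join(struct.pack(fmt, 0xFFFFFFFF - i) for i in range(words))
    return buf[:length]


def find_acidrain_runs(dump, min_words=16):
    '''Return (offset, length_in_bytes, byteorder) for every run of the
    decrementing pattern in `dump`. A run must open with 0xffffffff, 0xfffffffe
    and continue for at least min_words words, so erase-fill (all 0xff) from a
    blank or legitimately erased region never matches. Only word-aligned hits
    count: the write starts at device offset 0, and the alignment rule also
    stops a big-endian run from being re-read as a little-endian one at +3.'''
    runs = []
    for byteorder in ('big', 'little'):
        marker = acidrain_pattern(8, byteorder)          # first two words
        pos = dump.find(marker)
        while pos != -1:
            if pos % 4:
                pos = dump.find(marker, pos + 1)
                continue
            n = 0
            while pos + 4 * (n + 1) <= len(dump):
                word = int.from_bytes(dump[pos + 4 * n:pos + 4 * (n + 1)], byteorder)
                if word != 0xFFFFFFFF - n:
                    break
                n += 1
            if n >= min_words:
                runs.append((pos, 4 * n, byteorder))
            pos = dump.find(marker, pos + 4 * n)
    return sorted(runs)


def looks_wiped_by_acidrain(dump):
    '''True when the pattern starts at offset 0 and covers min(len, WRITE_LIMIT)
    bytes, i.e. exactly what one AcidRain write pass leaves on a device file.'''
    expected = min(len(dump), WRITE_LIMIT)
    return any(off == 0 and length >= expected
               for off, length, _ in find_acidrain_runs(dump))


def constructed_dumps():
    '''Constructed inputs (not real modem dumps): a 0x50000-byte device whose
    first 0x40000 bytes were overwritten, a 0x1000-byte device overwritten end
    to end, and an untouched device holding non-repeating filler.'''
    filler = bytes((i * 7 + 3) & 0xFF for i in range(0x10000))
    return {
        'large_wiped': acidrain_pattern() + filler,
        'small_wiped': acidrain_pattern(0x1000),
        'clean': filler * 4,
    }


if __name__ == '__main__':
    for name, dump in constructed_dumps().items():
        print(name, find_acidrain_runs(dump), looks_wiped_by_acidrain(dump))
```

Running the block prints the runs found in each constructed dump. On a real image the scanner only identifies the write path: the MEM* IOCTL path leaves erased flash reading as 0xff throughout, which carries no pattern to attribute, so an all-0xff region is consistent with MEMERASE but equally with a region that was never written.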
This matches what others had\r\nseen after the exploit had taken place.\r\nSide-by-side comparison of a Surfbeam2 modem pre- and post-attack\r\nThe code for both erasure methods can be seen below:\r\nMechanisms to erase devices: write 0x40000 (left) or use MEM* IOCTLs (right)\r\nOnce the various wiping processes are complete, the device is rebooted.\r\nRedundant attempts to reboot the device\r\nThis results in the device being rendered inoperable.\r\nAn Interesting Oddity\r\nDespite what the Ukraine invasion has taught us, wiper malware is relatively rare. Wiper malware aimed\r\nat routers, modems, or IoT devices is rarer still. The most notable case is VPNFilter, a modular malware aimed at SOHO\r\nrouters and QNAP storage devices, discovered by Talos. This was followed by an FBI indictment attributing the\r\noperation to Russia (APT28, in particular). More recently, the NSA and CISA attributed VPNFilter to Sandworm\r\n(a different threat actor attributed to the same organization, the Russian GRU) as the U.K.’s National Cyber\r\nSecurity Centre (NCSC) described VPNFilter’s successor, Cyclops Blink.\r\nVPNFilter included an impressive array of functionality in the form of multi-stage plugins selectively deployed to\r\nthe infected devices. 
The functionality ranges from credential theft to monitoring Modbus SCADA protocols.\r\nAmong its many plugins, it also included functionality to wipe and brick devices as well as DDoS a target.\r\nThe reason we bring up the specter of VPNFilter is not because of its superficial similarities to AcidRain but\r\nrather because of an interesting (but inconclusive) code overlap between a specific VPNFilter plugin and\r\nAcidRain.\r\nVPNFilter Stage 3 Plugin – ‘dstr’\r\nSHA256 47f521bd6be19f823bfd3a72d851d6f3440a6c4cc3d940190bdc9b6dd53a83d6\r\nSHA1 261d012caa96d3e3b059a98388f743fb8d39fbd5\r\nMD5 20ea405d79b4de1b90de54a442952a45\r\nDescription VPNFilter Stage 3, ‘dstr’ module\r\nMagic ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped\r\nFirst Seen 2018-06-06 13:02:56 UTC\r\nAfter the initial discovery of VPNFilter, additional plugins were revealed by researchers attempting to understand\r\nthe massive spread of the botnet and its many intricacies. Among these were previously unknown plugins,\r\nincluding ‘dstr’. As the mangled name suggests, it’s a ‘destruction’ module meant to supplement stage 2 plugins\r\nthat lacked the ‘kill’ command meant to wipe the devices.\r\nThis plugin was brought to our attention initially by TLSH fuzzy hashing, a more recent matching library that’s\r\nproven far more effective than ssdeep or imphash in identifying similar samples. The similarity was at 55% to\r\nAcidRain with no other samples being flagged in the VT corpus. This alone is not nearly enough to conclusively\r\njudge the two samples as tied, but it did warrant further investigation.\r\nVPNFilter and AcidRain are both notably similar and dissimilar. They’re both MIPS ELF binaries and the bulk of\r\ntheir shared code appears to stem from statically-linked libc. 
It appears that they may also share a compiler, most\r\nclearly evidenced by the identical section header string tables.\r\nSection header string tables for VPNFilter and AcidRain\r\nAnd there are other development quirks, such as the storing of the previous syscall number to a global location\r\nbefore a new syscall. At this time, we can’t judge whether this is a shared compiler optimization or a strange\r\ndeveloper quirk.\r\nMore notably, while VPNFilter and AcidRain work in very different ways, both binaries make use of the\r\nMEMGETINFO, MEMUNLOCK, and MEMERASE IOCTLs to erase mtd device files.\r\nOn the left, AcidRain; on the right, VPNFilter\r\nThere are also notable differences between VPNFilter’s ‘dstr’ plugin and AcidRain. The latter appears to be a far\r\nsloppier product that doesn’t consistently rise to the coding standards of the former. For example, note the\r\nredundant use of process forking and needless repetition of operations.\r\nThey also appear to serve different purposes, with the VPNFilter plugin targeting specific devices with hardcoded\r\npaths, and AcidRain taking more of a “one-binary-fits-all” approach to wiping devices. By brute-forcing device\r\nfilenames, the attackers can more readily reuse AcidRain against more diverse targets.\r\nWe invite the research community to stress test this developmental overlap and contribute their own findings.\r\nConclusions\r\nAs we consider what’s possibly the most important cyber attack in the ongoing Russian invasion of Ukraine, there\r\nare many open questions. 
Despite Viasat’s statement claiming that there was no supply-chain attack or use of\r\nmalicious code on the affected routers, we posit the more plausible hypothesis that the attackers deployed\r\nAcidRain (and perhaps other binaries and scripts) to these devices in order to conduct their operation.\r\nWhile we cannot definitively tie AcidRain to VPNFilter (or the larger Sandworm threat cluster), we note a\r\nmedium-confidence assessment of non-trivial developmental similarities between their components and hope the\r\nresearch community will continue to contribute their findings in the spirit of collaboration that has permeated the\r\nthreat intelligence industry over the past month.\r\nReferences\r\nhttps://www.wired.com/story/viasat-internet-hack-ukraine-russia/\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-076a\r\nhttps://www.airforcemag.com/hackers-attacked-satellite-terminals-through-management-network-viasat-officials-say/\r\nhttps://nps.edu/documents/104517539/104522593/RELIEF12-4_QLR.pdf/9cc03d09-9af4-410e-b601-a8bffdae0c30\r\nhttps://www.reuters.com/business/media-telecom/exclusive-hackers-who-crippled-viasat-modems-ukraine-are-still-active-company-2022-03-30/\r\nhttps://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/\r\nhttps://blog.talosintelligence.com/2018/05/VPNFilter.html\r\nhttps://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1\r\nhttps://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html\r\nhttps://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf\r\nhttps://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-054a\r\nSource: https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"
	],
	"report_names": [
		"acidrain-a-modem-wiper-rains-down-on-europe"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434138,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0fa85dbc8bb26609211b2d53b355f94d34b03a76.pdf",
		"text": "https://archive.orkl.eu/0fa85dbc8bb26609211b2d53b355f94d34b03a76.txt",
		"img": "https://archive.orkl.eu/0fa85dbc8bb26609211b2d53b355f94d34b03a76.jpg"
	}
}