Wiper Malware: An Increasing Threat to Satellite and IoT Enabled Capabilities

Over the last decade, malicious cyber campaigns have become a regular occurrence across many industries, and the propensity of threat actors to move laterally within networks is of particular concern to the space sector. Throughout 2022, researchers and cyber threat analysts observed several instances of what is known as ‘wiper malware’, a class of malware built to overwrite disks and destroy data beyond recovery. Some attack tactics aim to profit from data, by exfiltrating it or by encrypting files in the hope of selling access back to the owner (as is the case with ransomware); wiper attacks instead seek to disrupt and deny capabilities by destroying the data outright. This type of attack can be especially severe for satellite services that prioritize uptime to deliver essential connectivity.

While many cyber professionals consider wiper attacks rare, analysts observed more than eight distinct strains of wiper malware in 2022 alone. Researchers at SentinelLabs first alleged that a wiper known as ‘AcidRain’ played a key role in the cyberattack on Viasat’s KA-SAT network in early 2022. The attack caused mass outages for thousands of users who rely on the satellite service for internet connectivity and internet of things (IoT) capabilities. Its impact on supported infrastructure was seen in the estimated 5,800 wind turbines in Germany whose remote monitoring and control links were disrupted as their satellite modems were taken offline.

Viasat later confirmed the use of AcidRain in the attack, stating that “the data destroying malware was deployed on modems using ‘legitimate management’ commands”. Although the impact of the attack extended to the capabilities delivered by the on-orbit asset, it began on the ground: according to Viasat’s account of the incident, published on March 30, 2022, the attackers exploited a misconfigured VPN appliance to gain remote access to the trusted management segment of the KA-SAT network. SentinelLabs researchers alleged that the threat actors then moved laterally and deployed AcidRain to wipe modems, “overwriting key data in flash memory… rendering the modems unable to access the network”. Even though the initial access was gained at the terrestrial layer, the effects reached the satellite service and the critical infrastructure it supports.
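The wiper behaviour described above, a process sweeping the flash and block device nodes of an embedded Linux modem and opening each one for writing, is distinctive enough to detect from host audit data. The following is an added example written for this page, not code from Space ISAC, Viasat or SentinelLabs, and it says nothing about how AcidRain itself is built. It consumes a simplified key=value log format constructed here (not real auditd output), and the allow-list of firmware-update binaries and the sample process names are hypothetical; a real deployment would parse `ausearch` output and list the device's actual signed updater.

```python
"""Flag wiper-style writes to flash and block devices in audit-style logs.

Added example, not the article's or any vendor's code. The log format,
the allow-listed updater path and the process names below are assumed.
"""
import re
from collections import defaultdict

# Device nodes behind which embedded Linux keeps flash and storage; an
# ordinary service has no reason to open these for writing.
DEVICE_RE = re.compile(r"^/dev/(mtd(block)?\d+|mmcblk\d+(p\d+)?|sd[a-z]\d*)$")

# Binaries permitted to write flash (hypothetical path for a signed updater).
ALLOWED_WRITERS = {"/usr/sbin/fw_update"}

# open(2) access-mode bits: O_RDONLY=0, O_WRONLY=1, O_RDWR=2.
O_ACCMODE = 0o3

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'k=v k=v ...' record into a dict; flags are hex, ts is int."""
    rec = dict(FIELD_RE.findall(line))
    rec["flags"] = int(rec.get("flags", "0x0"), 16)
    rec["ts"] = int(rec["ts"])
    return rec


def is_device_write(rec):
    """True when the record opens a flash/block device node for writing."""
    if rec.get("syscall") not in ("open", "openat"):
        return False
    if not DEVICE_RE.match(rec.get("path", "")):
        return False
    return (rec["flags"] & O_ACCMODE) != 0  # O_WRONLY or O_RDWR, any extra bits ignored


def detect_wiper(lines, window=5, min_devices=2):
    """Return a list of alert strings.

    Two signals: any device write by a binary outside the allow-list, and a
    single process opening several distinct devices for writing within
    `window` seconds (a wiper iterates over every device it can find, a
    legitimate updater touches one partition).
    """
    alerts = []
    per_pid = defaultdict(list)  # pid -> [(ts, path)]
    for line in lines:
        rec = parse_line(line)
        if not is_device_write(rec):
            continue
        exe = rec.get("exe", "?")
        if exe not in ALLOWED_WRITERS:
            alerts.append(f"device write by unapproved binary {exe} "
                          f"pid={rec['pid']} path={rec['path']}")
        per_pid[rec["pid"]].append((rec["ts"], rec["path"]))
    for pid, opens in per_pid.items():
        opens.sort()
        for t0, _ in opens:
            devs = {p for t, p in opens if t0 <= t <= t0 + window}
            if len(devs) >= min_devices:
                alerts.append(f"pid={pid} wrote {len(devs)} devices "
                              f"within {window}s: {sorted(devs)}")
                break
    return alerts


# Constructed sample: a legitimate updater touching one partition, a benign
# read-only open, and a hypothetical dropped binary sweeping every device.
SAMPLE_LOG = """\
ts=1000 pid=201 exe=/usr/sbin/fw_update syscall=openat path=/dev/mtdblock3 flags=0x2
ts=1001 pid=202 exe=/usr/bin/modem_stats syscall=openat path=/dev/mtdblock0 flags=0x0
ts=1050 pid=733 exe=/tmp/update syscall=openat path=/dev/mtdblock0 flags=0x1
ts=1050 pid=733 exe=/tmp/update syscall=openat path=/dev/mtdblock1 flags=0x1
ts=1051 pid=733 exe=/tmp/update syscall=openat path=/dev/mmcblk0 flags=0x1
ts=1052 pid=733 exe=/tmp/update syscall=openat path=/dev/sda flags=0x1
""".splitlines()

if __name__ == "__main__":
    for alert in detect_wiper(SAMPLE_LOG):
        print(alert)
```

On the sample, the updater's single O_RDWR open produces no alert, the read-only open is ignored, and the dropped binary triggers four per-open alerts plus one sweep alert. The sweep rule is the one worth keeping even where the allow-list cannot be maintained: it does not depend on knowing the attacker's binary name, only on the fact that a wiper must touch many devices quickly.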

The attack against the network was a “deliberate, isolated, and external cyber event,” according to Viasat spokesperson Chris Phillips. The use of wiper malware tells analysts that the motivation behind the attack was disruption: the adversaries were not intent on exfiltrating data from satellite downlinks, but on denying the critical services enabled by the KA-SAT satellite. 2022 saw a significant increase in the number of wiper variants and recorded wiper attacks, which pose a direct threat to the ground infrastructure that supports satellites. The ever-growing attack surface on the ground creates a plethora of attack vectors if left exposed, giving adversaries the ability to conduct covert cyber operations that deny and disrupt capabilities enabled by satellite technology without ever touching the spacecraft itself.

Read more from Space ISAC.