PROJECT | SEC_OPS Workspace
SEV: CRITICAL
DECLASSIFIED TLP: CLEAR Data Pull: 2026-05-19 21:41:32

Viasat KA-SAT Network Sabotage

Operation AcidRain / GRU Unit 74455

Date of Incident
2022-02-24 05:00 UTC
Target Infrastructure
Eutelsat KA-SAT 9A
Threat Actor
Sandworm (RU)
PAYLOAD
AcidRain (ELF MIPS)

EXECUTIVE SUMMARY: On the eve of the kinetic invasion of Ukraine, Russian military intelligence executed a highly coordinated supply-chain attack against the Viasat KA-SAT satellite network. By exploiting a VPN misconfiguration at a ground station in Turin, Italy, threat actors deployed a custom wiper malware to tens of thousands of customer edge devices, resulting in catastrophic communication failures across Ukraine and severe collateral infrastructure damage across Europe.

Executive Brief // BLUF

PRIMARY ACTOR
GRU / Sandworm

Russian military intelligence apparatus, specifically Unit 74455, responsible for prior disruptive cyber-physical attacks (NotPetya, Industroyer).

STRATEGIC TARGET
Viasat KA-SAT Network

High-speed satellite broadband network providing critical communication links across Europe, heavily relied upon by Ukrainian military forces.

TACTICAL OBJECTIVE
C2 Disruption (Kinetic Prep)

Severing Ukrainian military command and control (C2) capabilities immediately preceding the physical invasion on Feb 24, 2022.

COLLATERAL IMPACT
Severe Spillover

30,000+ modems bricked EU-wide. Severe collateral damage affecting German wind turbine infrastructure (Enercon) and broader European broadband customers.

Impact Metrics Dashboard
  • End User Devices Compromised: ~30,000 modems bricked (est.)
  • Critical Infrastructure Collateral: ~5,800 Enercon wind turbines offline (DE)
  • Time To Total Loss: 45 min from malware push to network failure
  • Charts: Network Traffic Anomaly (04:00 - 06:00 UTC, malicious volume spike); Device Impact by Region; Sector Impact Severity
TARGET_VECTORS (geospatial panel)
  • ORIGIN_NODE: LOC 55.7558, 37.6173
  • BREACH_POINT: LOC 45.0703, 7.6868
  • PRIMARY_TARGET: LOC 50.4501, 30.5234
  • SAT_LINK: KA-SAT 9A, ORBIT: GEO 9°E, MODEMS_LOST: ~30,000
Event Chronology Log
TIMEZONE: UTC
2022-02-23
PRE-INVASION

Initial Infrastructure Breach

TA ACTIVITY

Threat actors (attributed to Sandworm) exploit a misconfigured VPN appliance to gain unauthorized access to the trusted management segment of the KA-SAT network at Skylogic's ground station in Turin, Italy.

2022-02-24
05:00 UTC

Phase 1: Traffic Anomaly

NET ANOMALY

Coinciding with the start of the kinetic invasion of Ukraine, high volumes of malicious traffic originate from modems within Ukraine, causing initial network congestion and DoS conditions.

2022-02-24
05:02 UTC

Phase 2: Mass Payload Deployment

CRITICAL EVENT

Attackers move laterally and abuse trusted management commands to deploy the AcidRain wiper malware. The binary recursively wipes the filesystem of tens of thousands of modems simultaneously and forces a reboot.

> EXEC_CMD: push_update --target=all --binary=acidrain
> STATUS: 30,000+ devices unresponsive
POST-EVENT
ANALYSIS

Collateral Damage Assessment

IMPACT ASSESSMENT

Massive collateral damage reported across Europe. Most notably, ~5,800 Enercon wind turbines in Germany lose remote monitoring and control capabilities. Modems require physical replacement or manual reflashing by technicians.

TACTICAL_WORKFLOW // MITRE ATT&CK
T1133
INITIAL ACCESS

VPN Exploitation

Exploited misconfigured VPN appliance to breach Turin ground station.

T1570
LATERAL MOVEMENT

Network Traversal

Navigated from the VPN entry point into the trusted KA-SAT management segment.

T1072
EXECUTION

Payload Delivery

Used legitimate management tools to push the AcidRain wiper disguised as a firmware update.

T1485
IMPACT

Data Destruction

AcidRain executes, overwrites flash memory, and bricks ~30,000 modems instantly.
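Detection logic for the management-plane abuse described in Phase 2 and under T1072, as an added example (not Viasat or Skylogic code) run over constructed management-server log lines, one of which reproduces the page's illustrative push command. The log format, the approved-image allowlist, the jump-host subnet and the change window are all assumptions.

```python
"""Detection logic for mass firmware-push abuse on a modem management plane.
Added example, not Viasat/Skylogic code: log format, allowlist, subnet and
change window are assumptions."""
import re
from datetime import datetime

# Constructed log lines; the second mirrors the page's dramatised push command.
SAMPLE_LOG = """\
2022-02-23T22:10:05Z mgmt01 user=svc_fw src=10.20.0.14 cmd=push_update --target=grp-eu-west-07 --binary=sb2_fw_3.7.1.bin
2022-02-24T05:02:11Z mgmt01 user=svc_fw src=10.99.7.3 cmd=push_update --target=all --binary=acidrain
2022-02-24T05:02:13Z mgmt01 user=ops_jane src=10.20.0.22 cmd=show_status --target=grp-eu-west-07
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"cmd=(?P<cmd>\S+)(?P<args>.*)$")
ARG_RE = re.compile(r"--(\w+)=(\S+)")

APPROVED_IMAGES = {"sb2_fw_3.7.1.bin"}   # assumed signed-release allowlist
MGMT_SUBNET = "10.20.0."                  # assumed operator jump-host subnet
CHANGE_WINDOW_UTC = range(22, 24)         # assumed 22:00-24:00 maintenance window

def parse(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["args"] = dict(ARG_RE.findall(rec["args"]))
    rec["hour"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    return rec

def score(rec):
    """Return the names of the rules a push_update event trips (empty otherwise)."""
    if rec is None or rec["cmd"] != "push_update":
        return []
    hits, a = [], rec["args"]
    if a.get("target") == "all":                 # fleet-wide push, no canary group
        hits.append("fleet_wide_target")
    if a.get("binary") not in APPROVED_IMAGES:   # image is not a known release
        hits.append("unapproved_image")
    if not rec["src"].startswith(MGMT_SUBNET):   # issued from outside the jump hosts
        hits.append("source_outside_mgmt_subnet")
    if rec["hour"] not in CHANGE_WINDOW_UTC:     # outside the maintenance window
        hits.append("outside_change_window")
    return hits

def detect(log_text, min_hits=2):
    """Return (timestamp, hits) for every event tripping at least min_hits rules."""
    events = (parse(l) for l in log_text.splitlines())
    return [(r["ts"], score(r)) for r in events if r and len(score(r)) >= min_hits]
```

Requiring two or more rules to fire keeps a single late but otherwise normal push from paging anyone, while the fleet-wide push of an unknown image from an unexpected source trips all four.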

Payload Signature Analysis

AcidRain Wiper

A Linux MIPS ELF binary built specifically to render embedded devices (modems, routers) inoperable. It takes a brute-force approach, performing an in-depth, recursive wipe of the filesystem.

INDICATORS_OF_COMPROMISE (IOCs)
TYPE VALUE
SHA-256 d00083bd1b26f584e85743c5b8e968037004fdbfa14cb351f08f83034293f0b4
FILE_TYPE ELF 32-bit LSB executable (MIPS)
FAMILY VPNFilter / AcidPour
TARGET_ARCH MIPS (Big-endian / Little-endian)
BINARY_ANALYSIS // ELF_HEADER
SYSTEM_LOG // DEV_TTY0
WIPER_ACTIVE

Indicators of Compromise

Actionable threat intelligence feed derived from the AcidRain deployment. Use these artifacts to scan infrastructure for dormant wiper components.

TYPE INDICATOR DESCRIPTION
SHA-256 e82d8c39e0bd589f7a93a1cf5536412f11cc5cf065a397c729c1fb297491ffbd AcidRain primary ELF executable (MIPS)
SHA-256 19c36dfc19bdf01a7000e3da9b5f58ed34b281f6233ba38d6fc5dae7bfa5dbfc AcidRain variant observed in secondary cluster
IPv4 185.x.x.x (Redacted) Compromised Skylogic VPN endpoint utilized for initial access
YARA APT_Wiper_AcidRain_ELF_Mar22 Detects specific device enumeration loops (`/dev/mtdblock`)
Threat Actor Entity Mapping

GRU Unit 74455

State Actor
ALIASES Sandworm, Voodoo Bear, UAC-0082
ORIGIN Russian Federation (GRU)

Highly sophisticated military cyber unit. Historic operations include NotPetya (2017), Ukrainian power grid blackouts (Industroyer, 2016), and Olympic Destroyer (2018).

Correlated Campaigns (2022)
  • JAN
    WhisperGate
    Wiper masquerading as ransomware (UA Gov).
  • FEB
    HermeticWiper
    Deployed pre-invasion on UA financial sector.
Attribution Graph // Force Directed (interactive node graph; node types: Threat Actor, Malware, Target)

Mitigation and Recovery

Status: Contained // Hardware Replacement Required

The Hardware Problem

Unlike ransomware, which encrypts files to extort payment, AcidRain was designed as a pure wiper: it deliberately overwrote the flash memory (`/dev/mtdblock`) of the SurfBeam2 modems.

CRITICAL FAILURE
Modems were rendered completely unbootable ("bricked"). Remote patching was impossible as the devices could no longer connect to the network.

Recovery Protocol Execution

1. NETWORK SEGMENTATION
   Viasat identified the compromised VPN appliance in Turin and immediately severed the management network access to halt further commands.
2. HARDWARE REPLACEMENT
   Due to the physical destruction of flash memory, Viasat was forced to dispatch nearly 30,000 physical replacement modems to customers across Europe.
3. FIRMWARE HARDENING
   Over-the-air (OTA) updates were pushed to uncompromised devices to harden management interfaces against malicious binary execution.
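One shape the firmware hardening step above can take, as an added example (not Viasat's or Skylogic's tooling): a gate in front of the update push path that refuses an image whose SHA-256 is not on a release allowlist, that is not the 32-bit MIPS ELF the fleet expects, or that carries the `/dev/mtdblock` enumeration strings named in the YARA entry and in the Hardware Problem section. The allowlist and both sample ELF images are constructed, and the SHA-256 allowlist stands in for real signature verification.

```python
"""Pre-deployment gate for modem firmware images.  Added example, not
Viasat/Skylogic tooling; the allowlist and sample images are constructed."""
import hashlib
import re
import struct

EM_MIPS = 8                                  # ELF e_machine value for MIPS
MTD_RE = re.compile(rb"/dev/mtdblock\d+")    # flash partitions the wiper overwrote

def elf_info(blob):
    """Return (bitness, byte order, e_machine) or None if blob is not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    bits = 32 if blob[4] == 1 else 64            # EI_CLASS
    order = "<" if blob[5] == 1 else ">"         # EI_DATA: 1 = LSB, 2 = MSB
    (e_machine,) = struct.unpack_from(order + "H", blob, 18)
    return bits, "LSB" if order == "<" else "MSB", e_machine

def gate(blob, approved_sha256):
    """Return (allowed, reasons). Every check runs so operators see all reasons."""
    reasons = []
    if hashlib.sha256(blob).hexdigest() not in approved_sha256:
        reasons.append("sha256 not in approved release list")
    info = elf_info(blob)
    if info is None:
        reasons.append("not an ELF image")
    elif info[2] != EM_MIPS:
        reasons.append(f"unexpected e_machine {info[2]} (modem fleet is MIPS)")
    devs = sorted(set(MTD_RE.findall(blob)))
    if len(devs) >= 2:                           # enumerates several flash partitions
        reasons.append("enumerates flash devices: " + ", ".join(d.decode() for d in devs))
    return (not reasons), reasons

def make_elf(payload, e_machine=EM_MIPS):
    """Constructed 52-byte 32-bit LSB ELF header followed by payload bytes."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # class, data, version, ABI
    rest = struct.pack("<HHIIIIIHHHHHH", 2, e_machine, 1, 0x400210,
                       52, 0, 5, 52, 32, 3, 40, 20, 19)
    return ident + rest + payload

# Constructed sample images: a benign release and a wiper-like binary.
GOOD_IMAGE = make_elf(b"\x00" * 64 + b"sb2 firmware 3.7.1\x00")
WIPER_LIKE = make_elf(b"\x00" * 8 + b"/dev/mtdblock0\x00/dev/mtdblock1\x00/dev/mtdblock2\x00")
APPROVED = {hashlib.sha256(GOOD_IMAGE).hexdigest()}
```

The string check is a cheap static indicator that catches this family's device enumeration, not a substitute for signed images; a real gate would verify a vendor signature in place of the hash allowlist.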