
Technical profile: AcidRain (Sandworm, Viasat KA-SAT modem wiper, Feb 24 2022)

Author: Thomas Malinowski Published: 2026-05-18 Status: OSINT synthesis from primary technical reporting Tags: Sandworm, Russia, GRU Unit 74455, AcidRain, Viasat, KA-SAT, MIPS, ELF, wiper, Ukraine, T1485, T1561.002


Summary

AcidRain is a statically-linked MIPS ELF wiper deployed against Viasat KA-SAT satellite modems on 24 February 2022 — approximately one hour before Russian ground forces crossed into Ukraine. Executing in the modems' embedded Linux environment, it systematically erased flash storage and block devices, then forced a reboot, rendering the modems permanently inoperable ("bricked") and requiring physical replacement. The attack disrupted tens of thousands of terminals across Ukraine and neighbouring European countries. Collateral damage incapacitated approximately 5,800 Enercon wind turbines in Germany whose remote monitoring and control relied on KA-SAT connectivity. SentinelOne researchers Juan Andrés Guerrero-Saade and Max van Amerongen, who named the sample and published the first technical analysis on 31 March 2022, assessed with medium confidence that AcidRain shares non-trivial developmental similarities with the destructive plugin of VPNFilter — a tool previously attributed by the FBI to Russian government actors — but stopped short of a direct Sandworm attribution. In May 2022, the U.S., UK, EU, and allied governments collectively and formally attributed the broader KA-SAT operation to Russian Military Intelligence. The U.S. Department of Justice's October 2020 indictment of GRU Unit 74455 officers provides the standing actor record underpinning that attribution.


Why this sample is worth profiling

Most public wiper analysis covers Windows PE binaries dropped on enterprise endpoints. AcidRain sits outside that frame on almost every axis:

  • Architecture. It targets MIPS, the dominant ISA for consumer and carrier-grade embedded Linux devices. MIPS-targeted offensive tooling is rare enough that it substantially narrows the plausible builder set.
  • Target class. Viasat SurfBeam2 / Surfboard modems run a trimmed embedded Linux. There is no EDR, no Windows event log, no standard enterprise telemetry surface. Defenders who can only think in terms of Windows artefacts have nothing to detect here.
  • Single-shot destructive payload. AcidRain has no C2, no persistence, no lateral movement capability, no exfiltration. It runs, destroys, reboots. The brevity is deliberate: once the management plane delivers it, the outcome is irreversible within seconds and requires no further operator interaction.
  • Management-plane delivery. The wiper did not arrive via a phishing e-mail or a drive-by. Viasat's own incident report confirms it was pushed over the legitimate modem-management network as a management command. This is the satellite-ISP equivalent of a supply-chain attack: compromise the orchestration layer once, issue a single management command, destroy tens of thousands of devices in parallel.
  • Geopolitical timing. The precision of the window — hitting Ukrainian military comms infrastructure in the final hour before ground invasion — makes AcidRain one of the clearest documented examples of a cyber operation coordinated with kinetic warfare planning.

Sample identification

Field              Value
SHA256             9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a
SHA1               86906b140b019fdedaaba73948d0c8f96a6b1b42
MD5                ecbe1b1e30a1f4bffaf1d374014c877f
First seen (VT)    2022-03-15 15:08:02 UTC
ELF type           32-bit MSB executable
Architecture       MIPS, MIPS-I version 1 (SYSV)
Linking            Statically linked, stripped
Submission name    ukrop (VirusTotal; SentinelOne note it may be shorthand for "Ukraine operation", the Ukrainian Association of Patriots acronym, or a Russian ethnic slur — origin uncertain)

Hashes are taken directly from the SentinelOne March 2022 publication. No on-disk deployment path on KA-SAT modem firmware has been publicly confirmed; no SurfBeam2-specific binary path should be assumed without a primary source.


Static / dynamic analysis

ELF header

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

Key fields of note:

  • EI_CLASS = ELFCLASS32 — 32-bit address space, consistent with the MIPS32 embedded Linux toolchain used in consumer and carrier modem firmware.
  • EI_DATA = ELFDATA2MSB — big-endian byte order, the dominant MIPS variant in networking silicon.
  • Statically linked: the binary carries its own libc. This removes any dependency on the modem firmware's library versions and is a common pattern for cross-compiled embedded payloads that must run across heterogeneous firmware revisions without relying on the target's dynamic linker or shared libraries.
  • Stripped: no symbol table. Consistent with a release build intended for deployment rather than debugging.
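The header fields above are the cheapest triage signal available for a sample like this. The following Python script is an added example, not code from the brief or from SentinelOne: it parses an ELF32 header, honours EI_DATA when decoding the multi-byte fields (which is also why a YARA rule for a big-endian sample has to use uint16be()/uint32be()), and derives static linking from the absence of a PT_INTERP program header. The build_sample() helper constructs a minimal header for testing and is not the AcidRain binary.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EM_MIPS, ET_EXEC, PT_INTERP = 8, 2, 3
MACHINES = {3: "EM_386", 8: "EM_MIPS", 40: "EM_ARM", 62: "EM_X86_64", 183: "EM_AARCH64"}

def elf_triage(data):
    """Parse an ELF32 header and report the fields this brief keys on."""
    if len(data) < 52 or data[:4] != ELF_MAGIC or data[4] != 1:   # ELFCLASS32 only
        return None
    big_endian = data[5] == 2                                      # ELFDATA2MSB
    # Every multi-byte header field follows EI_DATA; a big-endian MIPS sample
    # must be read with ">" here (and with uint16be()/uint32be() in YARA).
    end = ">" if big_endian else "<"
    (e_type, e_machine, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack(end + "HHIIIIIHHHHHH", data[16:52])
    # A dynamically linked binary names its loader in a PT_INTERP program
    # header; its absence is the static-linking signal.
    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 <= len(data) and struct.unpack(end + "I", data[off:off + 4])[0] == PT_INTERP:
            has_interp = True
    return {
        "big_endian": big_endian,
        "machine": MACHINES.get(e_machine, "EM_%d" % e_machine),
        "executable": e_type == ET_EXEC,
        "static": not has_interp,
        # Profile from the brief: 32-bit, MSB, MIPS, ET_EXEC, statically linked.
        "acidrain_profile": big_endian and e_machine == EM_MIPS and e_type == ET_EXEC and not has_interp,
    }

def build_sample(big_endian=True, machine=EM_MIPS, interp=False):
    """Constructed ELF32 header plus program headers for testing; not a real binary."""
    end = ">" if big_endian else "<"
    ident = ELF_MAGIC + bytes([1, 2 if big_endian else 1, 1]) + bytes(9)
    ptypes = [1] + ([PT_INTERP] if interp else [])                 # PT_LOAD (+ PT_INTERP)
    ehdr = struct.pack(end + "HHIIIIIHHHHHH", ET_EXEC, machine, 1, 0x400000,
                       52, 0, 0, 52, 32, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack(end + "8I", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return ident + ehdr + phdrs

if __name__ == "__main__":
    print(elf_triage(build_sample()))
```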

Device path enumeration

AcidRain iterates over device file identifiers, targeting the full range of storage types present in consumer modem hardware:

/dev/mtdblock0  through  /dev/mtdblock99   (NOR/NAND flash block layer)
/dev/mtd0       through  /dev/mtd99        (raw MTD character devices)
/dev/block/mtdblock*                        (alternative block-layer mount points)
/dev/mmcblk*                               (eMMC / SD card)
/dev/block/mmcblk*
/dev/sd*                                   (generic SCSI block, USB storage)
/dev/loop*                                 (loopback block devices)

The sweep from index 0 to 99 on each prefix ensures the payload does not need prior knowledge of the specific flash partition layout of the target firmware revision. It destroys everything it can open.

MTD ioctl sequence and what it does to flash

For each /dev/mtd* character device (raw MTD, not the block layer), AcidRain issues a sequence of ioctl calls rather than a simple write, because the Linux MTD subsystem requires explicit unlock and erase before a flash block will accept new data:

MEMGETINFO   →  retrieve MTD geometry (erase block size, total size)
MEMUNLOCK    →  remove write-protection on the target erase region
MEMERASE     →  issue the hardware erase command, resetting cells to 0xFF
MEMWRITEOOB  →  write out-of-band (spare) area, destroying ECC metadata

The MEMERASE ioctl is architecturally significant: it does not merely overwrite bytes, it triggers the flash controller to electrically erase each block, resetting NAND cells to the erased state. Without a subsequent write of valid firmware, the device has no bootable code and cannot recover without physical reflashing — which is not a field operation for a consumer satellite modem.

For block devices (mtdblock, mmcblk, sd), AcidRain performs a direct overwrite of up to 0x40000 bytes using a buffer populated with an array of 4-byte integers starting at 0xffffffff and decrementing at each index — a pattern chosen to flip as many bits as possible and resist low-cost forensic recovery.

Filesystem wiper

In addition to targeting device files, AcidRain performs a recursive wipe of the filesystem: it enumerates non-standard directories and deletes files. SentinelOne describe this as "an in-depth recursive overwrite and delete of non-standard files in the filesystem." The wiper is purely destructive — no data is read, staged, or transmitted at any point. There is no ransomware note, no C2 checkin, no beaconing. It is a denial-of-availability tool, nothing else.

Reboot

After the storage destruction loop, AcidRain issues redundant reboot attempts via multiple syscalls. The SentinelOne analysis documents this as "redundant attempts to reboot the device" but does not enumerate specific syscall numbers. The effect is to force the modem to attempt a cold boot against now-destroyed flash — from which it cannot recover.

VPNFilter code overlap (cited)

SentinelOne identified three specific overlaps with the VPNFilter stage-3 destructive plugin (dstr):

  1. Identical Section Headers String Tables between the two binaries.
  2. Both binaries use the MEMGETINFO, MEMUNLOCK, and MEMERASE ioctls to erase MTD devices.
  3. A quirk in which the binary stores the previous syscall number to a global location before issuing a new syscall — an unusual implementation detail.

SentinelOne's language is explicitly hedged: "medium-confidence assessment of non-trivial developmental similarities." They note the FBI attributed VPNFilter to the Russian government in 2018 but do not directly assert that AcidRain is Sandworm tooling. BlackEnergy is not discussed in the SentinelOne analysis.


Operational picture

How the wiper reached the modems

Viasat's incident report (30 March 2022) identified the initial access vector as exploitation of a misconfigured VPN appliance that provided access to the KA-SAT modem management network — the trusted segment from which the provider issues firmware updates and management commands to the field modem estate. From that segment, the attackers issued legitimate, targeted management commands that caused the wiper to execute on modems. Viasat described this as the malware being "run on the modems using a legitimate management command."

SentinelOne's characterisation: the attackers "used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers." The word "supply-chain" here refers to the trusted-orchestration-plane pattern rather than a software-build compromise — the adversary inherited the same authority over the modem fleet that Viasat's own NOC holds.

The precise initial-access technique used to reach the VPN appliance, and whether that involved credential theft, a vulnerability exploit, or an insider position, has not been publicly confirmed. Viasat's published report names the misconfigured VPN as the pivot point but does not detail how that appliance was first compromised.

Enercon wind-turbine collateral

Approximately 5,800 Enercon wind turbines in Germany relied on KA-SAT connectivity for remote monitoring and control of their SCADA systems. When the KA-SAT modem estate was bricked, those turbines lost satellite uplink and became unmanageable from remote operations centres. The turbines themselves were not directly targeted; the disruption was a collateral effect of the modem estate destruction. The UK government's attribution statement noted the attack "caused outages for several thousand Ukrainian customers, and impacted windfarms and internet users in central Europe." The Enercon figure of approximately 5,800 turbines comes from SentinelOne's published analysis.

Timing and strategic context

The UK NCSC assessed it was "almost certain" that Russia was responsible, and multiple governments noted the attack began approximately one hour before the ground invasion. The UK FCO, EU, and U.S. State Department issued a joint attribution statement on 10 May 2022 attributing the operation to Russian Military Intelligence. The primary target is assessed to have been Ukrainian military communications infrastructure reliant on KA-SAT connectivity — the civilian and European collateral was a side effect of the breadth of the managed modem estate.


Detection / hunting

AcidRain will never appear in a Windows EDR console. The defensive surface is entirely different.

Network-side indicators (modem fleet operators)

  • Anomalous bulk management-plane traffic. A legitimate modem management system sends targeted commands — firmware updates to specific model cohorts, configuration pushes scoped to a region. A command that fans out identically to every modem in the estate simultaneously, outside a scheduled maintenance window, is operationally abnormal and worth alerting on.
  • Access to the management segment from non-NOC source IPs. The attacker pivoted through a misconfigured VPN appliance. Management-plane access should be scoped to a small, known set of NOC egress addresses. Anything else warrants immediate triage.
  • Modem mass-offline events. A fleet of modems going dark in a tight time window — particularly if geographically clustered or correlated with a management command burst — is the post-exploitation signal. Alerting on rapid offline-rate anomalies is a cheap last-resort detection.
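The first two network-side indicators are straightforward to score from a management-plane command log. The Python below is an added example, not a Viasat or SentinelOne tool: the log format, the NOC allow-list addresses, the fan-out threshold and the window are all assumed, and the sample lines are constructed to show two scoped firmware pushes from the NOC followed by one command fanned out from a non-NOC address to eight modems in ten seconds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed NOC egress addresses and thresholds; tune to the fleet being monitored.
NOC_ALLOWLIST = {"10.20.0.5", "10.20.0.6"}
FANOUT_THRESHOLD = 5            # distinct modems one command may touch per window
WINDOW = timedelta(seconds=60)

# Constructed log, "<UTC timestamp> <source_ip> <command> <modem_id>": two scoped
# NOC firmware pushes, then one command from a non-NOC address hitting eight modems.
SAMPLE_LOG = [
    "2022-02-24T03:40:00Z 10.20.0.5 fw_update modem-0001",
    "2022-02-24T03:40:30Z 10.20.0.5 fw_update modem-0002",
] + ["2022-02-24T04:02:%02dZ 172.16.9.40 exec_cmd modem-%04d" % (i, i) for i in range(1, 9)]

def parse(lines):
    """Turn log lines into (timestamp, source_ip, command, modem_id) tuples."""
    out = []
    for line in lines:
        ts, src, cmd, modem = line.split()
        out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, cmd, modem))
    return out

def find_alerts(events, allowlist=NOC_ALLOWLIST, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Apply the two network-side indicators: non-NOC sources and bulk fan-out."""
    alerts = {"non_noc_sources": set(), "bulk_fanout": []}
    by_key = defaultdict(list)
    for ts, src, cmd, modem in events:
        if src not in allowlist:
            alerts["non_noc_sources"].add(src)
        by_key[(src, cmd)].append((ts, modem))
    # Sliding window per (source, command): peak number of distinct modems
    # reached within WINDOW. Scoped pushes stay small; a fleet-wide burst does not.
    for (src, cmd), items in by_key.items():
        items.sort()
        start, peak = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, len({m for _, m in items[start:end + 1]}))
        if peak > threshold:
            alerts["bulk_fanout"].append((src, cmd, peak))
    return alerts

if __name__ == "__main__":
    print(find_alerts(parse(SAMPLE_LOG)))
```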

Host-side indicators (if modem firmware telemetry is available)

  • MEMERASE ioctl calls against production flash partitions outside a firmware update context. Legitimate update agents call MEMERASE on specific partitions with known geometry; an unconstrained sweep over mtdblock0–mtdblock99 has no legitimate operational analogue.
  • Unexpected cold reboot returning the modem to factory-default or no-boot state. If modem fleet management logs last-seen states and receives a reboot event with no subsequent successful registration, that modem should be flagged for out-of-band investigation.

Generalisation to other embedded / IoT fleets

The AcidRain playbook applies to any fleet that shares these properties: embedded Linux on MIPS or ARM, a centralised management orchestration layer, and management commands that can issue destructive device operations. Industrial control system vendors, satellite ISPs, cellular small-cell operators, and managed CPE providers all operate estates with this profile. The specific defensive lever is hardening the management plane: MFA on NOC access, strict egress controls on the management segment, an explicit allow-list of source addresses for management commands, and rate-limiting or human-approval gates on bulk commands that would touch the entire managed estate simultaneously.


YARA candidate

// candidate — research quality; production deployment requires validation
// against representative modem firmware and tuning for FP rate.
// Matches on the publicly-confirmed SHA256 and the MTD ioctl sequence
// described in SentinelOne's March 2022 analysis. Do not deploy as-is
// against general ELF corpora without confirming string offsets on the
// actual sample.

rule apt_acidrain_mips_wiper_candidate {
    meta:
        description = "AcidRain MIPS wiper - Viasat KA-SAT incident Feb 2022"
        author      = "Thomas Malinowski"
        date        = "2026-05-18"
        hash_sha256 = "9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a"
        reference   = "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"
        status      = "candidate"

    strings:
        // MTD device path prefix - present in device enumeration loop
        $mtd_path  = "/dev/mtdblock" ascii

        // Alternative MTD block-layer path
        $mtd_block = "/dev/block/mtdblock" ascii

        // eMMC/SD path prefix
        $mmc_path  = "/dev/mmcblk" ascii

        // Raw MTD character device prefix. This is also a substring of
        // $mtd_path, so the condition below only credits it where it
        // occurs on its own.
        $mtd_raw   = "/dev/mtd" ascii

    condition:
        // uint32()/uint16() read little-endian; the sample is MSB, so the
        // ELF magic and e_machine must be read with the big-endian variants.
        uint32be(0) == 0x7f454c46     // ELF magic "\x7fELF"
        and uint8(4) == 1             // EI_CLASS = ELFCLASS32
        and uint8(5) == 2             // EI_DATA = ELFDATA2MSB (big-endian)
        and uint16be(18) == 8         // e_machine = EM_MIPS
        and 3 of ($mtd_path, $mtd_block, $mmc_path, $mtd_raw)
        // at least one "/dev/mtd" that is not the prefix of a "/dev/mtdblock"
        and #mtd_raw > #mtd_path
}

Caveats: The ioctl numeric constants (MEMGETINFO, MEMUNLOCK, MEMERASE) are embedded in compiled code rather than as ASCII strings, so they are not reliable YARA string anchors without extracting the exact byte sequences from a disassembly of the confirmed sample. The string-based condition above is grounded in device paths confirmed by SentinelOne. The hash can be used as an exact-match indicator independently of the rule logic.


Limitations and open questions

  1. Initial access into the Viasat VPN appliance is not publicly confirmed. Viasat's incident report names the misconfigured VPN as the pivot point but does not identify the vulnerability or technique used to compromise it. Whether this involved a known CVE, credential stuffing, a supply-chain compromise of the VPN vendor, or something else remains unconfirmed in public reporting.

  2. The AcidRain-to-Sandworm attribution chain is inferential. The formal government attributions (U.S., UK, EU, May 2022) attribute the KA-SAT operation to Russian Military Intelligence but do not explicitly name GRU Unit 74455 in their published statements. The Sandworm label is carried by the VPNFilter-to-Sandworm chain and the DOJ 2020 indictment, not by a direct technical link from AcidRain to previously-attributed Sandworm tooling. SentinelOne's own language holds at medium confidence.

  3. The exact number of permanently bricked modems is not publicly confirmed. The UK government said "tens of thousands of terminals have been damaged, made inoperable and cannot be repaired." No authoritative figure for total destroyed units has been published by Viasat or a government source.

  4. Whether the same toolchain was reused in later operations is unknown. No subsequent public reporting has identified AcidRain or a close variant deployed in a second campaign. The VPNFilter dstr plugin overlap suggests a shared development heritage but does not imply active reuse after Feb 2022.

  5. Modem firmware internals are not publicly available. The SentinelOne analysis is performed on the binary itself, without access to the SurfBeam2 firmware source or a known-good baseline image. This limits the ability to confirm exactly which partitions the MTD sweep would destroy on a real device.

