Trace Protocol

🗂 Trace Protocol Case File | KA‑SAT Satellite Wiper (AcidRain)

Not a forensic analysis — an educational overview for defenders and researchers.

The Cyber Compass
Aug 19, 2025

📌 Case Metadata

📅 Date of Incident: 24 February 2022
🛰 Target: KA-SAT satellite internet network (Viasat)
🏢 Affected Organisations: Viasat, Enercon, multiple European ISPs and customers
💥 Attack Type: Wiper malware (AcidRain) deployed via remote management protocol
⚠️ Impact: Tens of thousands of SurfBeam2 modems permanently disabled; loss of remote control for 5,800 wind turbines in Germany
🌍 Region Affected: Ukraine, Germany, and multiple EU member states
🔎 Primary Suspected Actor: Likely GRU/Sandworm (Unit 74455) — attribution unconfirmed
📂 Related Campaigns: VPNFilter, NotPetya, Industroyer
🔗 Key Protocols Involved: TR-069 remote management, VPN access
📈 Threat Category: Hybrid warfare / critical infrastructure disruption


🎯 What Happened

In the early hours of 24 February 2022, just over an hour before Russia’s ground invasion of Ukraine, satellite internet across large areas of Europe went offline.

This was no random outage.
It was a coordinated cyberattack on Viasat’s KA-SAT satellite network, disabling tens of thousands of SurfBeam2 modems. The disruption impacted both civilian and military communications — including the loss of remote control for 5,800 wind turbines in Germany.

At the heart of the attack: AcidRain, a custom-built piece of malware designed to permanently disable devices by corrupting their flash memory.


🧠 Who’s Behind It

Governments have not officially named the perpetrators.

However, researchers at SentinelLabs discovered strong code similarities between AcidRain and VPNFilter — a malware previously linked to Russia’s military intelligence agency, the GRU, and its Sandworm unit.

The timing of the attack — hitting within hours of the invasion — and its destructive nature fit the pattern of previous GRU campaigns such as NotPetya and Industroyer.

Assessment: There is strong circumstantial evidence pointing to GRU involvement, but without formal attribution the case remains technically open.


🧪 How It Worked

Here’s the step-by-step breakdown in plain language:

  1. Initial Access – The attackers are assessed to have exploited a vulnerable VPN (Virtual Private Network) server at Viasat’s network operations centre in Turin, Italy.

    • A VPN is a secure “tunnel” for remote access. If poorly configured, it can be an open door to critical systems.

    • This access point has not been officially confirmed, but is considered the most likely scenario by analysts.

  2. Payload Delivery – Once inside, the attackers used TR-069, a remote device management protocol used by ISPs to configure customer modems.

    • Think of TR-069 as a master control panel for thousands of devices at once — powerful, but dangerous if misused.

  3. Destruction Trigger – The attackers pushed AcidRain to thousands of SurfBeam2 modems.

    • AcidRain overwrote key sections of the modem’s flash memory and corrupted its operating system, making recovery impossible.

  4. Service Disruption – At about 03:02 UTC, abnormal TR-069 activity spiked, and tens of thousands of modems across Europe went dead.

    • Most had to be physically replaced, leaving some areas offline for weeks.


🌍 Physical-World Impact

The most striking consequence happened far from Ukraine’s frontlines:

  • Germany’s Enercon Wind Turbines — 5,800 units lost remote monitoring and control.

  • The turbines continued generating power automatically, but engineers were effectively “flying blind” — unable to send commands, perform updates, or shut them down remotely in an emergency.

This was one of the first clear examples of a satellite-borne cyberattack degrading operational technology (OT) in the physical world.


📸 Forensic Footprint

Investigators found:

  • A surge in TR-069 provisioning traffic hours before the invasion.

  • Corruption patterns in the modems’ flash memory similar to those caused by VPNFilter.

  • A clear match between modem outage locations and the turbine control blackout.

The combination of these signs, plus code similarities with GRU-linked malware, gave analysts high confidence in their assessment — though not formal proof.
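The first of those signs, a surge in TR-069 provisioning traffic, is the kind of thing an ISP can alert on from its own ACS (auto-configuration server) logs. The script below is an added example for this case file, not code from the original post or from Viasat: it builds a constructed log of TR-069 `Download` RPCs (a quiet baseline followed by a burst of an unexpected image), buckets them into five-minute windows, and flags any window whose count is far above the median. The log line format, the field names and the thresholds are assumptions for the example; real ACS logs differ.

```python
"""Detect a surge in TR-069 firmware Download RPCs in ACS logs.

Added example, not code from the original post or from Viasat. The log
format below ("timestamp rpc serial url") is constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median


def build_sample_log():
    """Constructed ACS log: sparse baseline Downloads, then a burst at 03:00 UTC."""
    t0 = datetime(2022, 2, 24, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Baseline: one Download roughly every 20 minutes for three hours, plus
    # some unrelated RPCs that the detector must ignore.
    for i in range(9):
        ts = t0 + timedelta(minutes=20 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} Download SB2-{i:04d} "
                     "http://acs.example/fw/sb2-3.7.bin")
        lines.append(f"{ts + timedelta(minutes=3):%Y-%m-%dT%H:%M:%SZ} "
                     f"SetParameterValues SB2-{i:04d} -")
    # Burst: 40 Downloads of an unexpected image within five minutes.
    for i in range(40):
        ts = t0 + timedelta(hours=3, seconds=7 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} Download SB2-{100 + i:04d} "
                     "http://acs.example/fw/update.bin")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, rpc, serial, url)."""
    ts_s, rpc, serial, url = line.split(maxsplit=3)
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, rpc, serial, url


def bucket(ts):
    """Floor a timestamp to the start of its five-minute window."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)


def detect_provisioning_surge(lines, factor=5, min_events=10):
    """Return [(window_start, download_count, [urls])] for windows whose
    Download count exceeds both `min_events` and `factor` x the median window.

    Using the median of busy windows keeps a single burst from inflating the
    baseline; the absolute floor avoids alerts on tiny networks.
    """
    counts = Counter()
    urls = {}
    for line in lines:
        ts, rpc, _serial, url = parse_line(line)
        if rpc != "Download":          # only firmware/config pushes matter here
            continue
        w = bucket(ts)
        counts[w] += 1
        urls.setdefault(w, set()).add(url)
    if not counts:
        return []
    threshold = max(min_events, factor * median(counts.values()))
    return [(w, n, sorted(urls[w]))
            for w, n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    for window, n, image_urls in detect_provisioning_surge(build_sample_log()):
        print(f"{window:%Y-%m-%d %H:%M}Z  {n} Download RPCs  images={image_urls}")
```

In practice the alert should also carry the image URL set, as above: a burst of pushes of an image that is not in the vendor's release catalogue is a stronger signal than the volume alone.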


🗺 Who’s at Risk

This case shows how many sectors could be vulnerable:

  • Satellite ISPs and Telecoms – if they push firmware updates without verifying their integrity.

  • Critical Infrastructure Operators – if they rely on satellite links for monitoring and control without a backup plan.

  • Device Manufacturers – if they enable remote management protocols like TR-069 without strict security controls.

  • Governments and NGOs – if they depend on commercial satellite services in regions that could be targeted.


🔧 What to Do Next

1. Harden Remote Access
Secure all VPNs and admin panels. Use multi-factor authentication, rate-limiting, and active monitoring.

2. Require Signed Firmware
Only allow updates that are cryptographically verified to prevent tampering.

3. Restrict or Replace TR-069
If you must use it, isolate it on a segmented network, enforce access controls, and keep logs.

4. Build Recovery Options
Design hardware with fallback modes — dual firmware, secure boot, or physical reset options.

5. Simulate Communications Loss
Run incident response drills that include satellite or network outages, not just ransomware.

6. Coordinate with Vendors
If your service relies on an upstream provider, make sure their security posture matches your needs.
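Points 2 and 4 above (signed firmware and dual-firmware fallback) are mostly bootloader logic. The following is an added example, not code from the original post or from any modem vendor, showing a dual-slot boot selector: each slot holds an image with a header carrying a version and a SHA-256 digest of the payload, and the selector boots the highest valid version, falling back to the other slot when one is corrupted and to recovery mode when both are. The image layout, header fields and slot names are constructed for the example. The digest only detects corruption; a production bootloader must additionally verify a signature over header and payload against a vendor public key held in ROM, which this stdlib-only example does not show.

```python
"""Dual-slot firmware selection with integrity checking.

Added example, not code from the original post or from any vendor. Image
layout and slot semantics are constructed. SHA-256 here detects corruption
only; authenticity needs a signature check that is omitted here.
"""
import hashlib
import struct

MAGIC = b"FWIM"
# Header: magic, version, payload length, sha256(payload)  -> 44 bytes
HEADER = struct.Struct(">4sII32s")


def build_image(version, payload):
    """Pack a firmware image as header + payload."""
    digest = hashlib.sha256(payload).digest()
    return HEADER.pack(MAGIC, version, len(payload), digest) + payload


def verify_image(image):
    """Return the version if magic, length and digest check out, else None."""
    if len(image) < HEADER.size:
        return None
    magic, version, length, digest = HEADER.unpack_from(image)
    if magic != MAGIC:
        return None
    payload = image[HEADER.size:HEADER.size + length]
    if len(payload) != length:              # truncated flash region
        return None
    if hashlib.sha256(payload).digest() != digest:
        return None
    return version


def select_boot_slot(slots):
    """Pick (slot_name, version) of the valid slot with the highest version.

    `slots` maps a slot name to the raw bytes read from that flash region.
    Returns None when no slot verifies, i.e. the device should enter a
    recovery mode that accepts a new image rather than bricking.
    """
    best = None
    for name, image in slots.items():
        version = verify_image(image)
        if version is None:
            continue
        if best is None or version > best[1]:
            best = (name, version)
    return best


def corrupt_slot(image, nbytes=4096, fill=0xFF):
    """Constructed test helper: overwrite the start of a slot with a fill byte,
    standing in for any corruption of the flash region."""
    n = min(len(image), nbytes)
    return bytes([fill]) * n + image[n:]


if __name__ == "__main__":
    slot_a = build_image(3, b"slot-a-firmware" * 400)
    slot_b = build_image(2, b"slot-b-firmware" * 400)
    print("both good   ->", select_boot_slot({"A": slot_a, "B": slot_b}))
    print("A corrupted ->", select_boot_slot({"A": corrupt_slot(slot_a), "B": slot_b}))
    print("both bad    ->", select_boot_slot({"A": corrupt_slot(slot_a),
                                             "B": corrupt_slot(slot_b)}))
```

The design point is that the slot being written during an update is never the one being booted from, so a failed or malicious write to one slot leaves a verified image to fall back to; only if every slot fails does the device need a recovery path, and even then it should be one that does not require a truck roll.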


🔍 Known vs Unconfirmed

Known Facts:

  • TR-069 was used to deliver AcidRain.

  • AcidRain permanently disabled SurfBeam2 modems.

  • The attack indirectly affected OT systems (Enercon turbines).

Unconfirmed:

  • The exact method of initial access (VPN misconfiguration is the leading theory).

  • Formal attribution to the GRU/Sandworm unit.


🧩 Why This Case Matters

AcidRain wasn’t built to steal or ransom — it was built to destroy.
It was deployed in sync with a military invasion.

In modern conflict:

Control of the sky starts with control of the signal.

