Tens of thousands of Viasat satellite broadband modems disabled in a cyber-attack some weeks ago were wiped by malware with possible links to Russia’s destructive VPNFilter, according to SentinelOne.
On February 24, as Russian troops invaded Ukraine, Viasat terminals in Europe and Ukraine were suddenly and unexpectedly knocked offline and rendered inoperable. This caused, among other things, thousands of wind turbines in Germany to lose satellite internet connectivity needed for remote monitoring and control.
Earlier this week, Viasat provided some details about the outage: it blamed a poorly configured VPN appliance, which allowed a miscreant to access a trusted management segment of Viasat’s KA-SAT satellite network.
The broadband provider said this intruder then explored its internal network until they were able to instruct subscribers’ modems to overwrite their flash storage, requiring a factory reset to restore the equipment. We were told:
How exactly these modems had their memory overwritten wasn’t said. According to the research arm of SentinelOne, though, it may have been wiper malware deployed to the devices as a malicious firmware update from Viasat’s compromised backend. This conclusion was based on a suspicious-looking MIPS ELF binary named “ukrop” that was uploaded to VirusTotal on March 15.
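The SentinelOne lead hinged on recognising a suspicious ELF binary as a MIPS executable, the architecture typical of embedded modem and router SoCs. A first triage step for any such sample is to read the ELF identification bytes and the `e_machine` field from the header, which tells an analyst which emulator, disassembler and firmware baseline to use before going any further. The script below is an added example, not code from the original article or from SentinelOne or Viasat; the header bytes it checks are constructed inline and do not represent the "ukrop" sample or any other real binary.

```python
import struct

# e_machine values from the ELF specification (subset)
EM_NAMES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}
EM_MIPS = 8
ET_EXEC = 2
E_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def parse_elf_header(data: bytes) -> dict:
    """Return class, byte order, object type and target machine of an ELF blob.

    Only the first 20 bytes are needed: the 16-byte e_ident array, then
    e_type and e_machine, whose byte order is given by e_ident[EI_DATA].
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
        "machine_id": e_machine,
    }


def is_mips_executable(data: bytes) -> bool:
    """True when the blob is an ELF executable built for MIPS; False otherwise."""
    try:
        header = parse_elf_header(data)
    except ValueError:
        return False
    return header["machine_id"] == EM_MIPS and header["type"] == "executable"


def build_sample_elf32_header(machine: int, big_endian: bool = True, e_type: int = ET_EXEC) -> bytes:
    """Constructed 52-byte ELF32 header used only as test input (not a runnable binary)."""
    endian = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0, 0]) + b"\x00" * 7
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack(endian + "HHIIIIIHHHHHH",
                       e_type, machine, 1, 0x400000, 52, 0, 0, 52, 32, 0, 40, 0, 0)
    return ident + rest


if __name__ == "__main__":
    # Constructed samples: a big-endian MIPS executable and a little-endian x86-64 one.
    for blob in (build_sample_elf32_header(EM_MIPS), build_sample_elf32_header(62, big_endian=False)):
        info = parse_elf_header(blob)
        print(f"{info['bits']}-bit {info['endian']}-endian {info['machine']} {info['type']}",
              "<- embedded-target candidate" if is_mips_executable(blob) else "")
```

On a real sample, pass `open(path, "rb").read(64)` to `parse_elf_header`; a MIPS executable surfacing where firmware-update payloads for consumer modems are expected is worth a closer look, though the header alone says nothing about intent and the same check would flag legitimate vendor images.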
“Only the incident responders in the Viasat case could say definitively whether this was in fact the malware used in this particular incident,” SentinelOne’s Juan Andres Guerrero-Saade and Max van Amerongen wrote on Thursday.
After analyzing Viasat’s “somewhat plausible but incomplete” explanation of the cyber-attack, the two researchers came up with this hypothesis:
The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers. A wiper for this kind of device would overwrite key data in the modem’s flash memory, rendering it ino