Viasat KA-SAT AcidRain wiper
One hour before Russia's invasion of Ukraine, Sandworm operators deployed the AcidRain wiper against Viasat KA-SAT satellite modems, bricking ~30,000 European terminals, cutting remote monitoring for 5,800 German wind turbines, and disabling Ukrainian military command-and-control.
- Victim: Viasat KA-SAT (subscribers across Ukraine and Europe)
- Loss: $100.0M
- Users: 30.0K
At approximately 04:45 UTC on 24 February 2022, one hour before Russian forces began the full-scale invasion of Ukraine, operators from Sandworm (Russian GRU Unit 74455) deployed a previously unseen wiper called AcidRain against the management infrastructure of Viasat's KA-SAT satellite network. The wiper bricked approximately 30,000 satellite modems across Europe, including:
- Ukrainian military command-and-control terminals dependent on KA-SAT for forward communications.
- ~5,800 German wind turbines operated by Enercon that used KA-SAT for remote monitoring.
- Civilian satellite-broadband subscribers across France, Italy, Poland, and other European countries dependent on KA-SAT for rural connectivity.
The attack was, in operational design, the opening salvo of the war's cyber component: a deliberate degradation of Ukrainian military communications timed to the invasion.
What happened
Sandworm operators had pre-positioned access to Skylogic, the Viasat ground-segment operator headquartered in Turin, Italy, that ran KA-SAT's management infrastructure. The initial access vector was a misconfigured VPN appliance with weak authentication.
At 23:00 UTC on 23 February 2022, operators authenticated to the Skylogic management network. Over the next several hours they:
- Pivoted to the modem-management subsystem responsible for pushing firmware updates and configuration to subscriber modems.
- Staged the AcidRain wiper payload.
At 04:45 UTC on 24 February, AcidRain was deployed via the modem management plane. The wiper:
- Iterated over every block device on the modem firmware: serial flash, RAM, eMMC.
- Overwrote critical regions of the modem firmware with zeros or random data.
- Issued a reboot command, ensuring the modem would attempt to boot from the now-corrupted firmware and fail.
The result was permanent hardware bricking: the affected modems were not recoverable via firmware reflash because the bootloader and recovery partition had been wiped. Physical replacement of every affected modem was the only remediation.
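A defender-side illustration of the management-plane deployment described above, added here and not taken from Viasat, SentinelOne or the original page: it flags any operator session that sends modem-changing commands to an unusually large number of distinct modems within a short window. The log format, action names, session ids and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records in an assumed "time key=value" format.
SAMPLE_LOG = """\
2024-01-01T09:00:00Z sess=ops-17 action=firmware_push target=modem-0001
2024-01-01T09:20:00Z sess=ops-17 action=firmware_push target=modem-0002
2024-01-01T09:40:00Z sess=ops-17 action=status_query target=modem-0003
2024-01-01T10:00:00Z sess=vpn-42 action=exec target=modem-0101
2024-01-01T10:00:05Z sess=vpn-42 action=exec target=modem-0102
2024-01-01T10:00:10Z sess=vpn-42 action=exec target=modem-0103
2024-01-01T10:00:15Z sess=vpn-42 action=exec target=modem-0104
2024-01-01T10:00:20Z sess=vpn-42 action=reboot target=modem-0101
"""

# Hypothetical action names that can alter or restart a modem.
RISKY = {"firmware_push", "exec", "reboot"}

def parse(line):
    """Split one record into (timestamp, {key: value})."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields

def fanout_alerts(lines, window=timedelta(minutes=5), max_targets=3):
    """Return (session, time, n_targets) the first time a session sends
    risky actions to more than max_targets distinct modems in `window`.
    Records are assumed to arrive in time order."""
    recent = defaultdict(deque)        # session -> (time, target) pairs
    alerted, alerts = set(), []
    for line in filter(str.strip, lines):
        ts, f = parse(line)
        if f.get("action") not in RISKY:
            continue
        q = recent[f["sess"]]
        q.append((ts, f["target"]))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) > max_targets and f["sess"] not in alerted:
            alerted.add(f["sess"])
            alerts.append((f["sess"], ts, len(targets)))
    return alerts

if __name__ == "__main__":
    for sess, ts, n in fanout_alerts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ts.isoformat()} session={sess} modems={n}")
```

The same per-session count can be enforced as a gate before commands are dispatched, so that a fleet-wide push needs a second approval instead of only raising an alert afterwards.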
Impact
- ~30,000 SATCOM modems bricked across Europe, requiring physical replacement.
- Ukrainian military command-and-control degradation at the moment of invasion. Public reporting from Ukrainian officials acknowledged that forward units lost their primary command channel for the first hours of the war. Backup channels (LTE, fiber where present, terrestrial radio) were used; KA-SAT itself was not restored for weeks.
- 5,800 Enercon wind turbines in Germany lost remote monitoring. Turbines continued generating power but Enercon could not perform remote maintenance, troubleshooting, or emergency response. The "loss of monitoring" was a safety degradation rather than an outage.
- Tens of thousands of European civilian subscribers lost satellite broadband connectivity, in many cases for weeks while replacement modems were shipped.
- Total direct cost to Viasat: ~$100 million in modem replacements, customer service, and remediation.
Attribution
On 10 May 2022, the EU, U.K., U.S., Canada, Australia, New Zealand, and Estonia jointly attributed the KA-SAT attack to the Russian government, citing intelligence and forensic evidence. The attribution placed it within the Sandworm / GRU Unit 74455 operational lineage that includes NotPetya (2017), the PyeongChang 2018 destructor, and the Ukrainian electric grid attacks of 2015 and 2016.
No specific individual was named for the KA-SAT attack beyond the broader Sandworm Six indictment of October 2020. The same unit's continued operations against Ukrainian critical infrastructure throughout the 2022 invasion (Industroyer2 against the Ukrainian power grid, persistent wiper campaigns against Ukrainian government networks) are operationally continuous with the KA-SAT operation.
Why it matters
Viasat / KA-SAT is the canonical case for cyber as the opening of kinetic conflict. It established:
- That state actors can pre-position in commercial communications infrastructure for use at moments of strategic timing. The Skylogic access was not detected and was operationally weaponised at the exact moment of military value.
- That wiper firmware attacks against IoT-class endpoints (satellite modems, in this case; but also smart-home devices, industrial controllers, vehicle telematics) are a category of irreversible damage distinct from data-loss or ransomware. The 30,000 affected modems required physical replacement, not software recovery.
- That commercial satellite networks are dual-use infrastructure carrying both military and civilian traffic. A targeted operation against military users via the management plane caused civilian collateral damage on a continental scale.
- That public attribution by Western governments can be issued quickly when the operation aligns with the obvious geopolitical context. The May 2022 attribution came less than three months after the event, fast by historical standards.
KA-SAT is now studied in every doctrine document on the integration of cyber and conventional military operations. The Ukrainian military's subsequent rapid pivot to Starlink for forward communications, facilitated by Elon Musk's offer of terminals, is the most visible operational lesson from the incident.
Financial impact
Reported costs in USD
- Business loss: $70.0M
- Remediation: $30.0M
Timeline
Sandworm operators authenticate to KA-SAT's management network via a misconfigured VPN appliance at Skylogic, the Viasat ground-segment operator in Turin, Italy.
AcidRain wiper deployed via the KA-SAT management plane to subscriber modems across Europe. Approximately 30,000 SATCOM modems are bricked within minutes, one hour before Russian forces enter Ukrainian territory.
Russian forces begin the full-scale invasion of Ukraine. Ukrainian military command-and-control units that depend on KA-SAT for forward communications lose connectivity at the moment of invasion.
German wind farm operator Enercon discovers ~5,800 wind turbines have lost remote monitoring capability. Turbines continue to generate, but Enercon cannot perform remote maintenance or response.
Viasat acknowledges 'a network outage' affecting European subscribers.
SentinelOne Labs publishes analysis identifying AcidRain, a previously unseen wiper, as the payload.
EU, U.K., U.S., Canada, Australia, New Zealand, and Estonia jointly attribute the KA-SAT attack to the Russian government.
Sources
- viasat.com: https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/
- sentinelone.com: https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/
- consilium.europa.eu: https://www.consilium.europa.eu/en/press/press-releases/2022/05/10/russian-cyber-operations-against-ukraine-declaration-by-the-high-representative-on-behalf-of-the-european-union/