Viasat KA-SAT (AcidRain)
February 2022
Executive Summary
Destructive cyber attack against Viasat's KA-SAT satellite broadband network, timed to coincide with Russia's invasion of Ukraine on 24 February 2022. AcidRain wiper malware bricked tens of thousands of satellite modems across Europe, disrupting Ukrainian military and government communications and causing collateral outages to wind turbines in Germany and broadband users in multiple EU states.
Why This Matters
Viasat KA-SAT was the clearest example yet of cyber attack as an opening act of war, with cross-border collateral damage that forced NATO and the EU to treat satellite infrastructure as a shared security concern.
Escalation Profile
7-Dimension Profile
Escalation Ladder
Phases
VPN appliance exploitation
Attackers exploited a misconfigured VPN appliance in the KA-SAT management network to reach modem provisioning infrastructure.
Mass modem wipe
AcidRain wiper pushed to tens of thousands of SurfBeam2 modems, overwriting flash storage and rendering them permanently inoperable.
Collateral disruption across Europe
Beyond Ukraine, the attack disrupted ~5,800 Enercon wind turbines in Germany and broadband for users in France, Italy, and Central Europe.
Threshold Crossings
- First confirmed cyber attack synchronized with the opening of a conventional military invasion
- Cross-border collateral impact on NATO-member critical infrastructure
Restraint Factors
- Attack targeted communications infrastructure, not life-safety systems
- Physical satellite constellation was not damaged
Attribution Assessment
Threat actor mapped to Russia based on infrastructure analysis, malware attribution, and operational patterns.
Evidence: Viasat: KA-SAT Network Cyber Attack Overview; SentinelOne: AcidRain — A Modem Wiper Rains Down on Europe
- EU, UK, and US formal attribution to Russia (May 2022)
- NATO recognized cyberspace as an operational domain with renewed emphasis
- Viasat coordinated with NSA and allied agencies on incident response
Sources: EU Council: Declaration on Viasat Cyber Attack Attribution
No dedicated journalistic sources in dataset. See sources section for full references.
“Confirmed” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside source material.
Unpeace Position
Unpeace Score
Composite severity rating on the peace–conflict spectrum
Contributing Dimensions
Coercive Function
Destructive
Destruction of data or systems — coercive value through denial, punishment, or deterrence signaling.
Observed coercive effects
- First confirmed cyber attack synchronized with the opening of a conventional military invasion
- Cross-border collateral impact on NATO-member critical infrastructure
Entanglement Risk
Sectors affected
Countries / regions
Impact summary
Tens of thousands of satellite modems bricked; disruption to Ukrainian military comms and collateral outages across multiple EU states.
Infrastructure Meaning
Malware / tooling
Capability profile
3 ATT&CK techniques mapped — see ATT&CK mapping below.
Governance Analysis
Governance Flags
Norms invoked
- UN GGE 2015 norm against attacking critical infrastructure
- International humanitarian law: proportionality and distinction in armed conflict
Policy responses
- EU, UK, and US formal attribution to Russia (May 2022)
- NATO recognized cyberspace as an operational domain with renewed emphasis
- Viasat coordinated with NSA and allied agencies on incident response
Regulatory changes
- EU NIS2 Directive implementation accelerated, partly citing Viasat as a motivating case
- Increased focus on satellite and space-system cybersecurity in US National Cyber Strategy (2023)
Governance impact assessment
Demonstrated that cyber operations are now integrated into conventional military campaigns and that collateral effects readily cross borders — reinforcing momentum behind the EU NIS2 Directive and NATO cyber commitments.
Sources
Viasat: KA-SAT Network Cyber Attack Overview
SentinelOne: AcidRain — A Modem Wiper Rains Down on Europe
EU Council: Declaration on Viasat Cyber Attack Attribution
Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.
Related Cases
NotPetya
June 2017 · Russia
NotPetya demonstrated that a cyber weapon aimed at one country can inflict billions in collateral damage worldwide, making it a landmark case for debating proportionality, state responsibility, and the limits of deniability in cyber conflict.
Kyivstar
December 2023 · Russia
Kyivstar represented the most destructive cyber attack against a telecommunications provider during active conflict, demonstrating ICS-equivalent destructive capability against civilian communication infrastructure and disrupting life-safety warning systems.
Ukraine Grid I
December 2015 · Russia
Ukraine 2015 was the first confirmed cyber-caused power outage, turning a theoretical risk into an operational reality that reshaped how governments defend energy grids.
Ukraine Grid II
December 2016 · Russia
Industroyer represented a generational leap in ICS malware sophistication — a modular, protocol-aware weapon that signaled the industrialization of grid-targeted cyber capabilities.