Researchers have uncovered a more dangerous and prolific version of the wiper malware used by Russian military intelligence to disrupt satellite broadband service in Ukraine just prior to Russia's invasion of the country in February 2022.
The new variant, "AcidPour," bears several similarities with its predecessor but is compiled for x86 architecture, unlike AcidRain, which targeted MIPS-based systems. The new wiper also includes features for use against a considerably broader range of targets than AcidRain, according to researchers at SentinelOne who discovered the threat.
Wider Destructive Capabilities
"AcidPour's expanded destructive capabilities include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, which impacts handhelds, IoT, networking, or, in some cases, ICS devices," says Tom Hegel, senior threat researcher at SentinelOne. "Devices like storage area networks (SANs), network attached storage (NAS), and dedicated RAID arrays are also now in scope for AcidPour's effects."
Another new capability of AcidPour is a self-delete function that erases all traces of the malware from the systems it infects, Hegel says. AcidPour is a relatively more refined wiper overall than AcidRain, he says, pointing to the latter's excessive use of process forking and unwarranted repetition of certain operations as examples of its overall sloppiness.
SentinelOne discovered AcidRain in February 2022 following a cyberattack that knocked offline some 10,000 satellite modems connected to communications provider Viasat's KA-SAT network. The attack disrupted consumer broadband service for thousands of customers in Ukraine and for tens of thousands of people in Europe. SentinelOne concluded that the malware was likely the work of a group associated with Sandworm (aka APT 28, Fancy Bear, and Sofacy), a Russian operation responsible for numerous disruptive cyberattacks in Ukraine.
SentinelOne researchers first observed the new variant, AcidPour, on March 16 but have not yet seen anyone using it in an actual attack.
Sandworm Ties
Their initial analysis of the wiper revealed several similarities with AcidRain, which a subsequent deeper dive then confirmed. The notable overlaps that SentinelOne found included AcidPour's use of the same reboot mechanism as AcidRain, and identical logic for recursive directory wiping.
SentinelOne also found AcidPour's IOCTL-based wiping mechanism to be the same as the wiping mechanism in AcidRain and in VPNFilter, a modular attack platform that the US Department of Justice has linked to Sandworm. IOCTL is a mechanism for securely erasing or wiping data from storage devices by sending specific commands to the device.
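As an added example (not code from SentinelOne or from the article), the following Python sketch shows one host-side heuristic a defender could run over process telemetry to surface the behaviours described here: a binary outside the expected disk-management tooling issuing ioctls or write-opens against raw disk, RAID, Device Mapper or UBI devices, and then unlinking its own executable. The event format, the allow list, and every PID, binary and path are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified audit-style events (NOT real auditd output):
# one event per line as key=value pairs; PIDs, binaries and paths are hypothetical.
SAMPLE_EVENTS = """\
pid=4101 exe=/usr/sbin/mdadm comm=mdadm syscall=ioctl path=/dev/md0
pid=5120 exe=/tmp/.x comm=.x syscall=openat path=/dev/sda flags=O_RDWR
pid=5120 exe=/tmp/.x comm=.x syscall=ioctl path=/dev/sda
pid=5120 exe=/tmp/.x comm=.x syscall=openat path=/dev/dm-0 flags=O_RDWR
pid=5120 exe=/tmp/.x comm=.x syscall=ioctl path=/dev/ubi0
pid=5120 exe=/tmp/.x comm=.x syscall=unlink path=/tmp/.x
pid=6000 exe=/usr/bin/cp comm=cp syscall=openat path=/home/u/a.txt flags=O_RDWR
"""

# Device families the article puts in scope: raw disks, RAID (md), Device Mapper (dm-*), UBI (ubi*).
BLOCK_DEVICE = re.compile(r"^/dev/(sd[a-z]+|nvme\d+n\d+|mmcblk\d+|md\d+|dm-\d+|ubi\d+)$")

# Hypothetical allow list of tools expected to ioctl/write block devices on this host.
ALLOWED_EXE = {"/usr/sbin/mdadm", "/usr/sbin/mkfs.ext4", "/usr/sbin/fdisk"}

def parse(line):
    """Split one constructed event line into a dict of its key=value fields."""
    return dict(kv.split("=", 1) for kv in line.split())

def find_wiper_like(events_text):
    """Return {pid: [reasons]} for non-allow-listed processes that ioctl or open
    a block device for writing; a process that also unlinks its own binary is noted."""
    touched = defaultdict(set)   # pid -> block devices ioctl'd or opened for write
    exe_of, self_deleted = {}, set()
    for line in events_text.splitlines():
        ev = parse(line)
        pid, exe, path = ev["pid"], ev["exe"], ev.get("path", "")
        exe_of[pid] = exe
        write_open = ev["syscall"] == "openat" and ("O_RDWR" in ev.get("flags", "") or "O_WRONLY" in ev.get("flags", ""))
        if (ev["syscall"] == "ioctl" or write_open) and BLOCK_DEVICE.match(path):
            touched[pid].add(path)
        elif ev["syscall"] == "unlink" and path == exe:
            self_deleted.add(pid)   # process removed its own executable
    findings = {}
    for pid, devs in touched.items():
        if exe_of[pid] in ALLOWED_EXE:
            continue   # expected disk-management tooling
        reasons = [f"block-device access by unexpected binary {exe_of[pid]}: {sorted(devs)}"]
        if pid in self_deleted:
            reasons.append("process unlinked its own executable (self-delete)")
        findings[pid] = reasons
    return findings
```

On the constructed sample only PID 5120 is reported, with both the device list and the self-delete note; the allow-listed mdadm ioctl and the ordinary file write are ignored.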
"One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper widely used against Ukrainian targets alongside notable malware like Industroyer 2," SentinelOne said. Both CaddyWiper and Industroyer 2 are malware used by Russia-backed state groups in destructive attacks on organizations in Ukraine, even before Russia's February 2022 invasion of the country.
Ukraine's CERT has analyzed AcidPour and attributed it to UAC-0165, a threat actor that is part of the Sandworm group, SentinelOne said.
AcidPour and AcidRain are among numerous wipers that Russian actors have deployed against Ukrainian targets in recent years, and particularly since the onset of the current conflict between the two countries. Even though the threat actor managed to knock thousands of modems offline in the Viasat attack, the company was able to recover and redeploy them after removing the malware.
In many other instances, though, organizations have been forced to discard systems following a wiper attack. One of the most notable examples is the 2012 Shamoon wiper attack on Saudi Aramco that crippled some 30,000 systems at the company.
As was the case with Shamoon and AcidRain, threat actors typically have not needed to make wipers sophisticated to be effective. That is because the sole function of the malware is to overwrite or delete data on systems and render them unusable, so the evasive tactics and obfuscation techniques associated with data theft and cyber espionage attacks are not needed.
The best defense against wipers, or at least the best way to limit the damage from them, is to implement the same kind of defenses as for ransomware. That means having backups in place for critical data and ensuring robust incident response plans and capabilities.
Network segmentation is also key, because wipers are more effective when they are able to spread to other systems, so that kind of defense posture helps thwart lateral movement.