The data wiping malware called AcidPour may have been deployed in attacks targeting four telecom providers in Ukraine, new findings from SentinelOne show.
The cybersecurity firm also confirmed connections between the malware and AcidRain, tying it to threat activity clusters associated with Russian military intelligence.
“AcidPour’s expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions,” security researchers Juan Andres Guerrero-Saade and Tom Hegel said.
AcidPour is a variant of AcidRain, a wiper that was used to render Viasat KA-SAT modems inoperable at the onset of the Russo-Ukrainian war in early 2022 and cripple Ukraine’s military communications.
It also builds upon the latter’s features, while targeting Linux systems running on x86 architecture. AcidRain, on the other hand, is compiled for the MIPS architecture.
Where AcidRain was more generic, AcidPour incorporates logic to target embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays.
That said, both strains overlap when it comes to the use of reboot calls and the method employed for recursive directory wiping. Also identical is the IOCTL-based device-wiping mechanism, which additionally shares commonalities with another malware linked to Sandworm known as VPNFilter.
“One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2,” the researchers said.
The C-based malware comes with a self-delete function that overwrites itself on disk at the beginning of its execution, while also employing an alternate wiping approach depending on the device type.
AcidPour has been attributed to a hacking crew tracked as UAC-0165, which is associated with Sandworm and has a track record of striking Ukrainian critical infrastructure.
The Computer Emergency Response Team of Ukraine (CERT-UA), in October 2023, implicated the adversary in attacks targeting at least 11 telecommunication service providers in the country between May and September of last year.
“[AcidPour] could have been used in 2023,” Hegel told The Hacker News. “It is likely the actor has made use of AcidRain/AcidPour related tooling consistently throughout the war. A gap in this perspective speaks to the level of insight the public often has to cyber intrusions – often quite limited and incomplete.”
The ties to Sandworm are further bolstered by the fact that a threat actor known as Solntsepyok (aka Solntsepek or SolntsepekZ) claimed to have infiltrated four different telecommunication operators in Ukraine and disrupted their services on March 13, 2024, three days prior to the discovery of AcidPour.
Solntsepyok, according to the State Special Communications Service of Ukraine (SSSCIP), is a Russian advanced persistent threat (APT) with likely ties to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also operates Sandworm.
It’s worth mentioning that Solntsepyok has also been accused of hacking into Kyivstar’s systems as early as May 2023. The breach came to light in late December.
While it’s currently not clear if AcidPour was used in the latest set of attacks, the discovery suggests that threat actors are constantly refining their tactics to stage destructive attacks and inflict significant operational impact.
“This progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical infrastructure and communications,” the researchers said.