The data-wiping malware known as AcidPour may have been deployed in attacks targeting four telecom providers in Ukraine, new findings from SentinelOne show.
The cybersecurity firm also confirmed connections between the malware and AcidRain, tying it to threat activity clusters associated with Russian military intelligence.
"AcidPour's expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions," security researchers Juan Andres Guerrero-Saade and Tom Hegel said.
AcidPour is a variant of AcidRain, a wiper that was used to render Viasat KA-SAT modems inoperable at the onset of the Russo-Ukrainian war in early 2022 and cripple Ukraine's military communications.
It also builds upon the latter's features, while targeting Linux systems running on the x86 architecture. AcidRain, on the other hand, is compiled for the MIPS architecture.
Where AcidRain was more generic, AcidPour incorporates logic to target embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays.
That said, both strains overlap in their use of reboot calls and in the method employed for recursive directory wiping. Also identical is the IOCTL-based device-wiping mechanism, which in turn shares commonalities with another piece of malware linked to Sandworm known as VPNFilter.
"One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2," the researchers said.
The C-based malware comes with a self-delete function that overwrites itself on disk at the start of its execution, and it selects an alternate wiping approach depending on the device type.
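A wiper that destroys its own on-disk copy at startup leaves a forensic trace while it is still running: on Linux, the kernel keeps the executed inode alive and exposes it through /proc/&lt;pid&gt;/exe, whose link target gains the suffix " (deleted)" once the file has been unlinked. The following triage helper is an added example written for this page, not code from SentinelOne or from the malware itself. It assumes standard Linux procfs semantics (the /proc/&lt;pid&gt;/exe magic link resolves to the running image even after the path is gone); the proc tree it is run against in the usage is the live /proc, and any sample file names in tests are constructed.

```python
"""Added triage helper (not SentinelOne's or the wiper's code): find Linux
processes whose executable was unlinked or no longer matches what is on
disk, and recover the still-mapped image via /proc/<pid>/exe.

Assumption: Linux procfs semantics. /proc/<pid>/exe is a magic symlink;
its readlink() target ends in " (deleted)" once the file is unlinked, and
open() on it returns the image actually being executed.
"""
import hashlib
import os
import shutil

DELETED_SUFFIX = " (deleted)"


def iter_pids(proc_root="/proc"):
    """Yield the numeric entries of proc_root as ints (skip 'self', 'sys', ...)."""
    for name in os.listdir(proc_root):
        if name.isdigit():
            yield int(name)


def read_exe_link(proc_root, pid):
    """Target of /proc/<pid>/exe, or None when it cannot be read (kernel
    threads, other users' processes without ptrace rights, exit races)."""
    try:
        return os.readlink(os.path.join(proc_root, str(pid), "exe"))
    except OSError:
        return None


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(proc_root, pid):
    """State of the file backing a process:
      "deleted"  -- link ends in " (deleted)": file unlinked after exec
      "mismatch" -- the path still resolves, but to bytes that differ from
                    the running image (ETXTBSY blocks in-place writes to a
                    running binary, so this usually means the path seen from
                    here is not the inode the process holds)
      "intact"   -- on-disk bytes equal the running image
      None       -- link or file not readable
    """
    target = read_exe_link(proc_root, pid)
    if target is None:
        return None
    if target.endswith(DELETED_SUFFIX):
        return "deleted"
    try:
        running = _sha256_file(os.path.join(proc_root, str(pid), "exe"))
        on_disk = _sha256_file(target)
    except OSError:
        return None
    return "intact" if running == on_disk else "mismatch"


def find_suspicious(proc_root="/proc"):
    """pid -> "deleted"/"mismatch" for every process whose executable no
    longer matches disk. Benign hits exist (a package upgrade leaves a
    long-running daemon "deleted"), so this is a triage list, not a verdict."""
    hits = {}
    for pid in iter_pids(proc_root):
        state = classify(proc_root, pid)
        if state in ("deleted", "mismatch"):
            hits[pid] = state
    return hits


def recover_image(proc_root, pid, dest):
    """Copy the running image of <pid> to dest. Works even when the file on
    disk is gone, because open() goes through the magic link to the inode the
    process still holds. Returns the SHA-256 of the recovered bytes."""
    src_path = os.path.join(proc_root, str(pid), "exe")
    with open(src_path, "rb") as src, open(dest, "wb") as out:
        shutil.copyfileobj(src, out)
    return _sha256_file(dest)


if __name__ == "__main__":
    # Usage on a live host: list processes worth a closer look.
    for pid, state in sorted(find_suspicious().items()):
        print(f"{pid}\t{state}\t{read_exe_link('/proc', pid)}")
```

Run it as root (or with CAP_SYS_PTRACE) so that every process's exe link is readable; a hit of "deleted" on an unknown binary is the moment to call recover_image() before the process exits, since once it does the only copy of the wiper may be the one it already destroyed.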
AcidPour has been attributed to a hacking crew tracked as UAC-0165, which is associated with Sandworm and has a track record of striking Ukrainian critical infrastructure.
The Computer Emergency Response Team of Ukraine (CERT-UA), in October 2023, implicated the adversary in attacks targeting at least 11 telecommunication service providers in the country between May and September of last year.
"[AcidPour] could have been used in 2023," Hegel told The Hacker News. "It's likely the actor has made use of AcidRain/AcidPour related tooling consistently throughout the war. A gap in this perspective speaks to the level of insight the public often has to cyber intrusions – often quite limited and incomplete."
The ties to Sandworm are further bolstered by the fact that a threat actor known as Solntsepyok (aka Solntsepek or SolntsepekZ) claimed to have infiltrated four different telecommunication operators in Ukraine and disrupted their services on March 13, 2024, three days prior to the discovery of AcidPour.
Solntsepyok, according to the State Special Communications Service of Ukraine (SSSCIP), is a Russian advanced persistent threat (APT) with likely ties to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also operates Sandworm.
It's worth mentioning that Solntsepyok has also been accused of hacking into Kyivstar's systems as early as May 2023. The breach came to light in late December.
While it's currently not clear whether AcidPour was used in the latest set of attacks, the discovery suggests that threat actors are constantly refining their tactics to stage destructive attacks and inflict significant operational impact.
"This progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical infrastructure and communications," the researchers said.