    Russian hackers use upgraded version of “AcidPour” malware to attack Ukrainian telecom companies


Report, March 22, 2024, Editorial Department, Linux / Cyber War

New findings from SentinelOne show that the data-wiping malware known as AcidPour may have been deployed in attacks against four telecommunications providers in Ukraine.

The cybersecurity firm also confirmed a link between the malware and AcidRain, tying it to a cluster of threat activity associated with Russian military intelligence.

Security researchers Juan Andres Guerrero-Saade and Tom Hegel said: “The expanded functionality of AcidPour will allow it to better disable embedded devices, including networking, IoT, large storage (RAID), and potentially ICS devices running Linux x86 distributions.”

AcidPour is a variant of AcidRain, a wiper used to render Viasat KA-SAT modems inoperable and cripple Ukrainian military communications when the Russia-Ukraine war broke out in early 2022.

AcidPour builds on AcidRain's functionality while targeting Linux systems running on the x86 architecture; AcidRain, by contrast, is compiled for the MIPS architecture.

AcidRain is more general-purpose, while AcidPour adds logic specific to embedded devices, storage area networks (SANs), network-attached storage (NAS) devices and dedicated RAID arrays.

That said, the two strains overlap in their use of reboot calls and in the approach taken for recursive directory wipes. Their IOCTL-based device wipe mechanism is also identical, and is shared with another piece of Sandworm-linked malware called VPNFilter.

    “One of the most interesting aspects of AcidPour is its coding style, which is reminiscent of well-known malware such as CaddyWiper, a utility widely used against Ukrainian targets, and Industroyer 2,” the researchers said.

The C-based malware is self-deleting: it overwrites itself on disk at the start of execution, and it employs alternative erasure methods depending on the device type.
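Because the article describes the wiper as deleting itself on disk at the start of execution, one defensive check a responder can run on a Linux host is to look for running processes whose backing executable no longer exists. The following is an added example written for this page, not code from the article, from SentinelOne, or from any malware sample; it relies only on the kernel's convention of appending " (deleted)" to the /proc/<pid>/exe link once the executable's inode has been unlinked, and it constructs a fake /proc tree as sample input so it runs offline. The function names scan_proc and build_sample_proc, and the pids, process names and paths in the sample, are assumptions for illustration.

```python
"""Hunt for running processes whose on-disk executable has been unlinked.

Added example, not code from the article or SentinelOne. A self-deleting
wiper that unlinks or replaces its own binary after start leaves the running
process with a /proc/<pid>/exe link whose target ends in " (deleted)".
"""
import os
import tempfile
from dataclasses import dataclass

DELETED_SUFFIX = " (deleted)"


@dataclass
class Finding:
    pid: int
    exe_target: str   # raw readlink() result for /proc/<pid>/exe
    comm: str         # process name from /proc/<pid>/comm, "?" if unreadable


def is_deleted_exe(link_target: str) -> bool:
    """True when the kernel marks the backing executable as unlinked."""
    return link_target.endswith(DELETED_SUFFIX)


def scan_proc(proc_root: str = "/proc") -> list[Finding]:
    """Walk <proc_root>/<pid>/exe and report processes backed by a deleted file.

    proc_root is a parameter so the same logic runs against a constructed
    directory tree (see build_sample_proc) as well as the real /proc.
    """
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/sys, ...
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            # Kernel threads have no exe link; other processes may be
            # unreadable without privilege. Skip rather than abort the hunt.
            continue
        if not is_deleted_exe(target):
            continue
        try:
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        findings.append(Finding(pid=int(entry), exe_target=target, comm=comm))
    return sorted(findings, key=lambda f: f.pid)


def build_sample_proc() -> str:
    """Construct a fake /proc layout in a temp dir (sample data, not real PIDs).

    pid 100: ordinary process, exe link points at an installed binary
    pid 200: process whose binary was unlinked after launch (the hit)
    pid 300: kernel-thread-like entry with no exe link at all
    """
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, comm, exe in [
        (100, "sshd", "/usr/sbin/sshd"),
        (200, "svc-update", "/tmp/.cache/svc-update (deleted)"),
        (300, "kworker/0:1", None),
    ]:
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "w") as fh:
            fh.write(comm + "\n")
        if exe is not None:
            # dangling symlink is fine: we only read the link text, as on /proc
            os.symlink(exe, os.path.join(d, "exe"))
    os.makedirs(os.path.join(root, "sys"))   # non-numeric entry to be ignored
    return root


if __name__ == "__main__":
    for f in scan_proc(build_sample_proc()):
        print(f"pid={f.pid} comm={f.comm} exe={f.exe_target}")
```

Run it as root against the real /proc (scan_proc() with no argument) to see every process whose binary is gone. Treat a hit as a lead rather than a verdict: a package upgrade that replaces a running daemon produces the same marker, so correlate with the path (a binary under /tmp or a hidden directory is far more suspicious than /usr/sbin/sshd) and with the process start time before escalating.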

    AcidPour has been attributed to a hacker group tracked as UAC-0165, which is associated with Sandworm and has a track record of attacking critical infrastructure in Ukraine.

    Ukraine’s Computer Emergency Response Team (CERT-UA) said in October 2023 that attackers targeted at least 11 telecommunications service providers in the country between May and September last year.


    “[AcidPour] Probably in 2023,” Hegel told The Hacker News. “The actors likely continued to use AcidRain/AcidPour-related tools throughout the war. This gap in opinion illustrates the extent of the public’s understanding of cyber intrusions – which is often quite limited and incomplete.”

A threat actor named Solntsepyok (aka Solntsepek or SolntsepekZ) claimed to have infiltrated four different Ukrainian telecom operators and disrupted their services on March 13, 2024, three days before AcidPour was discovered, a fact that further strengthens the connection with Sandworm.

    According to Ukraine’s State Special Communications Service (SSSCIP), Solntsepyok is a Russian advanced persistent threat (APT) that may have links to the General Staff of the Armed Forces of the Russian Federation (GRU), which is also responsible for operating Sandworm.

It is worth pointing out that Solntsepyok was accused of hacking into Kyivstar’s systems as early as May 2023, an intrusion that came to light in late December.

    While it is unclear whether AcidPour was used in the latest series of attacks, the discovery demonstrates that threat actors are continuing to refine their tactics to launch destructive attacks with significant operational impact.

    “This development reveals not only improvements in the technical capabilities of these threat actors, but also their methods of carefully selecting targets to maximize subsequent impact and disrupt critical infrastructure and communications,” the researchers said.
