AcidPour Wiper
A wiper malware known as AcidPour has potentially been used in attacks aimed at four telecommunications providers in Ukraine. Cybersecurity experts have identified ties between this malware and AcidRain, linking it to threat operations associated with Russian military intelligence. AcidPour has enhanced functionality that makes it capable of incapacitating a range of embedded devices, including networking equipment, Internet of Things (IoT) devices, large storage systems (RAIDs), and potentially Industrial Control Systems (ICS), provided they run a Linux x86 distribution.
Notably, AcidPour is a derivative of AcidRain, a wiper initially employed to sabotage Viasat KA-SAT modems during the early stages of the Russo-Ukrainian conflict in 2022, disrupting Ukraine's military communication networks.
AcidPour Is Equipped with an Expanded Set of Intrusive Capabilities
The AcidPour malware expands upon its predecessor's capabilities by specifically targeting Linux systems operating on x86 architecture. In contrast, AcidRain is tailored for MIPS architecture. While AcidRain was more generic in nature, AcidPour incorporates specialized logic to target embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays.
Nevertheless, both variants share the use of reboot calls and recursive directory-wiping routines. They also employ an IOCTL-based device-wiping mechanism that resembles the one found in VPNFilter, another malware associated with Sandworm.
One intriguing aspect of AcidPour is its coding style, reminiscent of the practical CaddyWiper malware, which has been widely used against Ukrainian targets alongside notable threats such as Industroyer2. This C-based malware includes a self-delete function that overwrites its own file on disk at the start of execution, and it applies alternative wiping approaches depending on the type of device it finds.
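The traits described above (self-overwrite of the binary, raw block-device writes followed by IOCTLs, bursts of recursive unlinks, and a reboot call) can be correlated per process in host telemetry. The following is an added detection sketch, not code from the article or from any vendor report; it assumes a simplified, constructed event format of (pid, syscall, target) rather than a specific EDR or auditd schema, and the burst threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample telemetry modelled on the behaviours described above.
# Format (pid, syscall, target) is an assumption, not a real sensor schema.
SAMPLE_EVENTS = [
    (4242, "open_write", "/tmp/wipe"),        # overwrites its own executable
    (4242, "open_write", "/dev/sda"),         # raw block device opened for write
    (4242, "ioctl", "/dev/sda"),              # IOCTL issued on that device
    (4242, "unlink", "/data/a/b/file1"),
    (4242, "unlink", "/data/a/b/file2"),
    (4242, "unlink", "/data/a/c/file3"),      # recursive directory wipe
    (4242, "reboot", ""),
    (777, "open_write", "/var/log/syslog"),   # benign daemon activity
    (777, "unlink", "/tmp/cache.tmp"),
]
# Constructed pid -> executable path map (what /proc/<pid>/exe would give).
EXE_PATHS = {4242: "/tmp/wipe", 777: "/usr/sbin/rsyslogd"}

# Device nodes typical of disks, flash (MTD), software RAID and device-mapper.
RAW_DEVICE = re.compile(r"^/dev/(sd[a-z]|nvme\d|mmcblk\d|mtd\d|mtdblock\d|md\d|dm-\d)")
UNLINK_BURST = 3   # assumed threshold for flagging an unlink burst

def score_wiper_behaviour(events, exe_paths):
    """Return {pid: set(indicators)} for pids with two or more wiper traits."""
    indicators = defaultdict(set)
    unlink_count = defaultdict(int)
    devices_written = defaultdict(set)
    for pid, syscall, target in events:
        if syscall == "open_write":
            if target == exe_paths.get(pid):
                indicators[pid].add("self_overwrite")
            if RAW_DEVICE.match(target):
                devices_written[pid].add(target)
                indicators[pid].add("raw_device_write")
        elif syscall == "ioctl" and target in devices_written[pid]:
            indicators[pid].add("ioctl_on_written_device")
        elif syscall == "unlink":
            unlink_count[pid] += 1
            if unlink_count[pid] >= UNLINK_BURST:
                indicators[pid].add("recursive_unlink_burst")
        elif syscall == "reboot":
            indicators[pid].add("reboot")
    # Require at least two independent traits to reduce single-signal noise.
    return {pid: s for pid, s in indicators.items() if len(s) >= 2}

if __name__ == "__main__":
    for pid, traits in score_wiper_behaviour(SAMPLE_EVENTS, EXE_PATHS).items():
        print(pid, sorted(traits))
```

A real deployment would feed the function from an EDR or auditd stream and treat a raw-device write combined with a reboot as a high-priority alert on its own.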
AcidPour Has Been Linked to a Russian-Aligned Hacking Group
AcidPour is believed to have been deployed by a hacking group identified as UAC-0165, which is affiliated with Sandworm and has a history of targeting critical infrastructure in Ukraine.
In October 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated this adversary in attacks against at least 11 telecommunication service providers in the country between May and September of the previous year. AcidPour may have been employed during these attacks, suggesting a consistent use of AcidRain/AcidPour-related tools throughout the conflict.
Further reinforcing the connection to Sandworm, a threat actor known as Solntsepyok (also referred to as Solntsepek or SolntsepekZ) claimed responsibility for infiltrating four Ukrainian telecommunication operators and disrupting their services on March 13, 2024, just three days before the discovery of AcidPour.
According to the State Special Communications Service of Ukraine (SSSCIP), Solntsepyok is a Russian Advanced Persistent Threat (APT) with probable ties to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which oversees Sandworm.
It's worth noting that Solntsepyok was also accused of breaching Kyivstar's systems as early as May 2023, with the breach coming to light in late December of that year.
While it remains uncertain whether AcidPour was used in the most recent wave of attacks, its discovery suggests that threat actors are continuously refining their tooling to carry out destructive attacks and cause significant operational disruption.
This evolution not only highlights an improvement in the technical capabilities of these threat actors but also underscores their strategic choice of targets to amplify the ripple effects, disrupting critical infrastructure and communications.