
Unveiling AcidPour: A New Cyberthreat Targeting Telecoms in Ukraine with Ties to Russian Intelligence

Charles M. Walls | March 22 | Views: 131


Recent findings from SentinelOne spotlight the emergence of a potent data-wiping program, AcidPour, which has reportedly targeted four Ukrainian telecom operators. The researchers tie AcidPour to AcidRain, another notorious wiper, and link both to cyber operations attributed to Russian military intelligence.

SentinelOne researchers Juan Andres Guerrero-Saade and Tom Hegel note that AcidPour broadens the range of devices it can render inoperable compared with its predecessor: networking equipment, Internet of Things (IoT) devices, large storage systems such as RAID arrays, and potentially Industrial Control Systems (ICS) running on Linux x86 platforms.

AcidPour descends from AcidRain, the malware that severely disrupted Ukraine's military communications by targeting Viasat KA-SAT modems at the start of the conflict in early 2022, and extends its predecessor's functionality. While AcidRain was built for the MIPS architecture, AcidPour specifically targets Linux systems on x86 architecture.

AcidPour distinguishes itself by homing in on embedded systems, SANs, NAS appliances, and RAID arrays, narrowing its targeting compared with the broader approach of AcidRain. Despite these differences, both strains share the same methods for issuing reboot commands and recursively wiping directories. Their device-wiping technique, which relies on IOCTLs, mirrors that seen in the VPNFilter malware associated with the Sandworm group.

AcidPour's coding style, reminiscent of the pragmatic approach of CaddyWiper (another wiper infamously deployed against Ukrainian entities), underscores the sophistication of this threat. It deletes itself upon execution and selects its wiping method according to the type of device it is targeting.

AcidPour is attributed to UAC-0165, a hacking collective linked with Sandworm and notorious for attacking Ukraine's critical infrastructure. The Computer Emergency Response Team of Ukraine (CERT-UA) disclosed that this group had targeted at least 11 telecom service providers from May to September of the previous year.

Tom Hegel of SentinelOne suggests that AcidPour's deployment in 2023 is consistent with the continued use of AcidRain and its derivatives throughout the conflict, and that it highlights how limited and fragmented public visibility into these intrusions remains.

The picture is further complicated by Solntsepyok, a threat actor implicated in disrupting the services of four Ukrainian telecom operators on March 13, 2024, only days before AcidPour was detected. With probable connections to the GRU and operational similarities to Sandworm, Solntsepyok's activities, including a breach of Kyivstar's network in May 2023, point to a continuing evolution of cyber warfare tactics aimed at crippling critical infrastructure and communication systems.

The discovery of AcidPour not only sheds light on the escalating cyber threat landscape but also highlights how strategically targeted these attacks are, designed to maximize disruption, with broader implications for national security and infrastructure resilience.
