
    Suspected Russian Cyber Operatives May Have Targeted Ukrainian Telecommunications with Enhanced ‘AcidPour’ Malware

    Recent findings from SentinelOne indicate that AcidPour, a data-wiping malware, may have been used in attacks on four telecommunications entities within Ukraine.

    Moreover, the cybersecurity company has established ties between this malware strain and AcidRain, thus implicating it in operations affiliated with Russian military intelligence.

    Security analysts Juan Andres Guerrero-Saade and Tom Hegel have highlighted AcidPour’s augmented functionalities, which facilitate the incapacitation of embedded systems such as networking infrastructures, Internet of Things (IoT) devices, extensive storage units (RAIDs), and conceivably Industrial Control Systems (ICS) employing Linux x86 distributions.

    AcidPour represents a derivative of AcidRain, a wiping tool initially deployed to incapacitate Viasat KA-SAT modems during the commencement of the Russo-Ukrainian conflict in early 2022, thereby disrupting Ukraine’s military communication channels.

    In terms of cybersecurity implications, AcidPour exhibits advancements over its predecessor, specifically targeting Linux-based systems operating on the x86 architecture, whereas AcidRain was tailored for MIPS architecture.

    While AcidRain took a more generalized approach, AcidPour integrates logic tailored to embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays.

    Nevertheless, both strains converge in their use of reboot commands and recursive directory erasure. They also share an IOCTL-based device-wiping method, which resembles that of VPNFilter, another malware family associated with Sandworm.

    The researchers have underscored AcidPour’s coding style, reminiscent of CaddyWiper, a C-based malware frequently deployed against Ukrainian targets alongside notorious threats like Industroyer 2.

    Notably, AcidPour features a self-deletion mechanism that removes its own binary from disk at the start of execution, coupled with an alternative wiping strategy that is selected according to the type of device encountered.
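A self-deleting binary keeps running from memory after its file is unlinked, and on Linux the kernel then reports the process's `/proc/<pid>/exe` link as `<path> (deleted)`. The following triage script, added here as an example and not code from SentinelOne or the article, uses that artefact to list running processes whose executable no longer exists on disk; the `ProcEntry` type, the `path_exists` parameter and the sample entries are constructed for illustration.

```python
"""Flag running Linux processes whose executable has been removed from disk."""
import os
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

DELETED_SUFFIX = " (deleted)"


@dataclass
class ProcEntry:
    pid: int
    exe_target: Optional[str]  # readlink(/proc/<pid>/exe); None if unreadable
    cmdline: str


def is_deleted_exe(exe_target: Optional[str]) -> bool:
    """True when the kernel marks the mapped binary as unlinked."""
    return exe_target is not None and exe_target.endswith(DELETED_SUFFIX)


def find_self_deleted(entries: Iterable[ProcEntry],
                      path_exists: Callable[[str], bool] = os.path.exists) -> List[ProcEntry]:
    """Return processes whose executable no longer exists on disk.

    A binary replaced by a package upgrade also shows '(deleted)', but a new
    file still exists at the original path; a payload that unlinked itself
    leaves nothing behind, so only that case is reported.
    """
    hits = []
    for entry in entries:
        if not is_deleted_exe(entry.exe_target):
            continue
        original = entry.exe_target[: -len(DELETED_SUFFIX)]
        if path_exists(original):
            continue  # upgraded in place: a different inode now sits at that path
        hits.append(entry)
    return hits


def snapshot_proc(proc_root: str = "/proc") -> List[ProcEntry]:
    """Read the live process list from procfs (needs root to see every exe link)."""
    entries = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:  # kernel thread, exited process, or no permission
            exe = None
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            cmdline = ""
        entries.append(ProcEntry(int(name), exe, cmdline))
    return entries


if __name__ == "__main__":
    for hit in find_self_deleted(snapshot_proc()):
        print(f"pid {hit.pid}: {hit.exe_target}  cmd={hit.cmdline!r}")
```

Run it as root during triage; each hit deserves a memory capture of the process (for example via `/proc/<pid>/exe`, which still maps the unlinked image) before any remediation that would terminate it.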

    Attribution of AcidPour points to a hacking faction identified as UAC-0165, affiliated with Sandworm and renowned for targeting critical Ukrainian infrastructure.

    In October 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated this adversary in attacks directed at no fewer than 11 telecommunications service providers within the nation between May and September of the previous year.

    Tom Hegel, in dialogue with The Hacker News, speculated on the potential utilization of AcidPour in 2023, suggesting a persistent reliance on AcidRain/AcidPour-related tools throughout the conflict. This observation underscores the limited understanding often afforded to public audiences regarding cyber intrusions.

    The linkage to Sandworm gains further credibility with reports of a threat actor identified as Solntsepyok claiming responsibility for infiltrating four distinct Ukrainian telecommunications operators and disrupting their services on March 13, 2024, just days before the unearthing of AcidPour.

    According to the State Special Communications Service of Ukraine (SSSCIP), Solntsepyok represents a Russian Advanced Persistent Threat (APT) group with probable connections to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which oversees Sandworm operations.

    It is pertinent to note that Solntsepyok stands accused of breaching Kyivstar’s systems as early as May 2023, with the incident only coming to light toward the end of the year.

    While the involvement of AcidPour in the recent wave of attacks remains speculative, its discovery underscores the evolving strategies employed by threat actors to orchestrate debilitating offensives and cause significant operational disruptions.

    The evolving landscape reveals not only advancements in the technical proficiency of these adversaries but also their calculated targeting of entities likely to yield cascading repercussions, thereby disrupting critical infrastructure and communication networks.
