Advanced malware AcidPour disrupts Ukrainian telecoms amid Russian invasion
In newly conducted research by SentinelLabs, AcidPour, an advanced wiper malware, builds upon the capabilities of AcidRain and proves more destructive in potential. AcidPour's discovery happened amidst the ongoing disruption of several Ukrainian telecommunication networks, though its specific targets have yet to be clearly identified.
AcidRain, during the Russian invasion of Ukraine, resulted in Eutelsat KA-SAT modems being rendered unresponsive and further disturbances throughout Europe. SentinelLabs' examination confirms a connection between AcidRain and AcidPour, linking the newly discovered malware to risk groups previously publicly ascribed to Russian military intelligence. The Ukrainian Computer Emergency Response Team (CERT-UA) has additionally attributed this activity to a subgroup within Sandworm.
On 16 March 2024, SentinelLabs detected a doubtful Linux binary uploaded from Ukraine. Initial appraisals revealed striking resemblances to the notorious AcidRain wiper, known to debilitate KA-SAT modems throughout Europe at the commencement of the Russian invasion of Ukraine. Since this preliminary unearthing, no other similar samples or variants have been reported. SentinelLabs researchers confirmed that this newly identified sample is an AcidPour variant with the ability to extend its damaging reach.
According to SentinelLabs' technical inference, AcidPour's enhanced abilities could better disable embedded devices, such as networking, Internet of Things (IoT), large storage (RAIDs), and potentially Industrial Control Systems (ICS) devices functioning on Linux x86 distributions. Upon initial reporting on Twitter, CyberScoop reported a claim by the Ukrainian SSCIP that attributes SentinelLabs' revelations to UAC-0165, considered a subgroup within the outdated 'Sandworm' threat actor construction. SentinelLabs' analysis is ongoing.
Key discoveries include the finding of a new AcidRain malware variant, named AcidPour, that SentinelLabs now confirms extends the malicious capabilities of AcidRain. It has been designed to target Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, effectively focusing on RAID arrays and large storage apparatus. The research analysis validates the connection between AcidRain and AcidPour and links it effectively to threats formerly attributed to Russian military intelligence by the public.
The detailed targets of AcidPour have yet to be definitively confirmed. However, its discovery parallels the sustained disruption of numerous Ukrainian telecommunication networks, which have been reportedly offline since 13 March. A GRU-operated hacktivist persona publicly claims the Internet Service Provider (ISP) attacks via Telegram.
The unveiling of AcidPour reminds us that the cyber supporting this ongoing conflict continues to evolve, even two years after the emergence of AcidRain. The cyber culprits are proficient in orchestrating far-flung disruptions and have persistently demonstrated their unflinching intention to do so by any means necessary. With its broader capabilities, the progression from AcidRain to AcidPour highlights the tactical intent to inflict a substantial operational impact. It reveals not just an improvement in the technical capabilities of these malefactors but also their carefully chosen targets aimed at maximising subsequent effects, disturbing crucial infrastructure and communication.
SentinelLabs remains vigilant, continually monitoring these activities, in the hope that the broader research community will continue to support this tracking with enhanced telemetry and analysis.