News
AcidPour - New embedded wiper variant of AcidRain appears in Ukraine
March 2024 by SentinelLabs
On 16th March 2024, SentinelLabs identified a suspicious Linux binary uploaded from Ukraine. Initial analysis showed surface similarities with the infamous AcidRain wiper used to disable KA-SAT modems across Europe at the start of the Russian invasion of Ukraine (commonly identified by the ‘Viasat hack’ misnomer). Since the initial finding, no similar samples or variants have been detected or publicly reported until now. This new sample is a confirmed variant SentinelLabs researchers refer to as ‘AcidPour’, a wiper with similar and expanded capabilities.
SentinelLabs’ technical analysis suggests that AcidPour’s expanded capabilities would enable it to better disable embedded devices, including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions.
Following an initial reporting on Twitter, CyberScoop reported a claim from the Ukrainian SSCIP attributing SentinelLabs’ findings to UAC-0165, clustered as a subgroup under the outdated ‘Sandworm’ threat actor construct. Initial findings were reported to partners on Saturday, followed by the public analysis thread on Twitter. SentinelLabs’ analysis is ongoing.
Key findings:
• SentinelLabs has discovered a novel malware variant of AcidRain, a wiper that rendered Eutelsat KA-SAT modems inoperative in Ukraine and caused additional disruptions throughout Europe at the onset of the Russian invasion.
• The new malware, which SentinelLabs calls AcidPour, expands upon AcidRain’s capabilities and destructive potential to now include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, better targeting RAID arrays and large storage devices.
• The analysis confirms the connection between AcidRain and AcidPour, effectively connecting it to threat clusters previously publicly attributed to Russian military intelligence. CERT-UA has also attributed this activity to a Sandworm subcluster.
• Specific targets of AcidPour have yet to be conclusively verified; however, the discovery coincides with the enduring disruption of multiple Ukrainian telecommunication networks, reportedly offline since 13th March.
• The ISP attacks are being publicly claimed by a GRU-operated hacktivist persona via Telegram.
Conclusion
The discovery of AcidPour in the wild serves as a stark reminder that cyber support for this hot conflict continues to evolve two years after AcidRain. The threat actors involved are adept at orchestrating wide-ranging disruptions and have demonstrated their unwavering intent to do so by a variety of means.
The transition from AcidRain to AcidPour, with its expanded capabilities, underscores the strategic intent to inflict significant operational impact. This progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximise follow-on effects, disrupting critical infrastructure and communications.
SentinelLabs continues to monitor these activities and hopes the broader research community will continue to support this tracking with additional telemetry and analysis.
