Skip to content Skip to footer

AcidPour Malware Linked to Russian Military Intelligence Targeting Ukrainian Telecom Providers

The threat of on critical infrastructure is ever-present, and a new report from cybersecurity firm SentinelOne shows that a data-wiping malware called AcidPour has been deployed in attacks targeting four telecom providers in Ukraine. The malware has been found to have connections with AcidRain, which has been tied to threat activity clusters associated with military intelligence.

According to security researchers Juan Andres Guerrero-Saade and Tom Hegel, AcidPour's expanded capabilities would enable it to disable embedded devices, networking, IoT, ample storage (RAIDs), and possibly ICS devices running Linux x86 distributions. The malware is a variant of AcidRain, which was used to render Viasat KA-SAT modems operable at the onset of the Russo-Ukrainian war in early 2022 and cripple Ukraine's military communications.

While AcidRain was more generic, AcidPour incorporates logic to target embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays. Both strains have similar features, such as reboot calls and the method employed for recursive directory wiping. Also identical is the IOCTLs-based device-wiping mechanism, which shares commonalities with another malware linked to Sandworm, VPNFilter.

The researchers have noted that one of the most exciting aspects of AcidPour is its style, reminiscent of the pragmatic CaddyWiper. This malware has been broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2. The C-based malware comes with a self-delete function that overwrites itself on disk at the beginning of its execution while employing an alternate wiping approach depending on the device type.

AcidPour has been attributed to a crew tracked as UAC-0165. This crew is associated with Sandworm and has a track record of striking Ukrainian critical infrastructure. The Computer Emergency Response Team of Ukraine (CERT-UA) implicated the adversary in attacks targeting at least 11 telecommunication service providers in the country between May and September last year.

In October 2023, the State Special Communications Service of Ukraine (SCIP) discovered that a known as Solntsepyok (aka Solntsepek or SolntsepekZ) had infiltrated four different telecommunication operators in Ukraine and disrupted their services on March 13, 2024, three days before the discovery of AcidPour. Solntsepyok is a advanced persistent threat () with likely ties to the Main Directorate of the General Staff of the Armed Forces of the Federation (GRU), which also operates Sandworm.

It's worth noting that Solntsepyok has also been accused of into Kyivstar's systems as early as May 2023. The breach came to light in late December. The ties to Sandworm are further bolstered by the fact that a known as Solntsepyok claimed to have infiltrated four different telecommunication operators in Ukraine and disrupted their services on March 13, 2024, three days before the discovery of AcidPour.

The development of AcidPour and similar malware underscores the need for continued vigilance and efforts to combat cyber threats targeting critical infrastructure. Organizations must take the necessary steps to secure their networks and devices against these malicious attacks.

Leave a comment

Newsletter Signup

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

- Dade: What is it with this guy?
- Phreak: His parents missed Woodstock, and he's been making up for it since.
Dade & Phreak

Deitasoft © 2024. All Rights Reserved.