Russian Hackers May Have Attacked Ukrainian Telecom Providers Using Up-To-Date AcidPour Malware

According to new SentinelOne research, “AcidPour, a data-wiping virus, may have been used in assaults against four Ukrainian telecom operators.”

The cybersecurity company also validated links between the malware and AcidRain, and tied it to threat activity clusters already associated with Russian military intelligence.

The security experts Juan Andres Guerrero-Saade and Tom Hegel claimed, "AcidPour's expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions."

AcidPour is a variant of AcidRain, the wiper used to knock Viasat KA-SAT modems offline at the start of the Russo-Ukrainian conflict in early 2022, disrupting Ukraine's military communications.

It also extends AcidRain's functionality. AcidPour targets Linux systems on the x86 architecture, whereas AcidRain was built for the MIPS architecture.

Whereas AcidRain was more generic, AcidPour includes logic that specifically targets embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays.

Both strains overlap in their use of reboot calls and in their recursive directory-wiping routine, and the IOCTL-based device-wiping mechanism is likewise the same. AcidPour also bears similarities to VPNFilter, another Sandworm-linked malware family.

The authors of the study stated, "One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2."

The C-based malware includes a self-delete function that overwrites itself on disk at the start of execution, as well as an alternative wiping method that varies depending on the device type.

AcidPour was attributed to a threat group tracked as UAC-0165, which is linked to Sandworm and has a history of targeting Ukrainian critical infrastructure.

In October 20NUM_, CERT-UA implicated the adversary in attacks on at least 11 telecommunications service providers in the country, carried out between May and September of the previous year.

"[AcidPour] could have been used in 2023," Hegel said to The Hacker News. "It is probable that the actor used AcidRain/AcidPour-related tools constantly throughout the fight. The gap in the viewpoint reflects the public's poor and inadequate understanding of cyber attacks."

The link to Sandworm is further strengthened by the fact that a threat actor known as Solntsepyok (aka Solntsepek or SolntsepekZ) claimed to have breached four Ukrainian telecommunications operators and disrupted their services on March 13, 2024, three days before AcidPour was discovered.

According to the State Special Communications Service of Ukraine (SSSCIP), Solntsepyok is a Russian advanced persistent threat (APT) with possible links to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also oversees Sandworm.

Solntsepyok is suspected of having breached Kyivstar's networks as early as May 2023; the intrusion became public in late December of that year.

Whether AcidPour was used in this latest wave of attacks is not yet clear, but its discovery indicates that the threat actors are continually upgrading their tooling to carry out destructive attacks with major operational consequences.

The authors of the study stated that "this progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical infrastructure and communications."