Russian Hackers Target Ukrainian Telecoms with Upgraded 'AcidPour' Malware

Winston. I

3/22/2024, 2 min read

New findings from SentinelOne reveal that the data wiping malware known as AcidPour has potentially been deployed in attacks targeting four telecom providers in Ukraine.

According to the cybersecurity firm, there are connections between AcidPour and AcidRain, linking them to threat activity clusters associated with Russian military intelligence.

Security researchers Juan Andres Guerrero-Saade and Tom Hegel stated that AcidPour has expanded capabilities, allowing it to effectively disable various embedded devices, including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions.

AcidPour, which is a variant of AcidRain, builds upon the features of its predecessor. AcidRain was previously used to render Viasat KA-SAT modems inoperable at the beginning of the Russo-Ukrainian war in early 2022 and disrupt Ukraine's military communications. AcidPour specifically targets Linux systems running on x86 architecture, while AcidRain is compiled for MIPS architecture.

While AcidRain was more generic, AcidPour is designed to target embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays.

However, both strains share similarities in their use of reboot calls, recursive directory-wiping routines, and IOCTL-based device-wiping mechanisms, which are also found in another malware family associated with Sandworm, VPNFilter.

The researchers noted that AcidPour's coding style is similar to CaddyWiper, a C-based malware commonly used against Ukrainian targets alongside other notable malware such as Industroyer 2. AcidPour includes a self-delete function that overwrites itself on disk at the start of execution, and it selects an alternate wiping approach depending on the type of device.

AcidPour has been attributed to a hacking crew tracked as UAC-0165, which is associated with Sandworm and has a track record of striking Ukrainian critical infrastructure.

The Computer Emergency Response Team of Ukraine (CERT-UA), in October 2023, implicated the adversary in attacks targeting at least 11 telecommunication service providers in the country between May and September 2023.

Hegel, speaking to The Hacker News, stated that AcidPour could have been utilized in 2023 and that it's probable the actor consistently employed AcidRain/AcidPour related tools throughout the war. This highlights the limited and incomplete insight the public typically has into cyber intrusions.

The connection to Sandworm is reinforced by the actions of a threat actor known as Solntsepyok, who claimed to have breached four Ukrainian telecommunication operators and disrupted their services on March 13, 2024, just three days before AcidPour was discovered.

According to the State Special Communications Service of Ukraine (SSSCIP), Solntsepyok is a Russian advanced persistent threat (APT) with likely connections to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also operates Sandworm.

Notably, Solntsepyok was accused of hacking into Kyivstar's systems as early as May 2023, with the breach coming to light in late December.

While it's unclear if AcidPour was utilized in the recent attacks, its discovery suggests that threat actors are continuously refining their tactics to conduct destructive assaults and cause significant operational disruptions.

"This evolution not only demonstrates an enhancement in the technical capabilities of these threat actors but also their strategic approach in targeting entities that amplify the impact, disrupting critical infrastructure and communications," stated the researchers.