Researchers have discovered never-before-seen wiper malware that they link to the Kremlin and to a two-year-old operation that destroyed more than 10,000 satellite modems, mostly in Ukraine, on the eve of Russia's invasion of the neighboring country.
AcidPour, as researchers at security firm SentinelOne have named the new malware, bears strong similarities to AcidRain, a wiper discovered in March 2022 that Viasat has confirmed was used in the attack on its modems earlier that month. A wiper is a malicious application designed to destroy stored data or render a device inoperable. Viasat said AcidRain was installed on more than 10,000 Eutelsat KA-SAT modems used by broadband providers seven days before the wiper was discovered in March 2022. AcidRain was installed on the devices after the attackers gained access to the company's private network.
SentinelOne, which also discovered AcidRain, said at the time that the earlier wiper had enough technical overlap with malware the U.S. government attributed to the Russian government in 2018 that AcidRain and that 2018 malware, known as VPNFilter, were likely the work of the same developer team. Thursday's SentinelOne report, which notes similarities between AcidRain and AcidPour, in turn provides evidence that AcidPour was also created by developers working on behalf of the Kremlin.
The technical similarities include:
- Use of the same reboot mechanism
- Identical logic for recursive directory wiping
- The same IOCTL-based wiping mechanism
AcidPour also shares programming similarities with two other pieces of malware attributed to Sandworm: Industroyer2, which targeted a high-voltage substation in Ukraine in 2022, and CaddyWiper, which was used against a range of targets in Ukraine.
"AcidPour is programmed in C with no dependencies on statically compiled libraries or imports," Thursday's report notes. "Most functionality is implemented via direct syscalls, many of them called using inline assembly and opcodes." The developers of CaddyWiper and Industroyer2 used the same approach.
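The build profile just described (no dynamic linking, kernel reached through raw syscall instructions rather than libc) is something a responder can test for mechanically during triage. The script below is an example added to this article, not SentinelOne's tooling and not a signature for AcidPour: it parses the ELF program headers, treats the absence of PT_INTERP and PT_DYNAMIC as "nothing imported," and counts raw kernel-entry opcodes inside executable segments. It assumes x86-family opcodes (`syscall`, `int 0x80`), and the ELF it builds for the self-test is a constructed sample, not a real binary. Any static binary (busybox, Go, musl-linked tools) will match, so treat a hit as a reason to look closer, not as a verdict.

```python
"""Triage heuristic for the build profile described above: an ELF with no
dynamic-linking metadata whose executable segments contain raw kernel-entry
instructions.  Example code added to this article; it is not SentinelOne's
tooling and is not a signature for AcidPour."""
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PF_X = 1
MACHINES = {0x03: "i386", 0x3E: "x86-64", 0x08: "mips", 0x28: "arm", 0xB7: "aarch64"}
# Assumption: only x86-family kernel-entry opcodes are matched.  Other ISAs
# (MIPS `syscall`, ARM `svc`) need their own patterns.
SYSCALL_OPCODES = {"syscall": b"\x0f\x05", "int80": b"\xcd\x80"}


def elf_info(data):
    """Return (e_machine, [(p_type, p_flags, p_offset, p_filesz), ...])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    phdrs = []
    if data[4] == 2:  # ELFCLASS64
        _, machine, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from("<HHIQQQIHHH", data, 16)
        for i in range(phnum):
            p_type, p_flags, p_off, _, _, p_size = struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
            phdrs.append((p_type, p_flags, p_off, p_size))
    elif data[4] == 1:  # ELFCLASS32
        _, machine, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from("<HHIIIIIHHH", data, 16)
        for i in range(phnum):
            p_type, p_off, _, _, p_size, _, p_flags = struct.unpack_from("<IIIIIII", data, phoff + i * phentsize)
            phdrs.append((p_type, p_flags, p_off, p_size))
    else:
        raise ValueError("unknown ELF class")
    return machine, phdrs


def triage(data):
    """Classify one ELF image.  'static' means no PT_INTERP/PT_DYNAMIC, i.e.
    nothing is imported from shared libraries; 'raw_syscalls' counts
    kernel-entry opcodes inside executable PT_LOAD segments only."""
    machine, phdrs = elf_info(data)
    types = {p[0] for p in phdrs}
    counts = dict.fromkeys(SYSCALL_OPCODES, 0)
    for p_type, p_flags, off, size in phdrs:
        if p_type == PT_LOAD and p_flags & PF_X:
            seg = data[off:off + size]
            for name, pattern in SYSCALL_OPCODES.items():
                counts[name] += seg.count(pattern)
    static = not (types & {PT_DYNAMIC, PT_INTERP})
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "static": static,
        "raw_syscalls": counts,
        # Heuristic only: busybox, Go and musl-static binaries also match.
        "suspicious": static and sum(counts.values()) > 0,
    }


def build_elf64(code, dynamic=False):
    """Construct a minimal x86-64 ELF around `code` (constructed sample for
    exercising the triage logic; it is not a real program image)."""
    phdrs = [(PT_LOAD, 5)]  # R+X segment holding the code
    if dynamic:  # pretend to be dynamically linked
        phdrs += [(PT_INTERP, 4), (PT_DYNAMIC, 6)]
    phoff, base = 64, 0x400000
    code_off = phoff + 56 * len(phdrs)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
                       2, 0x3E, 1, base + code_off, phoff, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    table = b"".join(struct.pack("<IIQQQQQQ", t, f, code_off, base + code_off, base + code_off,
                                 len(code), len(code), 0x1000) for t, f in phdrs)
    return ehdr + table + code


# mov eax, 60 ; xor edi, edi ; syscall  -- exit(0) via a raw syscall, no libc
EXIT_STUB = b"\xb8\x3c\x00\x00\x00\x31\xff\x0f\x05"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_elf64(EXIT_STUB)
    print(triage(data))
```

Run it against a file path to triage a real sample, or with no arguments to see the constructed sample classified. Counting opcodes only inside executable PT_LOAD segments keeps data sections from inflating the count; the "static" check is deliberately coarse because a wiper built this way carries no dynamic section at all, which is exactly what the report describes.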
Bolstering the theory that AcidPour was created by the same Russian threat group behind previous attacks on Ukraine, a representative of Ukraine's State Special Communications and Information Protection Service told CyberScoop that AcidPour was created by UAC-0165, a threat group within Sandworm, the much larger group run by Russia's military intelligence unit, the GRU. Representatives of the State Special Communications and Information Protection Service did not immediately respond to an email seeking comment for this post.
Sandworm has a long history of targeting critical infrastructure in Ukraine. Ukrainian authorities said last September that UAC-0165 regularly assumes fake hacktivist personas to claim credit for attacks carried out by the group.
SentinelOne researchers Juan Andrés Guerrero-Saade and Tom Hegel further speculate that AcidPour may have been used to disrupt multiple telecommunications networks in Ukraine that have been down since March 13, three days before the researchers discovered the new wiper. They point to a statement on Telegram by a persona known as SolntsepekZ, which claimed responsibility for the hack that took down the consortium Triangulum and Misto TV, which provide telephone and Internet service under the Triacom brand.
The week-long outages have been confirmed anecdotally and by the network intelligence company Kentik, which indicated the networks remained down at the time this post was published on Ars. As of Thursday afternoon California time, the Misto-TV website displayed a network outage notice that read:
“At this time, we cannot confirm that AcidPour was used to interfere with these ISPs,” Guerrero-Saade and Hegel wrote in Thursday's post. “The prolonged disruption suggests a more complex attack than a simple DDoS or nuisance disruption. AcidPour, uploaded three days after this disruption began, fits the requirements of the necessary toolkit. If so, it could serve as another link between this hacktivist persona and specific GRU activities.”
The researchers added:
“The transition from AcidRain to AcidPour has expanded capabilities and underscores the strategic intent to have a significant operational impact. It also reveals a calculated approach to selecting targets that disrupt critical infrastructure and communications and maximize follow-on effects.”