Russian Hackers Unleash Upgraded ‘AcidPour’ Malware on Ukrainian Telecoms

Cybersecurity researchers have uncovered a potent new strain of malware that appears to be an upgraded version of the notorious “AcidRain” wiper used to disrupt Ukrainian communications at the start of Russia’s invasion. Dubbed “AcidPour,” this Linux-based malware expands on AcidRain’s destructive capabilities, potentially putting networking devices, large storage systems like RAIDs, and industrial control systems running Linux at risk.

The Discovery of AcidPour On March 16th, 2024, researchers at SentinelLabs identified a suspicious Linux binary uploaded from Ukraine. Initial analysis revealed striking similarities to AcidRain, the wiper that rendered Viasat’s KA-SAT satellite modems across Europe inoperable in February 2022. This new sample, now confirmed as a variant called “AcidPour,” represents an evolved version of AcidRain with expanded wiping abilities.

It's been an interesting weekend! Eagle-eyed @TomHegel spotted what appears to be a new variant of AcidRain. Notably this sample was compiled for Linux x86 devices, we are calling it 'AcidPour'. Those of you that analyzed AcidRain will recognize some of the strings. Analysis 🧵 pic.twitter.com/wY3PJKaOwK
— J. A. Guerrero-Saade (@juanandres_gs) March 18, 2024

Expanded Destructive Potential While AcidRain targeted modems and routers using specific chip architectures, AcidPour is compiled for x86 architecture, opening the door to a broader range of potential targets. The malware’s upgraded functionality includes the ability to wipe Linux Unsorted Block Image (UBI) and Device Mapper (DM) systems, better enabling it to target RAID arrays and large storage devices.

Confirmed Connections to Russian Actors SentinelLabs’ analysis confirms the connection between AcidRain and AcidPour, effectively linking the new malware to threat clusters previously attributed to Russian military intelligence by public sources. Ukraine’s cybersecurity authorities have also attributed this latest activity to a subgroup known as UAC-0165, which has targeted critical infrastructure like telecommunications, energy, and government services.

Potential Link to Telecoms Disruption While specific targets of AcidPour remain unverified, its discovery coincides with the ongoing disruption of multiple Ukrainian telecommunication networks, which have reportedly been offline since March 13th. Notably, a Russian government-linked hacktivist persona called “SolntsepekZ” has claimed responsibility for intrusions into Ukrainian telecom organizations via their Telegram channel.

Continued Cyber Threats from Russia As the conflict in Ukraine rages on, this latest malware development underscores the persistent cyber threats posed by Russian state-sponsored actors. With AcidPour’s expanded capabilities, the stakes are higher for Ukrainian organizations and infrastructure to bolster their cybersecurity defenses against these potent wipers and other disruptive malware.