Russian Hackers Target Ukrainian Telecoms with Upgraded 'AcidPour' Malware

The data wiping malware known as AcidPour may have been deployed in attacks targeting four telecom providers in Ukraine, new findings from SentinelOne show.

The cybersecurity firm also confirmed connections between the malware and AcidRain, tying it to threat activity clusters associated with Russian military intelligence.

"AcidPour's expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions," security researchers Juan Andres Guerrero-Saade and Tom Hegel said.

AcidPour is a variant of AcidRain, a wiper that was used to render Viasat KA-SAT modems inoperable at the onset of the Russo-Ukrainian war in early 2022 and cripple Ukraine's military communications.

It also builds upon the latter's features, while targeting Linux systems running on the x86 architecture. AcidRain, on the other hand, is compiled for the MIPS architecture.

Where AcidRain was more generic, AcidPour incorporates logic to target embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays.

That said, both strains overlap when it comes to the use of reboot calls and the method employed for recursive directory wiping. Also identical is the IOCTL-based device-wiping mechanism, which in turn shares commonalities with another malware linked to Sandworm known as VPNFilter.

"One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper widely used against Ukrainian targets alongside notable malware like Industroyer 2," the researchers said.

The C-based malware comes with a self-delete function that overwrites itself on disk at the start of its execution, while also employing an alternate wiping approach depending on the device type.
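The self-delete behaviour described above leaves a trace that defenders can hunt for while the wiper is still running: on Linux, `/proc/<pid>/exe` keeps pointing at the original binary, and the kernel appends " (deleted)" to that link once the file is unlinked; if the file was instead overwritten in place, the path still exists but no longer holds an ELF image. The script below is an added example, not code from SentinelOne's report or from the malware itself. It assumes only the standard procfs layout and ships with a constructed miniature `/proc` tree (labelled as such in the code) so it can self-test without a live infection.

```python
"""Hunt for running Linux processes whose executable has vanished or been clobbered on disk.

Added example, not SentinelOne's or the malware's code. The only assumption is the
standard procfs layout: /proc/<pid>/exe is a symlink to the running binary, and the
kernel appends " (deleted)" to its target once the file has been unlinked.
"""
import os
import tempfile
from pathlib import Path

DELETED_SUFFIX = " (deleted)"
ELF_MAGIC = b"\x7fELF"


def classify_exe(target: str):
    """Return why an exe link target looks suspicious, or None if it looks normal."""
    if target.endswith(DELETED_SUFFIX):
        return "unlinked"            # file removed; process keeps running from memory
    try:
        with open(target, "rb") as fh:
            head = fh.read(len(ELF_MAGIC))
    except OSError:
        return "unreadable"          # path gone without the kernel marking it (e.g. other mount namespace)
    if head != ELF_MAGIC:
        return "overwritten"         # path still exists but no longer holds an ELF image
    return None


def find_tampered_exe_processes(proc_root="/proc"):
    """Scan a procfs tree and return sorted (pid, comm, exe_path, reason) tuples."""
    hits = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue                 # /proc/sys, /proc/net, ... are not processes
        try:
            target = os.readlink(entry / "exe")
        except OSError:
            continue                 # kernel threads have no exe; other users' processes need ptrace rights
        reason = classify_exe(target)
        if reason is None:
            continue
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:
            comm = "?"
        path = target[: -len(DELETED_SUFFIX)] if reason == "unlinked" else target
        hits.append((int(entry.name), comm, path, reason))
    return sorted(hits)


def build_fake_proc(base_dir=None) -> str:
    """Construct a miniature procfs tree (test fixture, not real data) with three 'processes'."""
    base = Path(base_dir or tempfile.mkdtemp())
    proc, bins = base / "proc", base / "bin"
    proc.mkdir()
    bins.mkdir()
    (proc / "sys").mkdir()                                   # non-pid entry that must be skipped
    healthy = bins / "sshd"
    healthy.write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9)   # minimal ELF-looking header
    clobbered = bins / "update"
    clobbered.write_bytes(b"\0" * 16)                        # zero-filled, as an overwritten binary would be
    cases = {
        "100": str(healthy),                                 # benign daemon
        "200": str(bins / "acid") + DELETED_SUFFIX,          # unlinked itself after start
        "300": str(clobbered),                               # overwrote itself in place
    }
    for pid, link_target in cases.items():
        d = proc / pid
        d.mkdir()
        os.symlink(link_target, d / "exe")
        (d / "comm").write_text(Path(link_target.replace(DELETED_SUFFIX, "")).name + "\n")
    return str(proc)


if __name__ == "__main__":
    for pid, comm, path, reason in find_tampered_exe_processes():
        print(f"pid={pid} comm={comm} exe={path} reason={reason}")
```

Run it as root on the suspect host so every `/proc/<pid>/exe` link is readable. Expect benign hits too: long-running daemons whose package was upgraded show up as "unlinked", and processes in another mount namespace show up as "unreadable" because their exe path is relative to their own root. Treat a hit as a lead to pull the still-mapped image out of `/proc/<pid>/exe` for analysis before the process exits, not as a verdict on its own.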

AcidPour has been attributed to a hacking crew tracked as UAC-0165, which is associated with Sandworm and has a track record of striking Ukrainian critical infrastructure.

The Computer Emergency Response Team of Ukraine (CERT-UA), in October 2023, implicated the adversary in attacks targeting at least 11 telecommunication service providers in the country between May and September of last year.

"[AcidPour] could have been used in 2023," Hegel told The Hacker News. "It's likely the actor has made use of AcidRain/AcidPour related tooling consistently throughout the war. A gap in this perspective speaks to the level of insight the public often has into cyber intrusions – often quite limited and incomplete."

The ties to Sandworm are further bolstered by the fact that a threat actor known as Solntsepyok (aka Solntsepek or SolntsepekZ) claimed to have infiltrated four different telecommunication operators in Ukraine and disrupted their services on March 13, 2024, three days prior to the discovery of AcidPour.

Solntsepyok, according to the State Special Communications Service of Ukraine (SSSCIP), is a Russian advanced persistent threat (APT) with likely ties to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also operates Sandworm.

It's worth pointing out that Solntsepyok has also been accused of hacking into Kyivstar's systems as early as May 2023. The breach came to light in late December.

While it's currently not clear if AcidPour was used in the latest set of attacks, the discovery suggests that threat actors are constantly refining their tactics to stage destructive attacks and inflict significant operational impact.

"This progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical infrastructure and communications," the researchers said.
