AcidPour Wiper

On 16 March 2024, Sentinel Labs identified a suspicious Linux binary uploaded from Ukraine.  Initial analysis showed surface similarities with the infamous AcidRain wiper used to disable KA-SAT modems across Europe at the start of the Russian invasion of Ukraine (commonly identified by the ‘Viasat hack’ misnomer).  Since our initial finding, no similar samples or variants have been detected or publicly reported until now.  This new sample is a confirmed variant called ‘AcidPour’, a wiper with similar and expanded capabilities.  The technical analysis suggests that AcidPour’s expanded capabilities would enable it to better disable embedded devices, including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions.[1]

Following Sentinel’s initial reporting on Twitter, CyberScoop reported a claim from the Ukrainian SSSCIP attributing our findings to UAC-0165, clustered as a subgroup under the outdated ‘Sandworm’ threat actor construct. We reported our initial findings to partners on Saturday, followed by the public analysis thread on Twitter. Our analysis is ongoing.

AcidRain Context—On 24 February 2022, a cyber-attack rendered Eutelsat KA-SAT modems inoperable in Ukraine. The spillover from this attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control and reportedly affected vital services across Europe.

On 30 March 2022, analysts identified a wiper component called AcidRain. This component is part of the attack chain that caused this disruption by rendering Surfbeam2 modems inoperable in an attempt to disable vital Ukrainian military communications at the start of the Russian invasion.

During our original analysis of AcidRain, we assessed with medium confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin named ‘dstr’.  In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government.

On 10 May 2022, the European Union (EU) and its Member States issued an official condemnation of this activity, holding the Russian government responsible.  Despite many wipers and cyber operations against Ukrainian targets in the subsequent months and years, we had not seen any further uses of AcidRain or similar components.

Enter AcidPour - On 16 March 2024, Sentinel observed a new Linux wiper we are naming ‘AcidPour’.  Analysts alerted relevant partners immediately to stem the potential for any additional significant regional impact, followed by public dissemination of technical indicators and early analysis to alert the research community and encourage vigilance and contributions.

The initial finding centered on surface similarities with AcidRain, so researchers placed a large emphasis on establishing whether a more conclusive technical relationship exists between the two components and on understanding their capabilities.

Technical Analysis - Where AcidRain is a Linux wiper compiled for MIPS architecture for compatibility with the devices targeted, AcidPour is compiled for x86 architecture.  Despite both targeting Linux systems, the architecture mismatch limits our ability to compare the compiled codebases.

Notably, AcidRain was a ham-fisted wiper rather than a specifically tailored solution.  It operates by iterating over all possible devices in hardcoded paths, wiping each before wiping essential directories.  Its lack of specificity suggests a lack of familiarity (or time) to adapt to the specifics of the Surfbeam2 targets.  However, that also means that AcidRain can serve as a more generic tool able to disable a wider swath of devices reliant on embedded Linux distributions.

MD5: 1bde1e4ecc8a85cffef1cd4e5379aa44
SHA1: b5de486086eb2579097c141199d13b0838e7b631
SHA256: 6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728
Size: 17,388 bytes
Type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Filename: ‘tmphluyl8zn’
First Submitted: 2024-03-16 14:42:53 UTC, Ukraine

The AcidPour variant is an ELF binary compiled for x86 (not MIPS), and while it refers to similar devices, the codebase has been modified and expanded to include additional capabilities.  Sentinel’s best automated attempts to compare across the two architectures yield only a low-confidence similarity of < 30%.

[Figure: BinDiff output comparing AcidRain (MIPS) and AcidPour (x86)]

This was treated as a baseline measurement, and a deep-dive analysis of the new binary was conducted to test the hypothesis that the two are related variants and to detail any net new capabilities.  Notable similarities include the use of the same reboot mechanism, the exact logic of the recursive directory wiping, and most importantly the use of the same IOCTL-based wiping mechanism used by both AcidRain and the VPNFilter plugin ‘dstr’.

Shared Reboot Mechanism

Recursive Directory Processing

Wiping Mechanisms

At the time of discovery, we noted the similarities between AcidRain’s IOCTL-based device-wiping mechanism and the VPNFilter plugin ‘dstr’, pictured below:

AcidPour relies on the same device wiping mechanism:

[Figure: AcidPour’s IOCTL-based wiping mechanism]

AcidPour’s Net New Functionality—AcidPour expands upon AcidRain’s targeted Linux devices to include Unsorted Block Image (UBI) and Device Mapper (DM) logic.

AcidRain’s supported devices:

/dev/sd* - A generic block device
/dev/mtdblock* - Flash memory (common in routers and IoT devices)
/dev/block/mtdblock* - Another potential way of accessing flash memory
/dev/mtd* - The device file for flash memory that supports fileops
/dev/mmcblk* - For SD/MMC cards
/dev/block/mmcblk* - Another potential way of accessing SD/MMC cards
/dev/loop* - Virtual block devices

AcidRain targeted flash chips via MTD for raw access to flash memory in the form of /dev/mtdXX device paths.  This capability is expanded in AcidPour to include /dev/ubiXX paths. UBI is an interface built on top of MTD to act as a wear-leveling and volume management system for flash memory.  These devices are common in embedded systems dependent on flash memory like handhelds, IoT, networking, or in some cases ICS devices.

[Figure: Block string array of device paths]

AcidPour also adds logic for handling /dev/dm-XX paths to access mapped devices.  The device mapper framework enables logical volume management (LVM) and abstracts physical storage into logical volumes for easier resizing, manipulation, and maintenance.  These devices act as virtual layers of block devices, enabling features like logical volumes, software RAID, and disk encryption.  This would put devices like Storage Area Networks (SANs), Network Attached Storage (NASes), and dedicated RAID arrays in scope for AcidPour’s effects.
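A detection sketch for the device sweep described above, added here as an example (it is not code from Sentinel Labs or from the malware): it flags any process that opens device nodes from several of the listed classes for writing within a short window. The key=value event format, the class names, the threshold and the window are assumptions, and the sample events are constructed.

```python
import fnmatch
from collections import defaultdict

# Device classes from the article: AcidRain's list plus AcidPour's UBI and DM additions.
DEVICE_CLASSES = {
    "scsi/sata": ["/dev/sd*"],
    "mtd-flash": ["/dev/mtdblock*", "/dev/block/mtdblock*", "/dev/mtd*"],
    "sd/mmc": ["/dev/mmcblk*", "/dev/block/mmcblk*"],
    "loop": ["/dev/loop*"],
    "ubi": ["/dev/ubi*"],
    "device-mapper": ["/dev/dm-*"],
}

def classify(path):
    for name, globs in DEVICE_CLASSES.items():
        if any(fnmatch.fnmatchcase(path, g) for g in globs):
            return name
    return None  # not a device node this sweep is concerned with

def parse_event(line):
    """Parse the assumed 'key=value key=value ...' open-event format."""
    ev = dict(field.split("=", 1) for field in line.split())
    ev["ts"], ev["pid"] = float(ev["ts"]), int(ev["pid"])
    return ev

def detect_sweeps(lines, min_classes=3, window=10.0):
    """Return {pid: classes} for pids that write-open >= min_classes device classes within window seconds."""
    hits = defaultdict(list)
    for ev in map(parse_event, lines):
        cls = classify(ev["path"])
        if cls and "w" in ev["mode"]:  # read-only opens are ignored
            hits[ev["pid"]].append((ev["ts"], cls))
    alerts = {}
    for pid, opens in hits.items():
        opens.sort()
        for start, _ in opens:
            seen = {c for t, c in opens if 0 <= t - start <= window}
            if len(seen) >= min_classes:
                alerts[pid] = sorted(seen)
                break
    return alerts

SAMPLE_EVENTS = [  # constructed for this example
    "ts=100.0 pid=412 exe=/usr/sbin/smartd path=/dev/sda mode=r",
    "ts=101.2 pid=977 exe=/tmp/sample path=/dev/sda mode=w",
    "ts=101.3 pid=977 exe=/tmp/sample path=/dev/mtd0 mode=w",
    "ts=101.4 pid=977 exe=/tmp/sample path=/dev/ubi0_0 mode=w",
    "ts=102.0 pid=650 exe=/sbin/lvm path=/dev/dm-0 mode=rw",
]
```

Legitimate tools such as LVM or flashing utilities normally touch one device class at a time, which is why the rule keys on breadth across classes rather than on any single open.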

All Local, no imports—One of AcidPour's most interesting aspects is its coding style, which is reminiscent of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2.

AcidPour is programmed in C without relying on statically compiled libraries or imports. Most functionality is implemented via direct syscalls, many of which are called through the use of inline assembly and opcodes.

[Figure: Example of a direct syscall implementation]

This forces some unusual, seemingly archaic approaches to simple operations like storing and modifying format strings for device paths as needed during their operations.

Self-Delete

Perhaps in response to the discovery of AcidRain, this new version now kicks off with a self-delete function. It maps the original file into memory, then overwrites it with a sequence of bytes ranging from 0 to 255 followed by a polite Ok.

[Figure: AcidPour overwrites itself on the disk at the beginning of its execution]

Alternate Device Wiping Mechanism - At the time of Sentinel’s discovery of AcidRain, there was some confusion about the involvement of a wiper in taking down the Surfbeam2 modems.  Analysts reverse-engineered the malware and found a second wiping mechanism that didn’t rely on IOCTLs.  This alternate mechanism filled a buffer with the highest byte value (0xFFFFFFFF) and proceeded to decrement by 1, overwriting its target with the result.  That allowed researchers to connect AcidRain’s expected output with dumps of the affected devices.  With this crucial detail in mind, analysts looked carefully at whether AcidPour implements an analogous alternate wiping mechanism.

Depending on the device type, a different wiping mechanism is engaged, overwriting the device repeatedly with the contents of a 256kb buffer.  The specifics of this alternate mechanism require further analysis.
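The decrementing fill described for AcidRain's alternate mechanism leaves a recognisable pattern in a device dump. The triage script below is an added example, not code from Sentinel Labs: it scans a dump for runs of 32-bit words that each equal the previous word minus 1. The 4-byte aligned word layout, the min_words threshold and the choice to try both byte orders are assumptions, and the sample dump is constructed.

```python
import struct

def find_decrement_runs(data, min_words=64):
    """Return (offset, word_count, first_value, byte_order) for each run of
    aligned 32-bit words in which every word is the previous one minus 1."""
    results = []
    n = len(data) // 4
    for order, fmt in (("little", "<"), ("big", ">")):
        words = struct.unpack(f"{fmt}{n}I", data[: n * 4])
        start = 0
        for i in range(1, n + 1):
            if i < n and words[i] == (words[i - 1] - 1) & 0xFFFFFFFF:
                continue  # run continues
            if i - start >= min_words:
                results.append((start * 4, i - start, words[start], order))
            start = i
    return results

def triage(data, min_words=64):
    """Summarise how much of a dump is covered by decrementing-word runs."""
    runs = find_decrement_runs(data, min_words)
    covered = sum(count * 4 for _, count, _, _ in runs)
    return {
        "runs": len(runs),
        "coverage": covered / len(data) if data else 0.0,
        # The article describes the fill as starting from 0xFFFFFFFF.
        "starts_at_max": any(first == 0xFFFFFFFF for _, _, first, _ in runs),
        "byte_orders": sorted({order for *_, order in runs}),
    }

def constructed_dump():
    """Constructed sample: 16 bytes of unrelated data, two passes of a
    256-word big-endian ramp from 0xFFFFFFFF, then 32 zero bytes."""
    ramp = b"".join(struct.pack(">I", 0xFFFFFFFF - i) for i in range(256))
    return bytes.fromhex("123456789abcdef0") * 2 + ramp * 2 + bytes(32)

if __name__ == "__main__":
    print(triage(constructed_dump()))
```

High coverage with every run starting at 0xFFFFFFFF is the signal worth escalating; short incidental runs in ordinary data fall below min_words.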

Attribution – Last week, CERT-UA confirmed Sentinel Labs’ findings and publicly attributed the activity to UAC-0165, considered a subgroup of the outdated Sandworm APT.  UAC-0165 commonly targets Ukrainian critical infrastructure, including telecommunications, energy, and government services.

In September 2023, Ukraine SSSCIP publicly released a report on its latest findings of Russian-linked threat activity.[2] Notably, its section on UAC-0165 points to the continued use of GRU-linked, fake hacktivist personas as a medium for publicly announcing major intrusions and the leak of stolen data from Ukrainian victims.

On 13 March, the SolntsepekZ persona publicly claimed the intrusion into Ukrainian telecommunication organizations three days before AcidPour was discovered.

In addition to its Telegram presence, SolntsepekZ uses multiple domains under this persona. On Telegram, visitors are linked to solntsepek[.]com, which is associated with the BlazingFast Hosting IP 185.61.137.155 in Kyiv. This IP has previously hosted solntsepek[.]info, is related to solntsepek[.]org, and is similar to solntsepek[.]ru.

A review of the current state of these alleged target organizations indicates the impact is still occurring. Below is an example notice currently on display from Triangulum, a group of companies providing telephone and Internet services under the Triacom brand and Misto TV. Industry colleagues with Kentik are also observing this activity and have shared observations of the impact starting on March 13th.

[Figure: Triacom (Translated)]
[Figure: Misto-TV (Translated)]

At this time, Sentinel cannot confirm that AcidPour was used to disrupt these ISPs.  The longevity of the disruption suggests a more complex attack than a simple DDoS or nuisance disruption.  AcidPour, uploaded 3 days after this disruption started, would fit the bill for the requisite toolkit.  If that’s the case, it could serve as another link between this hacktivist persona and specific GRU operations.

Conclusion - The discovery of AcidPour in the wild is a stark reminder that cyber support for this hot conflict continues to evolve two years after AcidRain. The threat actors involved are adept at orchestrating wide-ranging disruptions and have demonstrated their unwavering intent to do so through various means.

With its expanded capabilities, the transition from AcidRain to AcidPour underscores the strategic intent to inflict significant operational impact. This progression reveals a refinement in these threat actors' technical capabilities and their calculated approach to selecting targets that maximize follow-on effects, disrupting critical infrastructure and communications.

Sentinel Labs continues to monitor these activities and hopes the broader research community will continue to support this tracking with additional telemetry and analysis.

 

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

 

[1] https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/

[2] https://cip.gov.ua/en/news/yak-zminyuyutsya-taktiki-cili-i-spromozhnosti-khakerskikh-grup-uryadu-rf-ta-kontrolovanikh-nim-ugrupovan-zvit
