A new iteration of the AcidRain wiper malware, dubbed AcidPour, has been identified by SentinelOne's threat intelligence division, SentinelLabs. AcidRain, linked to Russian military intelligence, gained notoriety for its role in the attack on Viasat's KA-SAT satellite network on 24 February 2022, the opening day of the Russian invasion of Ukraine, which bricked tens of thousands of satellite modems and caused outages across Europe.
SentinelLabs researchers Juan Andrés Guerrero-Saade and Tom Hegel spotted a suspicious Linux binary uploaded from Ukraine on March 16, 2024, whose behavior resembled AcidRain's. Where AcidRain wiped conventional block and MTD flash devices, AcidPour extends that logic to Linux Unsorted Block Image (UBI) and Device Mapper (DM) targets: UBI provides volume management on top of raw NAND/NOR flash via MTD, and DM maps logical block devices (as used by LVM and dm-crypt) onto physical storage, so covering both broadens the range of embedded and networking equipment whose storage the wiper can destroy.
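The device families named above suggest a quick triage check a practitioner can run on an unknown Linux ELF: extract its printable strings and classify any `/dev` node references by the storage layer they touch. The script below is an added example written for this article; it is not AcidPour or AcidRain code and not SentinelLabs tooling. The device-path patterns and the scoring rule are assumptions about what a storage wiper would need to open, and the sample "binary" is constructed inline so the example runs offline.

```python
"""Triage heuristic: classify /dev node references found in a Linux binary.

Added example for this article; not AcidPour code and not a vendor tool.
The DEVICE_FAMILIES patterns and the verdict rule are assumptions about what a
storage wiper must open. SAMPLE is a constructed byte string, not a real sample.
"""
import re
from collections import defaultdict

# Device-node families a Linux storage wiper would have to open. Which of these
# a sample references is what the triage reports, not whether it is malicious.
DEVICE_FAMILIES = {
    "raw_flash_mtd": re.compile(rb"/dev/mtd(?:block)?\d*"),   # MTD char/block nodes
    "ubi_volumes":   re.compile(rb"/dev/ubi\d*(?:_\d+)?"),     # UBI device/volume nodes
    "device_mapper": re.compile(rb"/dev/dm-\d*|/dev/mapper/"), # DM nodes and symlinks
    "block_disks":   re.compile(rb"/dev/(?:sd[a-z]|mmcblk\d|loop\d)\w*"),
}


def extract_strings(data: bytes, min_len: int = 4):
    """Return printable ASCII runs of at least min_len bytes (like `strings`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0) for m in pattern.finditer(data)]


def classify_device_refs(data: bytes):
    """Map each device family to the sorted set of matching paths in data."""
    hits = defaultdict(set)
    for s in extract_strings(data):
        for family, pat in DEVICE_FAMILIES.items():
            for m in pat.finditer(s):
                hits[family].add(m.group(0).decode("ascii"))
    return {family: sorted(paths) for family, paths in hits.items()}


def triage_verdict(hits):
    """Assumed scoring: plain disks plus UBI or DM nodes is a broad-storage pattern."""
    families = set(hits)
    if "block_disks" in families and families & {"ubi_volumes", "device_mapper"}:
        return "broad-storage-wiper-candidate"
    if families:
        return "storage-device-access"
    return "no-device-refs"


def triage_file(path: str):
    """Run the heuristic over an on-disk binary."""
    with open(path, "rb") as fh:
        hits = classify_device_refs(fh.read())
    return hits, triage_verdict(hits)


# Constructed stand-in for an ELF: a header magic, padding, and NUL-terminated
# strings of the kind a wiper would embed or build at runtime.
SAMPLE = (
    b"\x7fELF" + b"\x00" * 12
    + b"/dev/sda\x00/dev/mtdblock0\x00/dev/ubi0_0\x00"
    + b"/dev/dm-0\x00/dev/mapper/\x00/proc/self/exe\x00"
)

if __name__ == "__main__":
    found = classify_device_refs(SAMPLE)
    for family, paths in found.items():
        print(f"{family:15s} {', '.join(paths)}")
    print("verdict:", triage_verdict(found))
```

Strings-based triage is only a first filter: a wiper that enumerates `/dev` at runtime and builds paths with `snprintf` or opens devices by major/minor number will not show full paths, so a sample with no hits still needs dynamic analysis.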
Although AcidPour shares functionality with AcidRain, the two codebases differ substantially, which leaves open whether the same developers wrote both. Ukraine's SSSCIP (State Service of Special Communications and Information Protection) attributed AcidPour to UAC-0165, a subgroup of the Sandworm APT group linked to Russia's GRU. The ongoing disruption of Ukrainian telecommunication networks, offline since March 13, has been associated with this campaign, and responsibility was publicly claimed by a GRU-associated hacktivist persona on Telegram.
Although it is unclear whether AcidPour was used in the recent attacks, its discovery highlights how threat actors are continuously refining their methods to orchestrate destructive assaults and cause significant operational disruptions.
NSA Director of Cybersecurity Rob Joyce highlighted AcidPour as a significant threat, given its expanded capabilities and broader range of targets. SentinelLabs' analysis indicates a strategic shift towards causing greater operational impact, demonstrating both technical sophistication and a deliberate targeting strategy aimed at disrupting critical infrastructure and communications.