Effective URL: https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/?mkt_tok=MzI3LU1OTS0wODc...
Adversary


ACIDPOUR | NEW EMBEDDED WIPER VARIANT OF ACIDRAIN APPEARS IN UKRAINE

Juan Andrés Guerrero-Saade & Tom Hegel / March 21, 2024


EXECUTIVE SUMMARY

 * SentinelLabs has discovered a novel malware variant of AcidRain, a wiper that
   rendered Eutelsat KA-SAT modems inoperative in Ukraine and caused additional
   disruptions throughout Europe at the onset of the Russian invasion.
 * The new malware, which we call AcidPour, expands upon AcidRain’s capabilities
   and destructive potential to now include Linux Unsorted Block Image (UBI) and
   Device Mapper (DM) logic, better targeting RAID arrays and large storage
   devices.
 * Our analysis confirms the connection between AcidRain and AcidPour,
   effectively connecting it to threat clusters previously publicly attributed
   to Russian military intelligence. CERT-UA has also attributed this activity
   to a Sandworm subcluster.
 * Specific targets of AcidPour have yet to be conclusively verified; however,
   the discovery coincides with the enduring disruption of multiple Ukrainian
   telecommunication networks, reportedly offline since March 13th.
 * The ISP attacks are being publicly claimed by a GRU-operated hacktivist
   persona via Telegram.

On March 16th, 2024, we identified a suspicious Linux binary uploaded from
Ukraine. Initial analysis showed surface similarities with the infamous AcidRain
wiper used to disable KA-SAT modems across Europe at the start of the Russian
invasion of Ukraine (commonly identified by the ‘Viasat hack’ misnomer). Since
that original 2022 finding, no similar samples or variants had been detected or
publicly reported until now. This new sample is a confirmed variant we refer to
as ‘AcidPour’, a wiper with similar and expanded capabilities.





Our technical analysis suggests that AcidPour’s expanded capabilities would
enable it to better disable embedded devices including networking, IoT, large
storage (RAIDs), and possibly ICS devices running Linux x86 distributions.

Following our initial reporting on Twitter, CyberScoop reported a claim from the
Ukrainian SSSCIP attributing our findings to UAC-0165, clustered as a subgroup
under the outdated ‘Sandworm’ threat actor construct. We reported our initial
findings to partners on Saturday, followed by the public analysis thread on
Twitter. Our analysis is ongoing.


ACIDRAIN CONTEXT

On February 24th, 2022, a cyber attack rendered Eutelsat KA-SAT modems
inoperable in Ukraine. Spillover from this attack rendered 5,800 Enercon wind
turbines in Germany unable to communicate for remote monitoring or control and
reportedly affected vital services across Europe.

On March 30th, 2022, we identified a wiper component which we dubbed ‘AcidRain’
as a part of the attack chain that caused this disruption by rendering Surfbeam2
modems inoperable in an attempt to disable vital Ukrainian military
communications at the start of the Russian invasion.

During our original analysis of AcidRain, we assessed with medium confidence
that there are developmental similarities between AcidRain and a VPNFilter stage
3 destructive plugin named ‘dstr’. In 2018, the FBI and Department of Justice
attributed the VPNFilter campaign to the Russian government.

On May 10th, 2022, the European Union and its Member States issued an official
condemnation of this activity, holding the Russian government responsible.
Despite an abundance of wipers and cyber operations against Ukrainian targets in
the subsequent months and years, we had not seen any further uses of AcidRain or
similar components.


ENTER ACIDPOUR

On March 16th, 2024, we observed a new Linux wiper we are naming ‘AcidPour’. We
alerted relevant partners immediately to stem the potential for any additional
significant regional impact, followed by public dissemination of technical
indicators and early analysis to alert the research community and encourage
vigilance and contributions.

Our initial finding centered on surface similarities with AcidRain, so we placed
a large emphasis on ascertaining whether a more conclusive relationship could be
established between the two components at a technical level, as well as an
understanding of its capabilities.


TECHNICAL ANALYSIS

Where AcidRain is a Linux wiper compiled for MIPS architecture for compatibility
with the devices targeted, AcidPour is compiled for x86 architecture. Despite
both targeting Linux systems, the architecture mismatch somewhat limits our
ability to compare the compiled codebases.

Notably, AcidRain was a ham-fisted wiper rather than a specifically tailored
solution. It operates by iterating over all possible devices in hardcoded paths,
wiping each, before wiping essential directories. Its lack of specificity
suggests a lack of familiarity with (or time to adapt to) the specifics of the
Surfbeam2 targets. However, that also means that AcidRain can serve as a more
generic tool able to disable a wider swath of devices reliant on embedded Linux
distributions.

MD5: 1bde1e4ecc8a85cffef1cd4e5379aa44
SHA1: b5de486086eb2579097c141199d13b0838e7b631
SHA256: 6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728
Size: 17,388 bytes
Type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Filename: ‘tmphluyl8zn’
First Submitted: 2024-03-16 14:42:53 UTC, Ukraine

The AcidPour variant is an ELF binary compiled for x86 (not MIPS), and while it
refers to similar devices, the codebase has been modified and expanded to
include additional capabilities. Our best automated attempts to compare across
different architectures yield only a low-confidence similarity score (< 30%).

BinDiff output comparing AcidRain (MIPS) and AcidPour (x86)

We took that as a base measurement and proceeded to conduct a deep-dive analysis
of the new binary with a focus on testing the hypothesis that the two are
related variants, as well as detailing any net new capabilities.

Notable similarities include the use of the same reboot mechanism, the exact
logic of the recursive directory wiping, and most importantly the use of the
same IOCTL-based wiping mechanism used by both AcidRain and the VPNFilter plugin
‘dstr’.


SHARED REBOOT MECHANISM




RECURSIVE DIRECTORY PROCESSING




WIPING MECHANISMS

At the time of discovery, we noted the similarities between AcidRain’s
IOCTL-based device-wiping mechanism and the VPNFilter plugin ‘dstr’, pictured
below:



AcidPour relies on the same device wiping mechanism:

AcidPour’s IOCTL-based wiping mechanism


ACIDPOUR’S NET NEW FUNCTIONALITY

AcidPour expands upon AcidRain’s targeted Linux devices to include Unsorted
Block Image (UBI) and Device Mapper (DM) logic.

AcidRain’s supported devices:

 * /dev/sd*: A generic block device
 * /dev/mtdblock*: Flash memory (common in routers and IoT devices)
 * /dev/block/mtdblock*: Another potential way of accessing flash memory
 * /dev/mtd*: The device file for flash memory that supports fileops
 * /dev/mmcblk*: For SD/MMC cards
 * /dev/block/mmcblk*: Another potential way of accessing SD/MMC cards
 * /dev/loop*: Virtual block devices

AcidRain targeted flash chips via MTD for raw access to flash memory in the form
of /dev/mtdXX device paths. This capability is expanded in AcidPour to include
/dev/ubiXX paths. UBI is an interface built on top of MTD to act as a
wear-leveling and volume management system for flash memory. These devices are
common in embedded systems dependent on flash memory like handhelds, IoT,
networking, or in some cases ICS devices.

Block string array of device paths

AcidPour also adds logic for handling /dev/dm-XX paths to access mapped devices.
The device mapper framework underpins logical volume management (LVM): it
abstracts physical storage into logical volumes for easier resizing,
manipulation, and maintenance.

These devices act as virtual layers of block devices, enabling features like
logical volumes, software RAID, and disk encryption. This would put devices like
Storage Area Networks (SANs), Network Attached Storage (NASes), and dedicated
RAID arrays in scope for AcidPour’s effects.
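The static characteristics discussed above (an x86 rather than MIPS ELF, statically linked and stripped, and a device-path set widened to /dev/ubi* and /dev/dm-*) can be checked on a sample without running it. The script below is an added example written for this page, not SentinelLabs tooling: the hashes are the ones from the sample table above, the header layout follows the ELF32 specification, and `build_sample` constructs a harmless stand-in binary for testing (its format strings such as `/dev/sd%c` are assumed for illustration, not taken from the real sample).

```python
import hashlib
import re
import struct

# Hashes of the AcidPour sample as listed on this page; a miss means "not this file", not "clean".
KNOWN_ACIDPOUR_HASHES = {
    "md5": "1bde1e4ecc8a85cffef1cd4e5379aa44",
    "sha1": "b5de486086eb2579097c141199d13b0838e7b631",
    "sha256": "6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728",
}

EM_386, EM_MIPS = 3, 8          # e_machine values from the ELF specification
PT_DYNAMIC, PT_INTERP = 2, 3    # program header types present only in dynamically linked binaries
SHT_SYMTAB = 2                  # section type a stripped binary no longer carries

# AcidRain's device prefixes plus the /dev/ubi* and /dev/dm-* additions described for AcidPour.
# The trailing class also catches printf-style format strings ("/dev/sd%c") used to build paths.
DEVICE_PATH_RE = re.compile(rb"/dev/(?:block/)?(?:sd|mtdblock|mtd|mmcblk|loop|ubi|dm-)[A-Za-z0-9%*]*")
NEW_IN_ACIDPOUR = ("/dev/ubi", "/dev/dm-")


def parse_elf32(data):
    """Parse an ELF32 header in either byte order. Returns None if `data` is not ELF32."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] != 1:   # EI_CLASS must be ELFCLASS32
        return None
    end = "<" if data[5] == 1 else ">"                               # EI_DATA: 1 = LSB, 2 = MSB
    (_type, e_machine, _ver, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
    ptypes = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        ptypes.append(struct.unpack_from(end + "I", data, off)[0])
    has_symtab = False
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        if off + 8 > len(data):
            break
        if struct.unpack_from(end + "I", data, off + 4)[0] == SHT_SYMTAB:   # sh_type follows sh_name
            has_symtab = True
    return {"machine": e_machine, "big_endian": end == ">", "ptypes": ptypes, "has_symtab": has_symtab}


def triage(data):
    """Static triage: architecture, linking, symbols, embedded device paths and IOC hash match."""
    hdr = parse_elf32(data)
    if hdr is None:
        return {"elf32": False}
    digests = {name: getattr(hashlib, name)(data).hexdigest() for name in KNOWN_ACIDPOUR_HASHES}
    paths = sorted({m.decode("ascii") for m in DEVICE_PATH_RE.findall(data)})
    return {
        "elf32": True,
        "arch": {EM_386: "x86", EM_MIPS: "mips"}.get(hdr["machine"], hex(hdr["machine"])),
        "big_endian": hdr["big_endian"],
        "static": not any(t in (PT_DYNAMIC, PT_INTERP) for t in hdr["ptypes"]),
        "stripped": not hdr["has_symtab"],
        "device_paths": paths,
        "new_in_acidpour": [p for p in paths if p.startswith(NEW_IN_ACIDPOUR)],
        "known_acidpour": any(digests[k] == v for k, v in KNOWN_ACIDPOUR_HASHES.items()),
    }


def build_sample(machine=EM_386, big_endian=False):
    """Constructed stand-in for testing: a minimal static, sectionless ELF32 carrying device-path
    strings. It is not the real sample and contains no code; it only exercises the checks above."""
    end = ">" if big_endian else "<"
    strings = b"\x00".join([b"/dev/sd%c", b"/dev/mtdblock%d", b"/dev/ubi%d", b"/dev/dm-%d", b"/dev/loop%d"]) + b"\x00"
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 2, machine, 1, 0x8048000, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack(end + "IIIIIIII", 1, 0, 0x8048000, 0x8048000, 0, 0, 5, 0x1000)   # one PT_LOAD only
    return ehdr + phdr + strings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

Run it on a suspect file with `triage(open(path, "rb").read())`. The hash comparison only identifies this exact sample; the structural checks and the device-path set are what carry over to a recompiled variant, which is the kind of comparison the cross-architecture BinDiff above could not make with confidence.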


ALL LOCAL, NO IMPORTS

One of the most interesting aspects of AcidPour is its coding style, reminiscent
of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside
notable malware like Industroyer 2.

AcidPour is written in C without relying on statically compiled libraries or
imports. Most functionality is implemented via direct syscalls, many of them
issued through inline assembly and raw opcodes.

Example of a direct syscall implementation

This forces some unusual, seemingly archaic approaches to simple operations,
such as storing and modifying format strings for device paths as needed in the
course of operation.




SELF-DELETE

Perhaps as a response to the discovery of AcidRain, this new version now kicks
off with a self-delete function. It maps the original file into memory, then
overwrites it with a sequence of bytes ranging from 0 to 255 followed by a
polite ‘Ok’.

AcidPour overwrites itself on disk at the beginning of its execution


ALTERNATE DEVICE WIPING MECHANISM

At the time of our discovery of AcidRain, there was some confusion about the
involvement of a wiper in taking down the Surfbeam2 modems. As we reverse
engineered the malware, we found a second wiping mechanism that didn’t rely on
IOCTLs. This alternate mechanism filled a buffer with the maximum 32-bit value
(0xFFFFFFFF) and then repeatedly decremented that value by 1, overwriting its
target with the result each time. That allowed us to connect AcidRain’s expected
output with dumps of the affected devices.
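The on-disk signature that this alternate mechanism leaves can be verified programmatically against a device dump, which is the kind of comparison described above. The following is an added example for this page, not SentinelLabs code. It assumes each write is one buffer filled with a single repeated 32-bit value, little-endian by default (pass `byte_order=">"` for a big-endian target), and it infers the write size from the dump rather than assuming it, because the page does not state AcidRain's buffer size.

```python
import struct

START_VALUE = 0xFFFFFFFF   # starting value of the alternate wipe, per the analysis above


def expected_wipe_stream(chunk_bytes, chunks, start=START_VALUE, byte_order="<"):
    """Constructed reference: what a decrementing-buffer wipe would leave on a device.
    Each chunk is `chunk_bytes` of one repeated 32-bit value; the value drops by one per chunk."""
    out = bytearray()
    value = start
    for _ in range(chunks):
        out += struct.pack(byte_order + "I", value) * (chunk_bytes // 4)
        value = (value - 1) & 0xFFFFFFFF
    return bytes(out)


def analyze_dump(data, start=START_VALUE, byte_order="<"):
    """Decide whether `data` (a raw device dump) matches the decrementing-dword pattern.

    The write granularity is inferred from the run length of the first value; every later
    chunk must then hold exactly the next lower value. A trailing partial chunk is allowed
    (device size need not be a multiple of the buffer). Returns `matches`, the inferred
    `chunk_bytes`, the number of `chunks` seen, and on failure the first deviating offset.
    """
    if len(data) < 8 or len(data) % 4:
        return {"matches": False, "reason": "too short or not dword aligned"}
    dwords = struct.unpack(byte_order + ("%dI" % (len(data) // 4)), data)
    if dwords[0] != start:
        return {"matches": False, "reason": "first dword is 0x%08X, not 0x%08X" % (dwords[0], start),
                "first_bad_offset": 0}
    run = 1
    while run < len(dwords) and dwords[run] == start:
        run += 1
    chunk_dwords = run
    expected = start
    for chunk_no, base in enumerate(range(0, len(dwords), chunk_dwords)):
        for j, d in enumerate(dwords[base:base + chunk_dwords]):
            if d != expected:
                return {"matches": False, "chunk_bytes": chunk_dwords * 4, "chunks": chunk_no,
                        "first_bad_offset": (base + j) * 4}
        expected = (expected - 1) & 0xFFFFFFFF
    total_chunks = -(-len(dwords) // chunk_dwords)   # ceiling division, counts a partial last chunk
    return {"matches": True, "chunk_bytes": chunk_dwords * 4, "chunks": total_chunks}


if __name__ == "__main__":
    # Constructed 16 KB dump written in 4 KB chunks, then the same dump with one byte altered.
    dump = expected_wipe_stream(chunk_bytes=4096, chunks=4)
    print(analyze_dump(dump))
    damaged = bytearray(dump)
    damaged[5000] ^= 0x01
    print(analyze_dump(bytes(damaged)))
```

On a real image, read the device (or its dd copy) in one pass and feed it to `analyze_dump`; a match with a plausible chunk size is strong evidence for this mechanism, while the reported first bad offset on a near-match points at regions the wiper did not reach or that were written after it ran.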





With this crucial detail in mind, we were curious as to whether AcidPour
implements an analogous alternate wiping mechanism.



Depending on the device type, a different wiping mechanism is engaged,
overwriting the device repeatedly with the contents of a 256 KB buffer. The
specifics of this alternate mechanism require further analysis.


ATTRIBUTION

Earlier this week, CERT-UA confirmed our findings and publicly attributed the
activity to UAC-0165, considered a subgroup of the outdated Sandworm APT.
UAC-0165 targets are commonly observed in Ukrainian critical infrastructure,
including telecommunications, energy, and government services.

In September 2023, Ukraine SSSCIP publicly released a report on their latest
findings of Russian linked threat activity. Notably, their section on UAC-0165
points to the continued use of GRU-linked, fake hacktivist personas as a medium
for publicly announcing major intrusions and the leak of stolen data from
Ukrainian victims.

On March 13th, the SolntsepekZ persona publicly claimed the intrusion into
Ukrainian telecommunication organizations, three days prior to our discovery of
AcidPour.



In addition to their Telegram presence, SolntsepekZ makes use of multiple
domains under this persona. On Telegram, visitors are currently linked to
solntsepek[.]com, which is associated with the hosting IP 185.61.137.155 of
BlazingFast Hosting in Kiev. This hosting IP has previously hosted
solntsepek[.]info and is also related to solntsepek[.]org and the similarly
named solntsepek[.]ru.

Review of the current state of these alleged target organizations indicates the
impact is still ongoing. Below is an example notice currently on display from
Triangulum, a group of companies providing telephone and Internet services under
the Triacom brand, and Misto TV. Industry colleagues with Kentik are also
observing this activity and have shared observations of the impact starting on
March 13th as well.



Triacom (Translated)
Misto-TV (Translated)



At this time, we cannot confirm that AcidPour was used to disrupt these ISPs.
The longevity of the disruption suggests a more complex attack than a simple
DDoS or nuisance disruption. AcidPour, uploaded 3 days after this disruption
started, would fit the bill for the requisite toolkit. If that’s the case, it
could serve as another link between this hacktivist persona and specific GRU
operations.


CONCLUSION

The discovery of AcidPour in-the-wild serves as a stark reminder that cyber
support for this hot conflict continues to evolve two years after AcidRain. The
threat actors involved are adept at orchestrating wide-ranging disruptions and
have demonstrated their unwavering intent to do so by a variety of means.

The transition from AcidRain to AcidPour, with its expanded capabilities,
underscores the strategic intent to inflict significant operational impact. This
progression reveals not only a refinement in the technical capabilities of these
threat actors but also their calculated approach to select targets that maximize
follow-on effects, disrupting critical infrastructure and communications.

We continue to monitor these activities and hope the broader research community
will continue to support this tracking with additional telemetry and analysis.


JUAN ANDRÉS GUERRERO-SAADE

Juan Andrés is AVP of Research for SentinelLabs and Distinguished Resident
Fellow for Threat Intelligence at the Johns Hopkins SAIS Alperovitch Institute.
Before joining SentinelOne, JAGS led multiple threat intelligence teams at
Google, Chronicle, was a Principal Security Researcher at GReAT focusing on
targeted attacks, and worked as Senior Cybersecurity and National Security
Advisor to the Government of Ecuador. In 2023, JAGS was presented with a
Presidential Volunteer Service Award for furthering U.S. cyber preparedness. His
research work is the subject of two permanent exhibits at the International Spy
Museum in Washington, DC.


TOM HEGEL

Tom Hegel is a Principal Threat Researcher with SentinelOne. He comes from a
background of detection and analysis of malicious actors, malware, and global
events with an application to the cyber domain. His past research has focused on
threats impacting individuals and organizations across the world, primarily
targeted attackers.
