Home Technology Never-before-seen data wiper may have been used by Russia against Ukraine

Never-before-seen data wiper may have been used by Russia against Ukraine

0
Never-before-seen data wiper may have been used by Russia against Ukraine
Never-before-seen data wiper may have been used by Russia against Ukraine

Getty Pictures

Researchers have unearthed never-before-seen wiper malware tied to the Kremlin and an operation two years in the past that took out greater than 10,000 satellite tv for pc modems positioned primarily in Ukraine on the eve of Russia’s invasion of its neighboring nation.

AcidPour, as researchers from safety agency Sentinel One have named the brand new malware, has stark similarities to AcidRain, a wiper found in March 2022 that Viasat has confirmed was used within the assault on its modems earlier that month. Wipers are malicious purposes designed to destroy saved data or render units inoperable. Viasat stated AcidRain was put in on greater than 10,000 Eutelsat KA-SAT modems used by the broadband supplier seven days previous to the March 2022 discovery of the wiper. AcidRain was put in on the units after attackers gained entry to the corporate’s personal community.

Sentinel One, which additionally found AcidRain, stated on the time that the sooner wiper had sufficient technical overlaps with malware the US authorities attributed to the Russian authorities in 2018 to make it doubtless that AcidRain and the 2018 malware, generally known as VPNFilter, have been carefully linked to the identical staff of builders. In flip, Sentinel One’s report Thursday noting the similarities between AcidRain and AcidPour offers proof that AcidPour was additionally created by builders engaged on behalf of the Kremlin.

Technical similarities embrace:

  • Use of the identical reboot mechanism
  • The precise logic of recursive listing wiping
  • The identical IOCTL-based wiping mechanism.

AcidPour additionally shares programming similarities with one other piece of malware attributed to Sandworm: CaddyWiper, which was used against numerous targets in Ukraine.

“AcidPour is programmed in C with out counting on statically compiled libraries or imports,” Thursday’s report famous. “Most performance is carried out by way of direct syscalls, many referred to as by means of using inline meeting and opcodes.” Builders of CaddyWiper used the identical strategy.

Bolstering the speculation that AcidPour was created by the identical Russian menace group behind earlier assaults on Ukraine, a consultant with Ukraine’s State Service of Particular Communications and Data Safety instructed Cyberscoop that AcidPour was linked to UAC-0165, a splinter group related to Sandworm (a a lot bigger menace group run by Russia’s navy intelligence unit, GRU). Representatives with the State Service of Particular Communications and Data Safety of Ukraine didn’t instantly reply an e mail in search of remark for this put up.

Sandworm has a protracted historical past of focusing on Ukrainian crucial infrastructure. Ukrainian officers stated final September that UAC-0165 often props up faux hacktivist personas to take credit score for assaults the group carries out.

Sentinel One researchers Juan Andrés Guerrero-Saade and Tom Hegel went on to invest that AcidPour was used to disrupt a number of Ukrainian telecommunications networks, which have been down since March 13, three days earlier than the researchers found the brand new wiper. They level to statements a persona generally known as SolntsepekZ made on Telegram that took accountability for hacks that took out Triangulum, a consortium offering phone and Web companies below the Triacom model, and Misto TV.

A message a persona known as SolntsepekZ posted to Telegram.

A message a persona generally known as SolntsepekZ posted to Telegram.

Sentinel One

The weeklong outage has been confirmed anecdotally and by Community intelligence agency Kentik and content material supply community Cloudflare, with the latter indicating the websites remained inoperable on the time this put up went reside on Ars. As of Thursday afternoon California time, Misto-TV’s web site displayed the next community outage discover:

Outage notice displayed on Misto-TV's website.
Enlarge / Outage discover displayed on Misto-TV’s web site.

“At the moment, we can not verify that AcidPour was used to disrupt these ISPs,” Guerrero-Saade and Hegel wrote in Thursday’s put up. “The longevity of the disruption suggests a extra complicated assault than a easy DDoS or nuisance disruption. AcidPour, uploaded three days after this disruption began, would match the invoice for the requisite toolkit. If that’s the case, it might function one other hyperlink between this hacktivist persona and particular GRU operations.”

The researchers added:

“The transition from AcidRain to AcidPour, with its expanded capabilities, underscores the strategic intent to inflict important operational influence. This development reveals not solely a refinement within the technical capabilities of those menace actors but in addition their calculated strategy to pick targets that maximize follow-on results, disrupting crucial infrastructure and communications.”

LEAVE A REPLY

Please enter your comment!
Please enter your name here