AcidRain is an ELF binary targeting modems and routers using MIPS architecture.[1] AcidRain is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with Sandworm Team.[1] US and European government sources linked AcidRain to Russian government entities, while Ukrainian government sources linked AcidRain specifically to Sandworm Team.[2][3]
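As an added triage helper (not code from the page or from the AcidRain analyses it cites), the Python below shows the first two checks an analyst makes on a suspicious router binary of this kind: read the ELF identification bytes to confirm the target architecture and endianness, and pull out any `/dev/` device-node strings that hint at storage-wiping intent. The sample bytes are a constructed minimal MIPS ELF header with a few device strings appended, not an AcidRain sample; the machine-code table is a subset of the ELF specification.

```python
import re
import struct

# Subset of ELF e_machine values; EM_MIPS is 8 in the ELF specification.
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_ident(data: bytes) -> dict:
    """Return word size, endianness, e_type and target machine from an ELF header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed e_ident")
    # e_type and e_machine follow the 16-byte e_ident and use the file's own byte order.
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,
        "machine": ELF_MACHINES.get(e_machine, f"unknown({e_machine})"),
    }


# Any NUL-free run that looks like a device node path.
DEVICE_PATH_RE = re.compile(rb"/dev/[A-Za-z0-9_./-]+")


def find_device_paths(data: bytes) -> list:
    """Unique /dev/ paths embedded in the binary, sorted for stable output."""
    return sorted({m.group().decode() for m in DEVICE_PATH_RE.finditer(data)})


def triage(data: bytes) -> dict:
    info = parse_elf_ident(data)
    info["device_paths"] = find_device_paths(data)
    # Heuristic only: a MIPS ELF that names storage device nodes deserves a closer look.
    info["mips_with_device_refs"] = info["machine"] == "MIPS" and bool(info["device_paths"])
    return info


# Constructed sample: a minimal 52-byte ELF32 big-endian header (ET_EXEC, EM_MIPS)
# followed by a few device-node strings. This is NOT an AcidRain sample.
SAMPLE_ELF = (
    b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8      # e_ident: 32-bit, big-endian, v1
    + struct.pack(">HH", 2, 8) + b"\x00" * 32           # e_type=ET_EXEC, e_machine=EM_MIPS
    + b"\x00/dev/mtd0\x00/dev/sda\x00/dev/mmcblk0\x00/dev/sda\x00"
)

if __name__ == "__main__":
    print(triage(SAMPLE_ELF))
```

Run it against a real file with `triage(open(path, "rb").read())`; the string scan is deliberately naive (no unpacking, no decoding of obfuscated strings), so an empty `device_paths` list is not evidence of absence.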
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1485 | Data Destruction | AcidRain performs a thorough wipe of the target filesystem and of attached storage devices, either by overwriting their contents or by issuing ioctl calls that erase them.[1]
Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | AcidRain iterates over device file identifiers on the target, opens each device file, and either overwrites it or issues ioctl commands to erase it.[1]
Enterprise | T1083 | File and Directory Discovery | AcidRain enumerates the Linux files and directories that correspond to storage devices in order to locate its wipe targets.[1]
Enterprise | T1529 | System Shutdown/Reboot | AcidRain reboots the target system once its wiping routines have completed.[1]
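The four behaviours in the table above form a recognisable sequence on a host: storage device nodes are opened, the resulting file descriptors receive bulk writes or ioctl calls, and a reboot follows. As an added example (not code from the page or from the cited analyses), the Python below applies that logic to strace-style syscall lines, tracking which file descriptors point at storage devices per process and flagging processes that write to or ioctl those descriptors and then reboot. The trace, the set of device-name prefixes treated as storage, and the `min_ops` threshold are all constructed assumptions for illustration, not AcidRain's actual calls.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed strace-style lines ("pid syscall(args) = ret"). Not a real AcidRain trace;
# a benign process (1301) is included to show it is not flagged.
SAMPLE_TRACE = r"""
1301 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
1301 read(3, "root:x:0:0"..., 4096) = 812
1301 close(3) = 0
1337 openat(AT_FDCWD, "/dev/sda", O_RDWR) = 3
1337 write(3, "\0\0\0\0"..., 262144) = 262144
1337 write(3, "\0\0\0\0"..., 262144) = 262144
1337 close(3) = 0
1337 openat(AT_FDCWD, "/dev/mtd0", O_RDWR) = 3
1337 ioctl(3, MEMGETINFO, 0x7fff1234) = 0
1337 ioctl(3, MEMUNLOCK, 0x7fff1240) = 0
1337 ioctl(3, MEMERASE, 0x7fff1240) = 0
1337 close(3) = 0
1337 reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_RESTART, 0) = ?
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)")
# Assumed set of block and raw-flash device nodes worth watching; extend for your platform.
STORAGE_DEV_RE = re.compile(r"^/dev/(sd[a-z]|hd[a-z]|vd[a-z]|nvme\d|mmcblk\d|mtd(block)?\d|block/)")


@dataclass
class ProcActivity:
    devices: set = field(default_factory=set)   # storage nodes this pid opened
    open_fds: dict = field(default_factory=dict)  # fd -> device path while open
    writes: int = 0                              # write()/pwrite64() on a device fd
    ioctls: int = 0                              # ioctl() on a device fd
    reboot_after_wipe: bool = False              # reboot() seen after device activity


def analyse_trace(trace: str, min_ops: int = 2) -> dict:
    """Return {pid: finding} for processes that touch storage devices then reboot."""
    procs = defaultdict(ProcActivity)
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, call, args, ret = m.group("pid", "call", "args", "ret")
        p = procs[pid]
        if call in ("open", "openat"):
            pm = re.search(r'"([^"]+)"', args)
            if pm and STORAGE_DEV_RE.match(pm.group(1)) and ret.isdigit():
                p.open_fds[int(ret)] = pm.group(1)   # remember which fd maps to the device
                p.devices.add(pm.group(1))
        elif call in ("write", "pwrite64", "ioctl", "close"):
            fd_str = args.split(",")[0].strip()
            if not fd_str.isdigit() or int(fd_str) not in p.open_fds:
                continue                             # not a device fd; ignore
            if call == "close":
                p.open_fds.pop(int(fd_str))
            elif call == "ioctl":
                p.ioctls += 1
            else:
                p.writes += 1
        elif call == "reboot":
            # T1529 only matters here if it follows the destructive activity.
            p.reboot_after_wipe = (p.writes + p.ioctls) > 0
    findings = {}
    for pid, p in procs.items():
        ops = p.writes + p.ioctls
        if p.devices and ops >= min_ops:
            findings[pid] = {
                "devices": sorted(p.devices),
                "writes": p.writes,
                "ioctls": p.ioctls,
                "reboot_after_wipe": p.reboot_after_wipe,
                "severity": "high" if p.reboot_after_wipe else "medium",
            }
    return findings


if __name__ == "__main__":
    for pid, f in analyse_trace(SAMPLE_TRACE).items():
        print(pid, f)
```

The same state machine can be fed from auditd or eBPF open/write/ioctl/reboot events instead of strace text; the detail that makes it useful is resolving file descriptors back to the device path, since a raw `ioctl(3, ...)` line says nothing on its own.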
ID | Name | References
---|---|---
G0034 | Sandworm Team | Sandworm Team is linked to AcidRain deployment during the ViaSat KA-SAT incident in 2022.[3][1]