Ars Technica reports that several Ukrainian telecommunications networks have been disrupted for more than a week following attacks claimed by the threat actor SolntsepekZ, attacks suspected to involve the AcidPour wiper malware.
According to a report from SentinelOne, AcidPour shares significant code with AcidRain, the wiper Russia used against satellite internet provider Viasat as it invaded Ukraine: the same reboot mechanism, the same recursive directory-wiping logic, and the same IOCTL-based wiping routine, which together indicate that both payloads come from the same developer. The link between the ISP outages and AcidPour has not been established; the attribution rests on code similarity rather than on samples recovered from the affected networks. Even so, the researchers hypothesized a more complex intrusion, given how long the disruption has lasted.

"The transition from AcidRain to AcidPour, with its expanded capabilities, underscores the strategic intent to inflict significant operational impact. This progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical infrastructure and communications," the researchers added.