S1125 AcidRain
AcidRain is an ELF binary targeting modems and routers using the MIPS architecture.[3] AcidRain is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with Sandworm Team.[3] US and European government sources linked AcidRain to Russian government entities, while Ukrainian government sources linked AcidRain specifically to Sandworm Team.[2][1]
| Item | Value |
|---|---|
| ID | S1125 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 25 March 2024 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1485 | Data Destruction | AcidRain performs an in-depth wipe of the target filesystem and various attached storage devices, either by overwriting the data or by calling various IOCTLs to erase it.[3] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.001 | Disk Content Wipe | AcidRain iterates over device file identifiers on the target, opens each device file, and either overwrites the file or calls various IOCTL commands to erase it.[3] |
| enterprise | T1083 | File and Directory Discovery | AcidRain identifies specific files and directories in the Linux operating system associated with storage devices.[3] |
| enterprise | T1529 | System Shutdown/Reboot | AcidRain reboots the target system once the various wiping processes are complete.[3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | Sandworm Team is linked to AcidRain deployment during the ViaSat KA-SAT incident in 2022.[1][3] |
References
1. A.J. Vincens, CyberScoop. (2024, March 18). Researchers spot updated version of malware that hit Viasat. Retrieved March 25, 2024.
2. Antony J. Blinken, US Department of State. (2022, May 10). Attribution of Russia's Malicious Cyber Activity Against Ukraine. Retrieved March 25, 2024.
3. Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024.