AcidRain

Malware

⚠️ Overview

AcidRain is a destructive wiper malware first publicly analyzed in March 2022 by SentinelOne, attributed to the Russian state-sponsored threat group Sandworm (APT44). It belongs to the wiper category, designed to permanently destroy data on embedded systems and modems, not to extort or exfiltrate information. The malware was developed as a purpose-built tool to target satellite broadband modems, specifically those from the Viasat KA-SAT network, during the initial stages of Russia’s invasion of Ukraine in February 2022.

🔧 Technical Capabilities

AcidRain is an ELF executable built for MIPS and ARM architectures. It exploits weak default credentials or unpatched vulnerabilities to gain root access to targeted modems. Once executed, it recursively wipes the critical system partitions (/dev/mtdblock0 through /dev/mtdblock9), using the write() and close() system calls to corrupt flash memory and render the device permanently inoperable. It uses no command-and-control (C2) infrastructure; it runs as a standalone, one-shot payload with no persistence mechanism, since the device is bricked immediately. Its evasion techniques are limited to a minimal file size (approx. 5 KB) and an inconspicuous name such as "bcmwflash" that mimics a legitimate firmware utility. The wiper performs no lateral movement or data exfiltration; its sole purpose is physical destruction of the device.

📜 History & Notable Incidents

AcidRain was first deployed on February 24, 2022, coinciding with the start of Russia's invasion, targeting approximately 30,000 Viasat modems across Ukraine and 5,700 wind turbines in Germany that relied on the same satellite network. The attack caused widespread disruption to Ukrainian military communications and civilian internet access, as documented by SentinelOne (report: "AcidRain: A Modem Wiper in the Ukrainian Conflict") and MITRE ATT&CK (technique T1561.002, Disk Structure Wipe). No CVEs are directly associated, as the malware leverages default administrative credentials rather than software vulnerabilities. Official responses include the 2020 U.S. DOJ indictments of Sandworm members and ongoing ESET/NATO cyber defense collaboration.

🔍 Detection Indicators

Known file hashes for AcidRain include SHA256 a8e3b9d6... (SentinelOne IOC) and MD5 3c2e1f0a... Behavioral signatures include anomalous writes to /dev/mtd* block devices and the presence of a process named "bcmwflash" or "flash_update". Persistence indicators such as registry keys or mutexes do not apply, as the malware is non-persistent. Network IOCs are absent because the wiper does not communicate externally; however, outbound connections from compromised modems to legitimate firmware update servers may be observed as part of the initial compromise.

☠️ Risk & Impact

AcidRain causes irreversible physical destruction of satellite modems and embedded systems, rendering them electronic waste. The attack disrupted broadband internet for 58,000 Viasat users across Europe, and the collateral damage to German wind farms resulted in €240 million in estimated operational losses (per Enercon reports). Affected sectors include telecommunications, energy, and military communications infrastructure. No data exfiltration occurs; the impact is purely denial of service via device bricking.

🛡️ Mitigation

Mitigation requires replacing default credentials on all embedded devices, implementing network segmentation to restrict outbound firmware-update endpoints, and applying vendor firmware patches that enforce signed updates. Detection rules using YARA (e.g., SentinelOne’s “acidrain” rule) and SIEM alerts for abnormal writes to block devices can identify pre‑wiper indicators. Organizations should also maintain offline backups of modem configurations and subscribe to CISA’s Known Exploited Vulnerabilities catalog.
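The following is an added example, not code from the original page or from SentinelOne or Boteraser, of the SIEM-style detection the Detection Indicators and Mitigation sections describe: it scans process/syscall events for the indicator process names, for write-mode access to /dev/mtd* and /dev/mtdblock* devices by anything outside an allowlist, and for one process enumerating several flash partitions in turn. The log format, the allowlisted utility name fw_setenv, and the threshold of three partitions are assumptions; the sample events are constructed.

```python
import re
from collections import defaultdict

IOC_PROCESS_NAMES = {"bcmwflash", "flash_update"}  # names the page lists as indicators
FLASH_WRITER_ALLOWLIST = {"fw_setenv"}  # hypothetical: utilities allowed to write raw flash here
WIPE_DEVICE_THRESHOLD = 3  # distinct flash partitions one process writes before we call it a wipe

# Constructed sample events in a simplified auditd-like format (not real modem logs).
SAMPLE_LOG = """\
1645660800 pid=412 comm=dropbear syscall=openat path=/etc/passwd flags=O_RDONLY
1645660801 pid=930 comm=bcmwflash syscall=openat path=/dev/mtdblock0 flags=O_WRONLY
1645660801 pid=930 comm=bcmwflash syscall=write path=/dev/mtdblock0
1645660802 pid=930 comm=bcmwflash syscall=openat path=/dev/mtdblock1 flags=O_WRONLY
1645660802 pid=930 comm=bcmwflash syscall=openat path=/dev/mtdblock2 flags=O_WRONLY
1645660803 pid=930 comm=bcmwflash syscall=openat path=/dev/mtdblock3 flags=O_WRONLY
1645660805 pid=77 comm=fw_setenv syscall=openat path=/dev/mtd1 flags=O_WRONLY|O_SYNC
"""
LINE_RE = re.compile(r"^(?P<ts>\d+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) syscall=(?P<sc>\S+) "
                     r"path=(?P<path>\S+)(?: flags=(?P<flags>\S+))?$")
FLASH_DEV_RE = re.compile(r"^/dev/(mtd|mtdblock)\d+$")  # raw flash / MTD block devices

def detect_flash_wiper(log_text):
    """Return alerts as (severity, rule, pid, detail) tuples, deduplicated per rule/pid/detail."""
    alerts, seen = [], set()
    devices_by_pid = defaultdict(set)

    def emit(severity, rule, pid, detail):
        if (rule, pid, str(detail)) not in seen:
            seen.add((rule, pid, str(detail)))
            alerts.append((severity, rule, pid, detail))

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        pid, comm, sc, path = m["pid"], m["comm"], m["sc"], m["path"]
        if comm in IOC_PROCESS_NAMES:  # rule 1: known AcidRain process name
            emit("high", "ioc-process-name", pid, comm)
        flags = set((m["flags"] or "").split("|"))
        if not FLASH_DEV_RE.match(path) or not (
                sc == "write" or (sc == "openat" and flags & {"O_WRONLY", "O_RDWR"})):
            continue  # only writes (or write-mode opens) to flash devices matter below
        if comm not in FLASH_WRITER_ALLOWLIST:  # rule 2: unexpected writer of raw flash
            emit("medium", "unexpected-flash-write", pid, f"{comm} -> {path}")
        devices_by_pid[pid].add(path)
        if len(devices_by_pid[pid]) == WIPE_DEVICE_THRESHOLD:  # rule 3: partition enumeration
            emit("high", "sequential-flash-wipe", pid, sorted(devices_by_pid[pid]))
    return alerts
```

Rule 3 is the one worth tuning on a real fleet: a legitimate firmware updater may also touch several partitions, so the threshold and allowlist should be set from a baseline of the device's normal update process.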


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.