S1125: AcidRain
AcidRain is an ELF binary targeting modems and routers using MIPS architecture.[1] AcidRain is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with Sandworm Team.[1] US and European government sources linked AcidRain to Russian government entities, while Ukrainian government sources linked AcidRain specifically to Sandworm Team.[2][3]
Analyst context for executives and security teams
AcidRain matters because ATT&CK describes it as destructive ELF malware for MIPS-based modems and routers, with association to a major communications outage. For leaders, the key issue is not ordinary endpoint malware coverage; it is whether network and communications infrastructure can be monitored, recovered, and replaced fast enough if device storage is wiped or devices reboot into an unusable state.
Executive priority
Prioritize AcidRain as an availability and resilience risk for organizations that depend on Linux-based network devices, routers, modems, or satellite/telecommunications connectivity. Executives should ask whether critical network devices are inventoried, backed up, segmented, monitored, and recoverable, and whether incident response plans include destructive malware affecting infrastructure rather than just workstations and servers. The ATT&CK relationship to Sandworm Team and impact techniques makes this relevant to crisis readiness, third-party communications dependency planning, and evidence for resilience-focused audits.
Technical view
ATT&CK provides no official detection guidance for AcidRain, so defenders should validate coverage around the related behaviors: File and Directory Discovery, Data Destruction, System Shutdown/Reboot, and Disk Content Wipe on Linux and network devices. SOC and IR teams should confirm whether they can see suspicious ELF execution on network-device-adjacent Linux systems, unexpected file or block-device access, destructive writes, abnormal reboots, and loss of device availability. Because the object targets MIPS modem/router environments, standard EDR-only visibility may be insufficient.
Likely telemetry
- Network device inventory and firmware/platform records, especially Linux or MIPS-based routers and modems
- Network device system logs, reboot events, crash logs, and configuration change logs
- Linux process execution, file access, and block-device write telemetry where available
- Network availability monitoring, device health checks, and outage timelines
- Authentication and administrative access logs for network infrastructure
Detection direction
- Do not assume endpoint detections cover this behavior; validate telemetry specifically for network devices and embedded Linux environments.
- Tune for combinations of discovery activity followed by destructive file, disk, or reboot behavior, especially on infrastructure devices where such activity is rare.
- Correlate sudden device outages or mass reboots with administrative logins, configuration changes, and suspicious file/device access.
- Account for false positives from legitimate firmware upgrades, factory resets, maintenance windows, and administrator-initiated reloads.
- Use the Sandworm Team relationship as threat-intelligence context, but do not treat attribution as a detection condition.
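The following is an added illustration, not part of the ATT&CK object or Glexia's analysis: a small correlation rule over constructed device telemetry that implements the direction above (execution of an unknown binary, followed by storage-device opens, followed by a reboot, all within a short window, suppressed during declared maintenance). Device names, paths, timestamps and the event schema are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): (device, ISO timestamp, event type, detail).
# Event types mirror the page's behaviors: "exec" = binary launched, "devopen" = storage
# device file opened for write/ioctl, "reboot" = device restarted.
SAMPLE_EVENTS = [
    ("rtr-01", "2022-02-24T04:55:10", "exec",    "/tmp/unknown.elf"),   # placeholder name
    ("rtr-01", "2022-02-24T04:55:12", "devopen", "/dev/mtdblock0"),
    ("rtr-01", "2022-02-24T04:55:13", "devopen", "/dev/sda"),
    ("rtr-01", "2022-02-24T04:56:40", "reboot",  "unexpected"),
    ("rtr-02", "2022-02-24T02:10:00", "exec",    "/sbin/sysupgrade"),   # firmware upgrade
    ("rtr-02", "2022-02-24T02:10:05", "devopen", "/dev/mtdblock0"),
    ("rtr-02", "2022-02-24T02:12:00", "reboot",  "scheduled"),
    ("rtr-03", "2022-02-24T09:00:00", "reboot",  "unexpected"),         # reboot alone
]

# Constructed maintenance windows: (device, start, end). Writes and reboots inside are expected.
MAINTENANCE = [("rtr-02", "2022-02-24T02:00:00", "2022-02-24T03:00:00")]

WINDOW = timedelta(minutes=30)  # how close the exec -> devopen -> reboot chain must be


def _ts(s):
    return datetime.fromisoformat(s)


def in_maintenance(device, when, windows=MAINTENANCE):
    """True if `when` falls inside a declared maintenance window for `device`."""
    return any(d == device and _ts(a) <= when <= _ts(b) for d, a, b in windows)


def find_wipe_sequences(events=SAMPLE_EVENTS, windows=MAINTENANCE, window=WINDOW):
    """Return {device: {"binary": ..., "devices": [...]}} for every device where an exec
    is followed, within `window`, by storage-device opens and then a reboot, and the
    exec did not happen during maintenance. A reboot alone never alerts."""
    by_dev = {}
    for dev, ts, kind, detail in sorted(events, key=lambda e: e[1]):
        by_dev.setdefault(dev, []).append((_ts(ts), kind, detail))
    alerts = {}
    for dev, evs in by_dev.items():
        for i, (t0, kind, detail) in enumerate(evs):
            if kind != "exec" or in_maintenance(dev, t0, windows):
                continue
            chain = [e for e in evs[i + 1:] if e[0] - t0 <= window]
            opened = [e[2] for e in chain if e[1] == "devopen" and e[2].startswith("/dev/")]
            rebooted = any(e[1] == "reboot" for e in chain)
            if opened and rebooted:
                alerts[dev] = {"binary": detail, "devices": opened}
    return alerts
```

Feed real events in the same shape (from syslog, auditd or device health checks) and extend `MAINTENANCE` from your change-management system to keep firmware upgrades out of the alert stream.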
Mitigation priorities
- Maintain an accurate inventory of critical routers, modems, and Linux-based network devices, including architecture and firmware details.
- Harden and restrict administrative access to network infrastructure using least privilege, strong authentication, and segmentation.
- Keep recoverable offline or protected backups of configurations and firmware images for critical devices.
- Exercise incident response runbooks for destructive network-device events, including replacement, reconfiguration, and communications failover.
- Monitor critical connectivity dependencies and ensure business continuity plans address loss of telecommunications or satellite-linked services.
Analyst notes and limits
The supplied ATT&CK object identifies AcidRain as an ELF binary targeting MIPS modems and routers, associated with the ViaSat KA-SAT outage, and related to Sandworm Team. Relationship context links it to discovery and destructive impact techniques, which should drive detection engineering and resilience planning. Local device inventory and telemetry determine whether this is a practical coverage gap.
ATT&CK provides no official detection text, no aliases, and no explicit tactic list on the malware object. This take relies on the official description, external references, and stated relationships only. It does not establish current activity, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1529 | System Shutdown/Reboot | AcidRain reboots the target system once the various wiping processes are complete.[1] |
| Enterprise | T1485 | Data Destruction | AcidRain performs an in-depth wipe of the target filesystem and various attached storage devices, either by overwriting the data or by calling various IOCTLs to erase it.[1] |
| Enterprise | T1561.001 | Disk Content Wipe | AcidRain iterates over device file identifiers on the target, opens each device file, and either overwrites the file or calls various IOCTL commands to erase it.[1] |
| Enterprise | T1083 | File and Directory Discovery | AcidRain identifies specific files and directories in the Linux operating system associated with storage devices.[1] |
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5fa8c8b53558… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] AcidRain JAGS 2022: Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024.
[2] AcidRain State Department 2022: Antony J. Blinken, US Department of State. (2022, May 10). Attribution of Russia's Malicious Cyber Activity Against Ukraine. Retrieved March 25, 2024.
[3] Vincens AcidPour 2024: A.J. Vincens, CyberScoop. (2024, March 18). Researchers spot updated version of malware that hit Viasat. Retrieved March 25, 2024.
[4] mitre-attack S1125: MITRE ATT&CK software object S1125 (AcidRain).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.