Ukrainian Telcos Targeted by Suspected Sandworm Hackers
Attackers' MO: Data Exfiltration, Followed by Network and Hardware Disruption
Russian hackers are targeting Ukrainian government agencies and critical infrastructure with a barrage of "destructive" malware designed to wipe or destroy IT systems, Kyiv cyber defenders said.
Between May and September, at least 11 Ukrainian telecommunications firms detected hacks that, in some cases, disrupted service, Ukraine's Computer Emergency Response Team, CERT-UA, reported Monday.
Ukraine gave the codename UAC-0165 to the threat actor behind the attacks and said it has moderate confidence that the attacks are being perpetrated by the Sandworm hacking team, which has pummeled Ukraine with cyberattacks for more than half a decade. Western intelligence says that Sandworm - aka Seashell Blizzard, TeleBots and Voodoo Bear - is run by Russia's GRU military intelligence agency.
In January, Ukraine's top information protection agency warned that Russia continues to use data stealers and wiper malware for destruction and cyberespionage as it continues its war of aggression. The State Service of Special Communications and Information Protection of Ukraine reported that the sectors being most targeted are energy, security and defense, telecommunications, technology and development, finance, and logistics.
The SSSCIP recently said Moscow appeared to be stepping up its destructive attacks, especially against the energy sector, as temperatures start to cool (see: Ukraine Cyber Defenders Prepare for Winter).
Hackers' Calling Card: Masscan
The online campaigns against the Ukrainian telecommunications firms in recent months typically began with attackers executing a "rough" scan of the targeted network's subnets, using the Masscan network port scanner, CERT-UA reported. Attackers followed with brute-force attacks against unprotected SSH or Remote Desktop Protocol instances, exploitation of known vulnerabilities, and attacks on public-facing web applications using a variety of tools, including the Ffuf fuzzer, DirBuster penetration testing toolkit, Gowitness screenshot utility and Nmap network mapper.
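The two noisy opening stages CERT-UA describes, a broad port sweep followed by brute forcing of exposed SSH, leave a recognizable trace in perimeter and host logs. The Python script below is an added example written for this article, not CERT-UA's code and not anything taken from its report: it flags a single source touching many distinct endpoints within a short window (the signature of a Masscan-style sweep) and a source racking up failed SSH logins, highlighting the case where a success follows the failures. The log formats, IP addresses and thresholds are constructed for illustration and are not indicators from the report.

```python
"""Flag sweep-then-brute-force behaviour in constructed connection and sshd logs.

Added example for this article; not CERT-UA's or any attacker's code.
Log formats, addresses and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style connection log: "<ISO time> <src> -> <dst>:<port> <flag>"
FW_LOG = """\
2023-06-01T10:00:00 203.0.113.7 -> 192.0.2.10:22 SYN
2023-06-01T10:00:00 203.0.113.7 -> 192.0.2.10:80 SYN
2023-06-01T10:00:01 203.0.113.7 -> 192.0.2.11:22 SYN
2023-06-01T10:00:01 203.0.113.7 -> 192.0.2.11:443 SYN
2023-06-01T10:00:01 203.0.113.7 -> 192.0.2.12:3389 SYN
2023-06-01T10:00:02 203.0.113.7 -> 192.0.2.13:22 SYN
2023-06-01T10:00:02 203.0.113.7 -> 192.0.2.14:8080 SYN
2023-06-01T10:00:03 203.0.113.7 -> 192.0.2.15:22 SYN
2023-06-01T10:00:03 203.0.113.7 -> 192.0.2.16:445 SYN
2023-06-01T10:00:04 203.0.113.7 -> 192.0.2.17:22 SYN
2023-06-01T10:00:05 203.0.113.7 -> 192.0.2.18:21 SYN
2023-06-01T10:00:05 203.0.113.7 -> 192.0.2.19:22 SYN
2023-06-01T10:00:20 198.51.100.3 -> 192.0.2.10:443 SYN
2023-06-01T10:00:21 198.51.100.3 -> 192.0.2.10:443 SYN
"""

# Constructed sshd authentication log lines in the usual syslog shape
SSH_LOG = """\
Jun  1 10:02:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Jun  1 10:02:02 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Jun  1 10:02:02 gw sshd[1203]: Failed password for root from 203.0.113.7 port 50213 ssh2
Jun  1 10:02:03 gw sshd[1204]: Failed password for root from 203.0.113.7 port 50214 ssh2
Jun  1 10:02:04 gw sshd[1205]: Failed password for operator from 203.0.113.7 port 50215 ssh2
Jun  1 10:02:05 gw sshd[1206]: Failed password for operator from 203.0.113.7 port 50216 ssh2
Jun  1 10:02:09 gw sshd[1210]: Accepted password for operator from 203.0.113.7 port 50220 ssh2
Jun  1 10:05:00 gw sshd[1300]: Failed password for alice from 198.51.100.3 port 40000 ssh2
Jun  1 10:05:30 gw sshd[1301]: Accepted publickey for alice from 198.51.100.3 port 40001 ssh2
"""

FW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) ")
SSH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port"
)


def find_sweeps(log, window=timedelta(seconds=10), min_targets=10):
    """Return {src: distinct endpoints} for sources that contact at least
    `min_targets` distinct dst:port pairs inside any `window`; ordinary
    clients revisit a few endpoints, a sweep fans out across many."""
    events = defaultdict(list)  # src -> [(timestamp, "dst:port"), ...]
    for line in log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, src, dst, port = m.groups()
        events[src].append((datetime.fromisoformat(ts), f"{dst}:{port}"))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({ep for _, ep in evs[start:end + 1]})
            if distinct >= min_targets:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


def find_brute_force(log, max_failures=5):
    """Return {src: (failures, accepted_after)} for sources with at least
    `max_failures` failed logins; accepted_after is True when a successful
    login from that source follows the run of failures."""
    failures = defaultdict(int)
    accepted_after = defaultdict(bool)
    for line in log.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue
        outcome, _user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
        elif failures[src] >= max_failures:
            accepted_after[src] = True
    return {src: (n, accepted_after[src]) for src, n in failures.items() if n >= max_failures}


if __name__ == "__main__":
    for src, n in find_sweeps(FW_LOG).items():
        print(f"sweep: {src} touched {n} distinct endpoints")
    for src, (n, success) in find_brute_force(SSH_LOG).items():
        print(f"brute force: {src} {n} failures, later success: {success}")
```

Both detectors work on a single log excerpt; in practice the same windowed counting runs over a streaming feed, and the brute-force case that ends in an accepted login is the one to escalate first, since it matches the report's pattern of initial access followed by lateral movement.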
As part of those efforts, CERT-UA's report said, UAC-0165 often tried to install a variety of software on breached systems: malicious privileged access management software with the codename PoemGate, which can eavesdrop on administrator passwords; tools such as the WhiteCat utility to remove signs of unauthorized access; Poseidon, a remote control toolkit; and, for web servers, the Weevely web shell designed for post-exploitation remote access.
Attackers often accessed targeted networks using VPN services with IP addresses that came from the Tor anonymity network or that claimed to be Ukrainian, CERT-UA said.
Attackers' modus operandi once they gained remote access was typically to move laterally inside the network, gaining admin privileges and accessing numerous systems, as well as to exfiltrate documents and to steal passwords for official social media accounts as well as tokens for sending SMS messages. They followed up that activity by running "destructor scripts" to disrupt as many IT systems as possible, including networking hardware, CERT-UA reported.
Tracking UAC-0165
Ukraine has been tracking UAC-0165 since at least April, when it traced a hacking campaign targeting an unspecified government agency.
In that attack, hackers used a modified version of a destructive .bat batch file called RoarBat, designed to seek and destroy many different types of files. Ukraine said that attack paralleled one it had discovered in January targeting its national news agency, Ukrinform. Information about that attack was published by the self-proclaimed hacktivist group "CyberArmyofRussia_Reborn" on its Telegram channel on Jan. 17.
Google Cloud's Mandiant threat intelligence division has reported that it has high confidence CyberArmyofRussia_Reborn coordinates with Russia's GRU military intelligence service, possibly by distributing information stolen by APT28, also known as FancyBear.
In one incident, Mandiant said, CyberArmyofRussia_Reborn boasted about an attack perpetrated by a GRU operator with the codename UNC3810 involving CaddyWiper wiper malware, prior to the malware executing.
"Due to a series of operator errors, UNC3810 was unable to complete the wiper attack before the Telegram post boasting of the disrupted network," Mandiant reported. "Instead, the Telegram post preceded CaddyWiper's execution by 35 minutes, undermining CyberArmyofRussia_Reborn's repeated claims of independence from the GRU."
Multiple security experts have suggested many Russian-aligned hacktivist groups may be funded, if not directly run, by Russian intelligence services (see: Red Cross Tells Hacktivists: Stop Targeting Hospitals).