Ukrainian Telcos Targeted by Suspected Sandworm Hackers

Attackers' MO: Data Exfiltration, Followed by Network and Hardware Disruption
Communication gear on the TV tower of Central Television of Ukraine in Kyiv, Ukraine, in a photo from 2014 (Image: Shutterstock)

Russian hackers are targeting Ukrainian government agencies and critical infrastructure with a barrage of "destructive" malware designed to wipe or destroy IT systems, Kyiv cyber defenders said.

Between May and September, at least 11 Ukrainian telecommunications firms detected hacks that, in some cases, disrupted service, Ukraine's Computer Emergency Response Team, CERT-UA, reported Monday.

Ukraine gave the codename UAC-0165 to the threat actor behind the attacks and said it has moderate confidence that the attacks are being perpetrated by the Sandworm hacking team, which has pummeled Ukraine with cyberattacks for more than half a decade. Western intelligence says that Sandworm - aka Seashell Blizzard, TeleBots and Voodoo Bear - is run by Russia's GRU military intelligence agency.

In January, Ukraine's top information protection agency warned that Russia continues to use data stealers and wiper malware for destruction and cyberespionage as it continues its war of aggression. The State Service of Special Communications and Information Protection of Ukraine reported that the sectors being most targeted are energy, security and defense, telecommunications, technology and development, finance, and logistics.

The SSSCIP recently said Moscow appeared to be stepping up its destructive attacks, especially against the energy sector, as temperatures start to cool (see: Ukraine Cyber Defenders Prepare for Winter).

Hackers' Calling Card: Masscan

The online campaigns against the Ukrainian telecommunications firms in recent months typically began with attackers executing a "rough" scan of the targeted network's subnets using the Masscan network port scanner, CERT-UA reported. Attackers followed with brute-force attacks against unprotected SSH or Remote Desktop Protocol instances, exploitation of known vulnerabilities, and attacks on public-facing web applications using a variety of tools, including the Ffuf fuzzer, DirBuster penetration testing toolkit, Gowitness screenshot utility and Nmap network mapper.

As part of those efforts, CERT-UA's report said, UAC-0165 often tried to install on breached systems a variety of software: malicious privileged access management software with the codename PoemGate, which can eavesdrop on administrator passwords; tools such as the WhiteCat utility to remove signs of unauthorized access; Poseidon, which is a remote control toolkit; and for web servers, the Weevely web shell designed for post-exploitation remote access.

Attackers often accessed targeted networks using VPN services with IP addresses that came from the Tor anonymity network or that claimed to be Ukrainian, CERT-UA said.

Attackers' modus operandi once they gained remote access was typically to move laterally inside the network, gaining admin privileges and accessing numerous systems, as well as to exfiltrate documents and to steal passwords for official social media accounts as well as tokens for sending SMS messages. They followed up that activity by running "destructor scripts" to disrupt as many IT systems as possible, including networking hardware, CERT-UA reported.

Tracking UAC-0165

Ukraine has been tracking UAC-0165 since at least April, when it traced a hacking campaign targeting an unspecified government agency.

In that attack, hackers used a modified version of a destructive .bat - batch file - called RoarBat, designed to seek and destroy many different types of files. Ukraine said that attack paralleled one it had discovered in January targeting its national news agency, Ukrinform. Information about that attack was published by the self-proclaimed hacktivist group "CyberArmyofRussia_Reborn" on its Telegram channel on Jan. 17.

Google Cloud's Mandiant threat intelligence division has reported that it has high confidence CyberArmyofRussia_Reborn coordinates with Russia's GRU military intelligence service, possibly by distributing information stolen by APT28, also known as FancyBear.

In one incident, Mandiant said, CyberArmyofRussia_Reborn boasted about an attack perpetrated by a GRU operator with the codename UNC3810 involving CaddyWiper wiper malware, prior to the malware executing.

"Due to a series of operator errors, UNC3810 was unable to complete the wiper attack before the Telegram post boasting of the disrupted network," Mandiant reported. "Instead, the Telegram post preceded CaddyWiper's execution by 35 minutes, undermining CyberArmyofRussia_Reborn's repeated claims of independence from the GRU."

Multiple security experts have suggested many Russian-aligned hacktivist groups may be funded, if not directly run, by Russian intelligence services (see: Red Cross Tells Hacktivists: Stop Targeting Hospitals).

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
