The Silent Specter of Cyber Espionage: Unveiling ‘Sandworm’


Between May and September 2023, an unnerving cyber assault took place: a series of strikes on 11 telecommunication service providers in Ukraine. The mastermind behind these attacks was the state-sponsored Russian hacking group ‘Sandworm’. This information was made known in a report by Ukraine’s Computer Emergency Response Team (CERT-UA) (source).

The nefarious activities of Sandworm, also tracked as UAC-0165, resulted in much disruption. Customers faced extensive service interruptions, and there was a looming threat of data breaches. Cyberespionage was carried out through two main programs, POEMGATE and POSEIDON, which were used to steal credentials and hijack infected hosts.

To remain undetected, the attackers used a utility named WHITECAT (source). Subsequently, extensive scanning of the targeted telecom companies’ networks began, with the purpose of exposing vulnerabilities and entry points.

Traces of this digital reconnaissance were discovered on compromised servers within the Ukrainian internet region. Proxy servers (Dante and SOCKS5) facilitated the operations. After the breach of their VPN accounts, the pathway to network infiltration became predominantly unimpeded.

Because the VPN accounts lacked multi-factor authentication, the battle was largely won at this point. The Sandworm operation continued not long after: the hackers shifted their focus towards disabling network and server equipment, with a primary focus on Mikrotik equipment and data storage systems.

The illegal activities of these cyber intruders persisted into October 2023. At this point, CERT-UA observed a new wave of phishing attacks launched by another group, UAC-0006. Delving into the realm of financial deception, the hackers made use of the SmokeLoader malware, which was employed to manipulate accountants’ computers and financial documents (source).

Sandworm proved to be more than just an unseen threat. It was acknowledged as an active espionage group, tied to Russia’s GRU (armed forces). In 2023, the group exemplified its capabilities through an impressive arsenal of tactics, encompassing phishing lures, Android malware, and data-wipers, all integral components of its covert operations.

These hackers repeatedly utilized tools such as ‘masscan,’ ‘ffuf,’ ‘dirbuster,’ ‘gowitness,’ and ‘nmap’ in their bid to exploit vulnerabilities in web services. In conclusion, CERT-UA continues to urge all service providers in Ukraine to adhere to its security guidelines, all in a bid to prevent similar cyberattacks in future (source).
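The reconnaissance phase described above, in which scanners such as masscan and nmap probe many ports or many hosts in a short time, leaves a recognisable footprint in perimeter connection logs. The following script is an added example written for this article; it is not code from CERT-UA, from the report, or from any tool named on the page. It runs over constructed log lines in a hypothetical format ("timestamp src -> dst:port action") and flags a source that touches many distinct ports (a vertical scan) or many distinct hosts (a horizontal sweep) within a sliding time window. The thresholds and window length are assumptions chosen for the sample, not values from the report.

```python
"""Flag scan-like behaviour in connection logs (constructed sample data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def build_sample_log():
    """Constructed sample log lines; addresses are documentation ranges, not real hosts."""
    base = datetime(2023, 6, 1, 12, 0, 0)
    lines = []
    # Vertical scan: one source probes 25 distinct ports on one host within 25 seconds.
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 198.51.100.7 -> 10.0.0.5:{8000 + i} DENY")
    # Horizontal sweep: one source hits port 80 on 12 different hosts within 12 seconds.
    for i in range(12):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 203.0.113.9 -> 10.0.1.{i + 1}:80 ALLOW")
    # Benign traffic: a workstation talking to two servers on two ports over an hour.
    for i in range(6):
        t = base + timedelta(minutes=10 * i)
        port = 443 if i % 2 else 22
        lines.append(f"{t.isoformat()} 192.0.2.4 -> 10.0.0.{1 + i % 2}:{port} ALLOW")
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, _action = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_scanners(lines, window_seconds=60, port_threshold=20, host_threshold=10):
    """Map each suspicious source IP to the sorted list of reasons it was flagged.

    A source is flagged when, inside any window of `window_seconds`, it contacts at
    least `port_threshold` distinct ports or `host_threshold` distinct hosts.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, port = parsed
            events[src].append((ts, dst, port))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, evs in events.items():
        evs.sort()
        ports, hosts = Counter(), Counter()  # distinct-value counts inside the window
        left = 0
        for ts, dst, port in evs:
            ports[port] += 1
            hosts[dst] += 1
            # Evict events that fell out of the window before evaluating thresholds.
            while evs[left][0] < ts - window:
                _, old_dst, old_port = evs[left]
                ports[old_port] -= 1
                if ports[old_port] == 0:
                    del ports[old_port]
                hosts[old_dst] -= 1
                if hosts[old_dst] == 0:
                    del hosts[old_dst]
                left += 1
            reasons = set()
            if len(ports) >= port_threshold:
                reasons.add("vertical port scan")
            if len(hosts) >= host_threshold:
                reasons.add("horizontal host sweep")
            if reasons:
                findings.setdefault(src, set()).update(reasons)
    return {src: sorted(r) for src, r in findings.items()}


if __name__ == "__main__":
    for src, reasons in detect_scanners(build_sample_log()).items():
        print(f"{src}: {', '.join(reasons)}")
```

Distinct-value counting rather than raw connection counting is the point of the design: a busy but legitimate client repeats the same few ports and hosts, while a scanner spreads out across them, so the two are separable even when the scanner's per-second rate is low. In production the thresholds would be tuned against the baseline of the network, and the same logic would run over the real firewall or NetFlow export rather than the constructed lines here.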


October 19, 2023
An extensive investigation into a series of cyberattacks by the Russian hacking group 'Sandworm' against telecommunication service providers in Ukraine. The group's malicious activities include disruption of services, cyberespionage, and potential data breaches.