9 August 2023

Ukraine thwarts Sandworm attack targeting military systems


Ukraine thwarts Sandworm attack targeting military systems

Ukraine’s security services have foiled an attempt by Russian state-backed hackers to compromise the combat data exchange system of the Armed Forces of Ukraine.

The Security Service of Ukraine (SSU) has attributed the attacks to Sandworm, a threat actor linked to military unit 74455, a cyberespionage unit of Russia's military intelligence service.

The group is believed to be behind the December 2015 Ukraine power grid cyberattack, the 2017 cyberattacks on Ukraine using the NotPetya malware, various interference efforts in the 2017 French presidential election, and the cyberattack on the 2018 Winter Olympics opening ceremony. Since the beginning of Russia’s invasion of Ukraine in February 2022, the team has launched multiple attacks against Ukrainian entities using destructive malware and ransomware.

According to a technical report released by the SSU, in the recent attacks, the group attempted to infect Ukraine’s military network with nearly ten variants of custom malware ranging from Android remote access trojans and Mirai variants to backdoors designed to collect data from Ukraine's Starlink satellite connections. The agency noted that Russia’s preparation for this attack was “long and thorough.”

The goal of the operation was to gather intelligence on the Ukrainian military's operations, technical provisions and movements. This was intended to achieve by capturing tablets used by the Ukrainian military on the battlefield. Through these tablets the threat actor wanted to gain access to other connected devices and infect them with malware.

Last week, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new information-stealing campaign targeting Ukraine’s government entities with the MerlinAgent malware.


Back to the list

Latest Posts

North Korean Lazarus Group targets software devs in Operation 99 campaign

North Korean Lazarus Group targets software devs in Operation 99 campaign

Operation 99 aims to steal sensitive information, including source code, configuration files, API keys, and crypto wallet credentials.
20 January 2025
Threat actors impersonating Ukraine’s CERT using AnyDesk

Threat actors impersonating Ukraine’s CERT using AnyDesk

In these cases, threat actors sent requests to connect via AnyDesk, falsely claiming to represent CERT-UA.
20 January 2025
Europol's largest-ever operation seizes millions in criminal assets worldwide

Europol's largest-ever operation seizes millions in criminal assets worldwide

The global operation uncovered 83 crypto wallets and addresses linked to criminal organizations.
20 January 2025