Telecom providers in Ukraine targeted with destructive attacks

At least 11 telecommunications service providers in Ukraine have been hit with destructive attacks between May 11, 2023, and September 27, 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) has warned. In some cases, the attacks resulted in the disruption of services.

The agency has attributed these campaigns to Sandworm (UAC-0165), a threat actor believed to be one of Russia's military cyber units.

The attack typically starts with a reconnaissance phase, in which the attackers use previously compromised servers to run port scans with the popular network scanner Masscan to identify exposed remote management interfaces such as SSH or RDP. If such interfaces are found and access to them is not restricted, the threat actors attempt to guess a valid username and password combination to log in.

Besides SSH and RDP protocols, the threat actors use compromised VPN accounts to gain access to the networks.

The attackers also use web fuzzers, brute force tools and free network scanners such as ffuf, dirbuster, gowitness, and nmap to analyze publicly accessible services like web applications, personal accounts, hosting services, etc.

An analysis of a compromised server revealed that the attackers had planted a backdoor in the form of a PAM module, tracked as POEMGATE, which allows authentication with a static password and saves the credentials entered by users to a file encoded with an XOR cipher. The team says that such backdoors are usually planted beforehand and allow the attackers to obtain valid admin credentials that can then be used to gain access to other servers and network equipment.
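As an added defender-side illustration (this is not code from the article or from CERT-UA's advisory): a small Python audit that parses a PAM stack file and flags entries whose module is not on an administrator's allowlist, is loaded from an explicit path rather than the default module directory, or uses the `sufficient` control in the auth phase, which can short-circuit later checks. The sample configuration, the allowlist and the placeholder module name are constructed assumptions for the example.

```python
import re
from collections import namedtuple

# Constructed sample of a PAM stack file (not a real system's config).
# "pam_example_backdoor.so" is a placeholder standing in for an unexpected module.
SAMPLE_PAM_CONFIG = """\
# /etc/pam.d/sshd (constructed sample)
auth       required     pam_env.so
auth       sufficient   /usr/lib/security/pam_example_backdoor.so
auth       include      common-auth
account    required     pam_nologin.so
password   include      common-password
session    required     pam_limits.so
"""

# Modules the administrator expects in this stack (assumption for the example).
EXPECTED_MODULES = {"pam_env.so", "pam_nologin.so", "pam_limits.so", "pam_unix.so"}

# type, control (either a bracketed [..] form or a single word), module
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

PamEntry = namedtuple("PamEntry", "lineno type control module")

def parse_pam_config(text):
    """Parse PAM lines into entries; skip comments, blanks and include/substack lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            continue
        mtype, control, module = m.groups()
        if control in ("include", "substack"):
            continue  # references another stack file, not a module
        entries.append(PamEntry(lineno, mtype, control, module))
    return entries

def find_suspicious_modules(text, expected=EXPECTED_MODULES):
    """Return (lineno, module, reasons) for entries worth a manual review."""
    findings = []
    for e in parse_pam_config(text):
        name = e.module.rsplit("/", 1)[-1]
        reasons = []
        if name not in expected:
            reasons.append("module not in allowlist")
        if "/" in e.module:
            reasons.append("explicit path (outside default module directory)")
        if e.type == "auth" and e.control == "sufficient":
            reasons.append("'sufficient' auth control can bypass later modules")
        if reasons:
            findings.append((e.lineno, e.module, reasons))
    return findings
```

Flagged entries are a starting point for review, for example by checking the module file against the package manager's recorded checksum.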

In some cases, the attackers installed a variant of the Poseidon remote access tool (RAT), or the Weevely backdoor (if the target company provides hosting services).

Once inside the victim network, the attackers attempt to identify so-called jump hosts (intermediary servers between a client machine and the network of machines the client wants to reach) and admin servers. The intruders also exfiltrate sensitive data such as documents, blueprints, credentials, and other information.

The final stage of the attack involves the attackers using destruction scripts to wreck network and server equipment, as well as data storage systems.

A more detailed technical analysis, along with the Indicators of Compromise associated with these malicious campaigns, is available in CERT-UA's security advisory.
