22 April 2024

Russian Sandworm hackers planned over 20 attacks on Ukraine’s critical infrastructure

Ukraine’s Computer Emergency Response Team (CERT-UA) said it detected and disrupted a malicious campaign in March 2024 aimed at disrupting the stable operation of the information and communication systems (ICS) of around twenty entities in the energy, water and heat supply sectors across ten regions of Ukraine.

CERT-UA has attributed the campaign to a threat actor it tracks as UAC-0133, which has been conducting destructive cyberattacks on water supply facilities since 2022. The Ukrainian defenders believe that UAC-0133 is a subcluster of the Russia-linked state-backed threat actor Sandworm (APT44).

Earlier this month, cybersecurity firm Mandiant revealed that a group of “hacktivists” known as “CyberArmyofRussia_Reborn,” associated with Sandworm, has targeted a hydroelectric power station in France and water supply facilities in the United States and Poland.

Additionally, researchers at Finnish security company WithSecure (formerly F-Secure Business) said they discovered a new backdoor, dubbed ‘Kapeka,’ which they linked to Sandworm. The tool has been used in attacks against Eastern European targets since at least mid-2022.

CERT-UA’s analysis of infected Linux computers showed that the attackers employed the well-known Queueseed backdoor (also tracked as Knuckletouch, Icywell, Wrongsens and Kapeka) alongside a new set of tools, including a Linux variant of Queueseed named ‘BiasBoat’ and malware called ‘LoadGrip.’ The compromised systems are used to automate technological process control (SCADA) via specialized software of domestic production. On Windows systems, the threat actor deployed the Queueseed backdoor and the Gissipflow malware.

The team noted that BiasBoat was deployed in the form of an encrypted file tailored to a specific server, for which the threat actor used a pre-obtained “machine-id” value.

CERT-UA said it confirmed the compromise of at least three “supply chains,” suggesting that the attackers gained unauthorized access either through specialized software containing backdoors and vulnerabilities, or by exploiting the technical ability of suppliers' employees to access organizations' ICS for maintenance and technical support.

The threat actor then used the compromised systems to move laterally through the corporate networks; on such computers, for instance, directories containing previously deployed PHP web shells such as Weevely, the PHP tunnel Regeorg.neo, and Pivotnacci were discovered.

The team said it informed the affected organizations, helped to configure servers and active network equipment, and took steps to strengthen defenses.
