Russian Sandworm hackers breached 11 Ukrainian telcos since May

October 16, 2023 at 02:08PM

The Russian hacking group known as ‘Sandworm’ has compromised eleven telecommunication service providers in Ukraine between May and September 2023, according to a report by Ukraine’s Computer Emergency Response Team (CERT-UA). The hackers interfered with communication systems, causing service interruptions and potential data breaches. Sandworm used various tactics, including phishing lures, Android malware, and data-wipers, as well as tools like masscan, ffuf, dirbuster, and nmap to exploit vulnerabilities. They also used backdoors called Poemgate and Poseidon for unauthorized access. CERT-UA recommends that service providers follow a guide to enhance their system security.

Key takeaways:

1. The state-sponsored Russian hacking group known as ‘Sandworm’ has targeted and compromised eleven telecommunication service providers in Ukraine between May and September 2023.
2. This information is based on a report by Ukraine’s Computer Emergency Response Team (CERT-UA) using ‘public resources’ and data retrieved from breached providers.
3. Sandworm’s interference with the communication systems of these telcos has resulted in service interruptions and potential data breaches.
4. Sandworm, linked to Russia’s GRU, has focused on Ukraine in 2023 and employs tactics such as phishing, Android malware, and data-wipers.
5. Their attacks start with reconnaissance using the ‘masscan’ tool to scan target networks, seeking open ports and unprotected RDP or SSH interfaces.
6. The attackers also exploit vulnerabilities in web services and compromise VPN accounts without multi-factor authentication.
7. Sandworm employs proxy servers to make their intrusions appear less suspicious, routing malicious activities through previously compromised servers in the Ukrainian internet region.
8. CERT-UA has identified two backdoors in breached ISP systems: ‘Poemgate,’ which captures admin credentials, and ‘Poseidon,’ a Linux backdoor enabling remote computer control.
9. Sandworm uses the ‘Whitecat’ tool to remove traces of the attack and delete access logs.
10. In the final stages of the attack, the hackers deploy scripts to disrupt services, particularly targeting Mikrotik equipment, and wipe backups to hinder recovery.
11. CERT-UA recommends that all service providers in Ukraine follow its guidelines to strengthen their systems against cyber intruders.
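Takeaways 5 and 6 describe the reconnaissance phase: masscan sweeps looking for exposed RDP and SSH. As an added illustration that is not part of the article or the CERT-UA report, the following Python script shows how a defender could flag such a sweep in perimeter firewall logs; the log line format, the addresses and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed perimeter-firewall log lines (not from the CERT-UA report): one source
# probing several RDP/SSH endpoints, an admin host making a normal connection,
# and one probe to port 80 that the detector ignores.
SAMPLE_LOG = """\
2023-06-01T10:00:00 src=198.51.100.7 dst=192.0.2.10 dport=3389 action=deny
2023-06-01T10:00:01 src=198.51.100.7 dst=192.0.2.10 dport=22 action=deny
2023-06-01T10:00:02 src=198.51.100.7 dst=192.0.2.11 dport=3389 action=allow
2023-06-01T10:00:02 src=198.51.100.7 dst=192.0.2.11 dport=22 action=deny
2023-06-01T10:00:03 src=198.51.100.7 dst=192.0.2.12 dport=3389 action=deny
2023-06-01T10:00:03 src=198.51.100.7 dst=192.0.2.12 dport=22 action=allow
2023-06-01T10:00:04 src=198.51.100.7 dst=192.0.2.12 dport=80 action=allow
2023-06-01T10:05:00 src=203.0.113.5 dst=192.0.2.10 dport=22 action=allow
"""

ADMIN_PORTS = {22, 3389}  # SSH and RDP: the services the report says masscan looked for
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=\w+$")

def parse_line(line):
    """Return (timestamp, src, dst, dport) or None if the line has another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def detect_admin_port_sweeps(log_text, min_endpoints=5, window=timedelta(minutes=5)):
    """Map each source that touched >= min_endpoints distinct (dst, port) pairs on SSH/RDP
    inside `window` to the endpoints it hit. Denied connections count too: a sweep is a sweep."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] in ADMIN_PORTS:
            ts, src, dst, dport = parsed
            hits[src].append((ts, dst, dport))
    findings = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span of events fits within `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            endpoints = {(dst, port) for _, dst, port in events[start:end + 1]}
            if len(endpoints) >= min_endpoints:
                findings.setdefault(src, set()).update(endpoints)
    return findings
```

Feeding real firewall exports requires only adapting `LINE_RE` to the vendor's format; the windowed distinct-endpoint count is what separates a sweep from an administrator's normal logins.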
