Russian Sandworm hackers targeted 20 critical orgs in Ukraine

April 22, 2024 at 08:34AM

The Russian state hacker group Sandworm, also tracked as BlackEnergy, Seashell Blizzard, Voodoo Bear, and APT44, carried out disruptive cyberattacks on critical infrastructure in Ukraine. The attacks targeted energy, water, and heating suppliers and were made easier by weak cybersecurity practices at the victims, notably a lack of network segmentation and poorly secured software suppliers. CERT-UA ran incident response operations from March 7 to March 15, 2024, and published the indicators of compromise it identified.

Key takeaways:

1. Sandworm targeted around 20 critical infrastructure facilities in Ukraine, including energy, water, and heating suppliers in 10 regions.
2. Sandworm is assessed to be linked to Russia's military intelligence service (GRU) and is known for both cyberespionage and destructive attacks. In this campaign it combined previously documented malware with new tools, such as BIASBOAT and LOADGRIP for Linux.
3. The attacks were made easier by poor cybersecurity practices at the targeted facilities, including lack of network segmentation and insufficient defenses at the software supplier level.
4. CERT-UA carried out extensive incident response operations from March 7 to March 15, 2024, which included notifying the affected enterprises, removing malware, and hardening their defenses.
5. Sandworm relied on a mix of malware, including QUEUESEED (also called IcyWell and Kapeka) for Windows, its Linux variant BIASBOAT together with the LOADGRIP loader, and GOSSIPFLOW for Windows, along with open source tools, to maintain persistence, hide malicious processes, and elevate privileges on compromised systems.
6. The purpose of these attacks was believed to be to increase the effect of Russian missile strikes on the targeted infrastructure facilities.
7. Mandiant exposed Sandworm’s connection to three hacktivist-branded Telegram groups that have claimed attacks on critical infrastructure in Europe and the U.S.
8. CERT-UA’s report provides a long list of indicators of compromise, including files, hosts, and network details.
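Turning a published indicator list into a sweep of local telemetry is the first thing a defender does with a report like this. The following is an added example, not code from the article or from CERT-UA: it parses a defanged indicator list (the `hxxp://` and `[.]` notation such reports use), refangs it into matchable hosts and file hashes, and runs the set over proxy, DNS, and file inventory log lines. Every indicator and log line below is constructed for illustration and is not from the report.

```python
import re
from dataclasses import dataclass

# Constructed, defanged IOC list in the shape such reports usually use.
# The hosts and hashes are placeholders invented for this example, not
# indicators published by CERT-UA.
SAMPLE_IOC_TEXT = """\
# hosts
hxxp://update-service[.]example/lin/loader
hxxps://203[.]0[.]113[.]10:8443/
# files
sha256: 6f1ed002ab5595859014ebf0951522d9d0bcb62aca12cfc2ea19b2ead1d2d8b3  /tmp/.cache/biasboat
md5: 9e107d9d372bb6826bd81d3542a419d6
"""

# Constructed proxy, DNS and file-inventory log lines to sweep.
SAMPLE_LOGS = """\
2024-03-08T02:14:11Z proxy src=10.20.1.5 dst=update-service.example:80 uri=/lin/loader status=200
2024-03-08T02:14:12Z dns q=update-service.example a=203.0.113.10
2024-03-08T02:15:40Z proxy src=10.20.1.5 dst=203.0.113.10:8443 uri=/ status=200
2024-03-08T03:00:00Z proxy src=10.20.1.6 dst=mirror.example.org:443 uri=/ status=200
2024-03-08T04:00:00Z fileinv host=scada-hist-01 path=/tmp/.cache/biasboat sha256=6f1ed002ab5595859014ebf0951522d9d0bcb62aca12cfc2ea19b2ead1d2d8b3
"""

# sha256 / sha1 / md5 hex digests, longest alternative first.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")
# IPv4 addresses or dotted hostnames as they appear in log lines.
HOST_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE
)


def refang(s: str) -> str:
    """Undo the common defanging conventions so indicators match raw logs."""
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


@dataclass(frozen=True)
class Iocs:
    hosts: frozenset  # lower-cased hostnames and IPv4 addresses
    hashes: frozenset  # lower-cased hex digests


def parse_iocs(text: str) -> Iocs:
    """Extract hosts (from URLs or bare hosts) and file hashes from a defanged list."""
    hosts, hashes = set(), set()
    for raw in text.splitlines():
        line = refang(raw.strip())
        if not line or line.startswith("#"):
            continue
        digests = HASH_RE.findall(line)
        if digests:
            hashes.update(d.lower() for d in digests)
            continue  # a hash line may carry a path; never treat it as a host
        if line.lower().startswith(("http://", "https://")):
            # scheme://host[:port]/path -> host, dropping the port
            host = line.split("//", 1)[1].split("/", 1)[0].split(":", 1)[0]
            hosts.add(host.lower())
        else:
            m = HOST_RE.search(line)
            if m:
                hosts.add(m.group(0).lower())
    return Iocs(frozenset(hosts), frozenset(hashes))


def sweep(iocs: Iocs, log_text: str) -> list:
    """Return (line_no, kind, value) for every indicator seen in the log lines."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for d in HASH_RE.findall(line):
            if d.lower() in iocs.hashes:
                hits.append((n, "hash", d.lower()))
        for m in HOST_RE.finditer(line):
            tok = m.group(0).lower()
            if tok in iocs.hosts:
                hits.append((n, "host", tok))
    return hits


def run_sample() -> list:
    """Sweep the constructed logs with the constructed indicator list."""
    return sweep(parse_iocs(SAMPLE_IOC_TEXT), SAMPLE_LOGS)


if __name__ == "__main__":
    for n, kind, value in run_sample():
        print(f"line {n}: {kind} indicator {value}")
```

Hostnames are matched as whole tokens rather than substrings, so a benign `mirror.example.org` does not trip an indicator for `update-service.example`, and the port is stripped from URL indicators because the same host will show up on other ports in proxy and DNS telemetry. Real reports also carry file paths and mutex or service names; those need per-source parsers rather than the token matching shown here.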
