Russia’s Sandworm Hacking Unit Targets Ukrainian Telecom Providers
Attackers Employed 'Various Malware'
A recent report from Ukrainian cybersecurity authorities reveals that the notorious Russian state hacking group known as Sandworm has targeted at least eleven Ukrainian internet and telecom providers since May.
These attacks have caused service interruptions and potential data breaches, and Ukraine's computer emergency response team, CERT-UA, describes the campaign as an ongoing issue this year.
The war between Russia and Ukraine has made telecom providers in both countries prime targets for hackers seeking to disrupt communications and internet access.
While most reported cyberattacks have not caused major shutdowns and are typically resolved within a few hours, the recent attacks on Ukrainian telecom providers carried out by Sandworm between May and September have been particularly concerning.
Sandworm employed various malware, including Poemgate and Poseidon, to steal credentials and take control of infected devices. They also utilized Whitecat to erase any forensic traces, making it difficult to attribute the attacks to them. Furthermore, the hackers exploited compromised VPN accounts that lacked multi-factor authentication, allowing them to infiltrate the victims' networks.
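The report attributes initial access to compromised VPN accounts that had no multi-factor authentication. A defender's first check is therefore simple: find accounts that are successfully establishing VPN sessions without completing MFA, and from how many distinct sources. The script below is an added example, not code from the article or from CERT-UA; the log line format and the sample entries are constructed for illustration and would need to be adapted to whatever format a real VPN concentrator emits.

```python
"""
Added example (not from the CERT-UA report or the article): audit VPN
authentication log lines for successful logins that were completed without
multi-factor authentication, the weakness the article says was exploited.
The log format and the sample lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed log format (assumption, not a real vendor format):
# "<timestamp> vpn user=<name> src=<ip> mfa=<yes|no> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2023-06-01T08:01:12Z vpn user=alice src=203.0.113.10 mfa=yes result=success
2023-06-01T08:03:44Z vpn user=svc-backup src=198.51.100.7 mfa=no result=success
2023-06-01T08:05:09Z vpn user=bob src=203.0.113.22 mfa=no result=failure
2023-06-01T08:07:31Z vpn user=svc-backup src=198.51.100.9 mfa=no result=success
2023-06-01T08:09:58Z vpn user=carol src=203.0.113.40 mfa=yes result=success
2023-06-01T08:11:02Z vpn user=svc-backup src=192.0.2.55 mfa=no result=success
"""


def parse_lines(text):
    """Parse every well-formed log line into a dict; silently skip the rest."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def logins_without_mfa(events):
    """Return successful VPN sessions that were established without MFA."""
    return [e for e in events if e["result"] == "success" and e["mfa"] == "no"]


def accounts_without_mfa(events):
    """Map each account to the set of source IPs it used for non-MFA logins."""
    by_user = defaultdict(set)
    for e in logins_without_mfa(events):
        by_user[e["user"]].add(e["src"])
    return dict(by_user)


def report(text):
    """One finding line per account that logged in without MFA."""
    findings = accounts_without_mfa(parse_lines(text))
    lines = []
    for user, srcs in sorted(findings.items()):
        lines.append(
            f"{user}: {len(srcs)} non-MFA login source(s): {', '.join(sorted(srcs))}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

In the sample data the only account establishing sessions without MFA is a service account, which is a common place for MFA exemptions to accumulate; the remediation is to enforce MFA on every account that can open a VPN session and to treat any remaining exemption as a monitored finding rather than a permanent exception.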
The motive behind these attacks appears to be a combination of stealing sensitive information and disrupting critical infrastructure. The threat actors targeted the telecom providers' official social media accounts and stole documents, schemes, contracts, and passwords. This stolen information was either made public or used to publicize their attacks.
In the final phase of the attack, Sandworm disabled active network and server equipment, as well as data storage systems. This further highlights the group's intention to cause significant disruption and damage to the targeted telecom providers.
The attacks on Ukrainian telecom providers are not isolated incidents. Since the war with Russia began, the Ukrainian telecommunications industry has faced both physical and digital attacks. In the first year of the war alone, the industry incurred an estimated $2.3 billion in losses, as reported by the World Bank. Cyberattacks, although playing a smaller role compared to the destruction of physical infrastructure, have contributed to the overall damage.
As the geopolitical tensions between Russia and Ukraine continue, it is expected that cyber warfare will remain a prominent tool used by state-sponsored hacking groups. The international community must collaborate to address these threats and hold the perpetrators accountable to safeguard the stability and security of critical infrastructure.