Ukrainian telcos subjected to Sandworm attacks
BleepingComputer reports that 11 Ukrainian telecommunications service providers were breached by the Russian state-backed hacking group Sandworm between May and September, causing service disruptions and possible data compromise.
According to a report from Ukraine's Computer Emergency Response Team, the intrusions began with targeted network scans using the 'masscan' tool to identify exposed SSH and RDP interfaces and other open ports that could serve as an entry point. Sandworm also used compromised VPN accounts and other tools to look for flaws in the providers' web services, and routed its activity through proxy servers to conceal it while deploying the Poemgate and Poseidon backdoors. Poemgate captures the credentials of administrators who authenticate to a compromised host, giving the attackers access to additional accounts, while Poseidon is a Linux backdoor that bundles a range of remote-control capabilities. The report also shows that Sandworm targeted MikroTik equipment and other systems to disrupt services while removing traces of the intrusions.
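A detection check for the reconnaissance stage described above, added here as an example and not code from the article or from CERT-UA's report: it reads constructed, simplified connection-log lines and flags any single source that touches many distinct hosts on SSH or RDP ports within a short window, which is what a masscan sweep looks like from the defender's side. The log format, the window and host-count thresholds, and the IP addresses are all assumptions.

```python
"""Flag masscan-style sweeps for exposed SSH/RDP services in connection logs.

Added example, not from the article or CERT-UA's report. The log format is a
constructed, simplified firewall/flow-style line:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>
The thresholds below are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# The services the article says the scans were looking for: SSH and RDP.
REMOTE_ACCESS_PORTS = {22, 3389}

# Constructed sample log: one fast sweep (198.51.100.7), one admin logging in
# to a single host twice an hour (192.0.2.10), and one slow source that only
# touches a new host every five minutes (203.0.113.5).
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.7 10.0.0.1 22 SYN
2024-01-01T10:00:00 198.51.100.7 10.0.0.2 22 SYN
2024-01-01T10:00:01 198.51.100.7 10.0.0.3 22 SYN
2024-01-01T10:00:01 198.51.100.7 10.0.0.4 3389 SYN
2024-01-01T10:00:02 198.51.100.7 10.0.0.5 3389 SYN
2024-01-01T10:00:02 198.51.100.7 10.0.0.6 22 SYN
2024-01-01T10:00:03 198.51.100.7 10.0.0.7 80 SYN
2024-01-01T10:05:00 192.0.2.10 10.0.0.1 22 SYN
2024-01-01T10:35:00 192.0.2.10 10.0.0.1 22 SYN
2024-01-01T11:00:00 203.0.113.5 10.0.0.1 22 SYN
2024-01-01T11:05:00 203.0.113.5 10.0.0.2 22 SYN
2024-01-01T11:10:00 203.0.113.5 10.0.0.3 22 SYN
"""


def parse_line(line: str) -> Tuple[datetime, str, str, int]:
    """Split one constructed log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, dst, port, _action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_sweeps(lines: List[str], window_seconds: int = 60,
                min_hosts: int = 5) -> Dict[str, dict]:
    """Return {src_ip: {"distinct_hosts": n, "ports": [...]}} for every source
    that contacted at least `min_hosts` distinct hosts on SSH/RDP ports inside
    any `window_seconds` sliding window. Hits on other ports are ignored."""
    window = timedelta(seconds=window_seconds)
    events: Dict[str, List[Tuple[datetime, str, int]]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port in REMOTE_ACCESS_PORTS:
            events[src].append((ts, dst, port))

    alerts: Dict[str, dict] = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so a two-pointer sliding window works
        best_hosts = 0
        best_ports: set = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits in the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            hosts = {dst for _, dst, _ in in_window}
            if len(hosts) >= min_hosts and len(hosts) > best_hosts:
                best_hosts = len(hosts)
                best_ports = {p for _, _, p in in_window}
        if best_hosts:
            alerts[src] = {"distinct_hosts": best_hosts,
                           "ports": sorted(best_ports)}
    return alerts


if __name__ == "__main__":
    for src, detail in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible SSH/RDP sweep from {src}: {detail}")
```

Two caveats a practitioner would keep in mind: masscan randomizes target order and can be rate-limited well below any fixed threshold, so a slow sweep (like the 203.0.113.5 source above) will pass unnoticed unless the window is widened, and an attacker routing through rotating proxies splits the sweep across many source addresses. The more durable fix is the one the article implies by its description of the entry point: SSH and RDP should not be reachable from the internet at all, and VPN accounts that front them need MFA, since compromised VPN credentials were part of the same campaign.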