Russian hackers broke into Ukrainian telecoms

15:29, 19.10.2023

Russian hackers from the Sandworm group have hacked into 11 Ukrainian telecoms since May this year, according to data from the Ukrainian incident response team CERT-UA.

Hackers attacked Ukrainian telecoms

Russian hackers from the Sandworm group, acting on behalf of the Kremlin, hacked into 11 Ukrainian telecoms from May to September this year. The figures come from the Ukrainian CERT-UA, which cites both public sources and information from the attacked telecommunications companies.

CERT-UA representatives quoted by Bleeping Computer claim that Russian cybercriminals “interfered” with the communication systems of 11 telecoms in Ukraine. This led to problems such as service interruptions and could also result in data leaks.

The website notes that Sandworm is an extremely active group whose activities are linked to the Russian military intelligence service GRU. This group is actively involved in the war in Ukraine, as we have written about in numerous texts. It is worth mentioning that the methods used by this group are primarily social engineering (phishing), followed by installing malware on Android phones, as well as the use of wipers (viruses that destroy data on an infected computer).

What vulnerabilities does Sandworm exploit?

According to CERT-UA experts, the group relies on two backdoors in the systems of communications providers, known as Poemgate and Poseidon.

The first one allows attackers to capture the login data of an administrator who authenticates to the network on the attacked workstation. This is how attackers gain access to additional accounts within the network, which they can later use for further and deeper infiltration.

Poseidon, in turn, is a Linux backdoor which, according to CERT-UA, enables the use of a whole range of remote control tools. The Sandworm group then removes traces of its activities using the Whitecat tool.

The final stage of the attack is the use of scripts that disrupt the operation of communication services, as well as wiping backups, which makes it much more difficult for the victim to recover and restore normal operations after the attack.
