This article discusses the ongoing cyber warfare between Russia and Ukraine, detailing the various cyberattacks targeting telecommunications, critical infrastructure, and technology sectors in both countries. It highlights a range of malicious activities, including attacks on energy enterprises, telecommunication providers, and strategic technology platforms, exemplifying the impact of these digital assaults during the conflict.
Affected: telecommunications, critical infrastructure, technology sector
Keypoints:
- Cyberattacks targeted Ukraine’s energy, telecommunications, and technology sectors during the Russia-Ukraine conflict.
- APT44 (Sandworm) was involved in extensive attacks against Ukrainian energy companies, disrupting heating services in Lviv.
- Malware dubbed “FrostyGoop” was used in attacks against critical infrastructure and was designed to interact with industrial control systems (ICS).
- CyberArmyofRussia_Reborn (CARR) attacked water infrastructure in Texas and Poland, manipulating human-machine interfaces (HMIs).
- The Cyber.Anarchy.Squad (C.A.S) targeted Russian organizations involved in supporting the conflict, notably IIS, a SCADA systems provider.
- Solntsepek disrupted the services of four Ukrainian internet service providers and also obtained sensitive databases.
- APT44 caused a significant outage for Kyivstar, Ukraine’s largest telecommunications provider, affecting millions.
- Pro-Ukrainian hacktivist groups have launched attacks on Russian platforms like Roseltorg and Nodex, exfiltrating data and disrupting services extensively.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: Attackers issued Modbus commands to SCADA devices during their network intrusions.
- T1046 – Network Service Scanning: Attackers scanned for vulnerable, internet-exposed devices, such as MikroTik routers and Weintek HMIs.
- T1167 – Kerberos Tickets: APT44 used compromised employee accounts to move laterally across Kyivstar’s network.
- T1025 – Data from Information Repositories: Attackers extracted and exfiltrated sensitive data from targeted systems, including SCADA networks.
- T1070.001 – Indicator Removal on Host: Attackers used the WhiteCat log cleaner to erase traces of their activity.
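The Modbus entry above concerns unauthenticated Modbus/TCP commands reaching ICS devices. As an added example, not taken from the article this page summarizes and not tied to any tool named in it, the following Python parses the Modbus/TCP MBAP header and function code and flags write requests (coil and register writes) coming from hosts outside an allowlist of engineering workstations. The frames, IP addresses and allowlist are constructed for the demonstration.

```python
"""Parse Modbus/TCP application data units and flag write requests.

Modbus carries no authentication: any host that can reach TCP/502 on a PLC
or HMI can issue write commands. Alerting on write function codes from hosts
that are not engineering workstations is a basic, protocol-aware detection.
All sample frames and addresses below are constructed for this example.
"""
import struct
from dataclasses import dataclass

MODBUS_PORT = 502

FUNCTION_NAMES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
# Function codes that change process state on the device.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    data: bytes

    @property
    def name(self) -> str:
        return FUNCTION_NAMES.get(self.function_code, f"Unknown 0x{self.function_code:02x}")

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTIONS


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    # The length field counts the unit id plus the PDU bytes that follow it.
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    pdu = frame[7:]
    function_code = pdu[0]
    # Request PDUs for the common read/write functions start with a 16-bit address.
    start_address = struct.unpack(">H", pdu[1:3])[0] if len(pdu) >= 3 else 0
    return ModbusRequest(transaction_id, unit_id, function_code, start_address, pdu[1:])


def detect_unauthorized_writes(flows, allowed_writers):
    """Return alert strings for writes from hosts outside the allowlist.

    flows: iterable of (src_ip, dst_ip, frame_bytes) captured towards TCP/502.
    """
    alerts = []
    for src, dst, frame in flows:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({exc})")
            continue
        if req.is_write and src not in allowed_writers:
            alerts.append(
                f"{src}->{dst}: {req.name} to unit {req.unit_id} at address "
                f"{req.start_address} from non-engineering host"
            )
    return alerts


# Constructed sample frames (transaction id, protocol 0, length, unit 1, PDU).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 0000".replace(" ", ""))
WRITE_MULTI = bytes.fromhex("0003 0000 000b 01 10 0020 0002 04 0001 0002".replace(" ", ""))

# Constructed flows: an HMI polling, an engineering workstation writing,
# and an external host issuing a multi-register write.
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.2.5", READ_HOLDING),
    ("10.0.1.20", "10.0.2.5", WRITE_SINGLE),
    ("203.0.113.7", "10.0.2.5", WRITE_MULTI),
]
ALLOWED_WRITERS = {"10.0.1.20"}

if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(alert)
```

Run on the constructed flows, only the write from 203.0.113.7 produces an alert; the HMI's read and the workstation's write are left alone. In a real deployment the frames would come from a packet capture or an IDS protocol parser, and the allowlist from the site's asset inventory.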
Indicators of Compromise:
- [Domain] example[. ]com (specific domains not identified)
- [Malware] FrostyGoop
- [Malware] AcidPour
- [Malware] POEMGATE
- [Malware] WhiteCat