Russian hackers, Sandworm, target Ukraine's 20 critical infrastructure orgs. Pow...
Ukraine has once again reportedly suffered a wave of intrusions by the Russian state threat group Sandworm, also tracked as BlackEnergy, Seashell Blizzard, Voodoo Bear, and APT44.
The group, assessed to be part of Russia's GRU military intelligence, targeted approximately 20 critical infrastructure facilities, among them energy, water, and heating suppliers.
The intrusions were aimed at disrupting the operations of those facilities, a direct risk to Ukraine's national security and stability.
### Attack Methodology
Sandworm combined several techniques to get into and move through the targeted networks.
One was poisoning the software supply chain: delivering compromised or vulnerable software to the organizations through their own suppliers.
Another was abusing the remote technical-support access that those software providers held into customer systems, turning a trusted vendor connection into an unauthorized entry point.
### Malware and Tools
Sandworm deployed a set of malware families and tools to carry out the attacks. The notable ones are:
- **QUEUESEED/IcyWell/Kapeka**: A C++ backdoor for Windows used to collect system information and execute remote commands. It communicates with its C2 over HTTPS and encrypts data using RSA and AES.
- **BIASBOAT**: A new Linux variant of QUEUESEED, presented as an encrypted file server and used together with **LOADGRIP**.
- **LOADGRIP**: Another Linux variant of QUEUESEED, written in C, which injects a payload into a running process via the ptrace API.
- **GOSSIPFLOW**: A Go-based tool for Windows that sets up tunnels and provides a SOCKS5 proxy, used to exfiltrate data.
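The ptrace injection used by LOADGRIP leaves a recognisable footprint in Linux audit logs: a process attaches to a target and then writes to the target's memory or registers. The following detection script is an added example written for this article, not code from the original page or from CERT-UA. It parses auditd SYSCALL records for the x86_64 `ptrace` syscall (number 101) and flags any tracer outside a small allow-list that both attaches and writes. The log lines, the process name `loadgrip`, the PIDs and the paths are all constructed for the example; the allow-list is an assumption to be tuned per host.

```python
import re
from collections import defaultdict

# ptrace is syscall 101 on x86_64 only; auditd reports that architecture as arch=c000003e.
PTRACE_SYSCALL_NR = 101
AUDIT_ARCH_X86_64 = "c000003e"

# ptrace request codes from <sys/ptrace.h>. auditd prints a0 (the request) in hex without 0x.
PTRACE_REQUESTS = {
    0x4: "PTRACE_POKETEXT",
    0x5: "PTRACE_POKEDATA",
    0xd: "PTRACE_SETREGS",
    0x10: "PTRACE_ATTACH",
    0x4206: "PTRACE_SEIZE",
}
ATTACH_REQUESTS = {"PTRACE_ATTACH", "PTRACE_SEIZE"}
WRITE_REQUESTS = {"PTRACE_POKETEXT", "PTRACE_POKEDATA", "PTRACE_SETREGS"}

# Assumption: tracers that legitimately attach and write on this host (debuggers).
ALLOWED_TRACERS = {"gdb", "strace", "ltrace"}

# Constructed auditd records (not real captures) as emitted by a rule such as
#   -a always,exit -F arch=b64 -S ptrace -k ptrace_inject
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1710000001.101:901): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 items=0 ppid=900 pid=2100 auid=0 uid=0 comm="loadgrip" exe="/tmp/.cache/loadgrip" key="ptrace_inject"
type=SYSCALL msg=audit(1710000001.102:902): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 a2=7f2a1c0b0000 a3=cc909090 items=0 ppid=900 pid=2100 auid=0 uid=0 comm="loadgrip" exe="/tmp/.cache/loadgrip" key="ptrace_inject"
type=SYSCALL msg=audit(1710000001.103:903): arch=c000003e syscall=101 success=yes exit=0 a0=d a1=4d2 a2=0 a3=7ffd1a2b3c40 items=0 ppid=900 pid=2100 auid=0 uid=0 comm="loadgrip" exe="/tmp/.cache/loadgrip" key="ptrace_inject"
type=PROCTITLE msg=audit(1710000001.103:903): proctitle="./loadgrip"
type=SYSCALL msg=audit(1710000002.201:904): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=7b a2=0 a3=0 items=0 ppid=2800 pid=3001 auid=1000 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace_inject"
type=SYSCALL msg=audit(1710000002.202:905): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=7b a2=401136 a3=cc items=0 ppid=2800 pid=3001 auid=1000 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace_inject"
type=SYSCALL msg=audit(1710000003.301:906): arch=c000003e syscall=101 success=yes exit=0 a0=4206 a1=1c8 a2=0 a3=0 items=0 ppid=2800 pid=3100 auid=1000 uid=1000 comm="strace" exe="/usr/bin/strace" key="ptrace_inject"
type=SYSCALL msg=audit(1710000004.401:907): arch=c000003e syscall=59 success=yes exit=0 a0=5 a1=6 a2=7 a3=0 items=2 ppid=1 pid=3200 auid=0 uid=0 comm="sh" exe="/usr/bin/dash" key="exec"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one auditd record into key/value fields, dropping quotes around string values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def ptrace_calls(lines):
    """Yield (comm, tracer_pid, request_name, target_pid) for each successful ptrace() of interest.

    For ptrace(request, pid, addr, data) auditd records request as a0 and the target pid as a1."""
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != AUDIT_ARCH_X86_64:
            continue
        if rec.get("syscall") != str(PTRACE_SYSCALL_NR) or rec.get("success") != "yes":
            continue
        request = PTRACE_REQUESTS.get(int(rec["a0"], 16))
        if request:
            yield rec["comm"], int(rec["pid"]), request, int(rec["a1"], 16)


def find_injections(log_text):
    """Flag a tracer that both attaches to a target and writes its memory or registers.

    Attaching alone is what strace does; a write without an attach fails. The combination,
    from a binary that is not an allow-listed debugger, is the ptrace injection pattern."""
    per_target = defaultdict(set)
    for comm, pid, request, target in ptrace_calls(log_text.splitlines()):
        per_target[(comm, pid, target)].add(request)
    findings = []
    for (comm, pid, target), requests in sorted(per_target.items()):
        if comm in ALLOWED_TRACERS:
            continue
        if requests & ATTACH_REQUESTS and requests & WRITE_REQUESTS:
            findings.append({"tracer": comm, "tracer_pid": pid,
                             "target_pid": target, "requests": sorted(requests)})
    return findings


if __name__ == "__main__":
    for finding in find_injections(SAMPLE_LOG):
        print(finding)
```

The audit rule in the comment is standard auditctl syntax and is what produces these records; without it the kernel logs no ptrace activity at all. The allow-list is deliberately narrow and keyed on `comm`, which an attacker controls, so in production pair it with the `exe` path and a check that the target is not a privileged daemon.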
### Open Source Tools
Sandworm also leveraged open-source tools such as the Weevely webshell, reGeorg.Neo, Pivotnacci, the Chisel tunneller, LibProcessHider, JuicyPotatoNG, and RottenPotatoNG. These tools served to maintain persistence, tunnel traffic out of segmented networks, hide malicious processes (LibProcessHider filters them out of `/proc` directory listings through an `LD_PRELOAD` hook), and elevate privileges (the Potato tools abuse `SeImpersonatePrivilege` on Windows to obtain SYSTEM).
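LibProcessHider works by hooking `readdir()` in every process that loads it through `/etc/ld.so.preload`, so `ps`, `top` and `ls /proc` stop showing the chosen process. It does not hook `stat()` or `open()`, which gives a simple check: walk every possible PID and ask the kernel directly whether `/proc/<pid>/status` exists, then compare with what `readdir()` returned. The script below is an added example for this article, not code from the page or from the tool's authors. The live scan runs only on Linux and reads the real `/proc`; the comparison and the `ld.so.preload` parser are pure functions so they can be exercised on constructed input.

```python
import os

PROC = "/proc"
LD_SO_PRELOAD = "/etc/ld.so.preload"


def hidden_pids(listed, probed):
    """PIDs the kernel confirms exist (probed) but that readdir() did not return (listed)."""
    return sorted(set(probed) - set(listed))


def preload_entries(text):
    """Shared objects named in an ld.so.preload file; blank lines and '#' comments are skipped.

    Any entry here is loaded into every dynamically linked process, which is how
    LibProcessHider is normally installed. A non-empty list is itself worth investigating."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def listed_pids(proc=PROC):
    """PIDs as seen through readdir(), the call that LibProcessHider hooks."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(proc=PROC, pid_max=None):
    """PIDs found by opening /proc/<pid>/status directly, which the hook does not intercept.

    /proc resolves thread IDs as well as process IDs even though readdir() only lists
    thread-group leaders, so a thread would look 'hidden'. Keep only entries whose
    Tgid equals the pid to avoid that false positive."""
    if pid_max is None:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
            pid_max = int(f.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(os.path.join(proc, str(pid), "status")) as f:
                for line in f:
                    if line.startswith("Tgid:"):
                        if int(line.split()[1]) == pid:
                            found.add(pid)
                        break
        except OSError:
            continue
    return found


def scan(proc=PROC):
    """Live scan: {pid: comm} for every process the kernel reports but readdir() omits.

    The listing is taken before and after the probe so a process that merely started
    or exited during the walk is not reported."""
    before = listed_pids(proc)
    probed = probed_pids(proc)
    after = listed_pids(proc)
    result = {}
    for pid in hidden_pids(before | after, probed):
        try:
            with open(os.path.join(proc, str(pid), "comm")) as f:
                result[pid] = f.read().strip()
        except OSError:
            result[pid] = "<exited>"
    return result


if __name__ == "__main__":
    if os.path.exists(LD_SO_PRELOAD):
        with open(LD_SO_PRELOAD) as f:
            print("ld.so.preload entries:", preload_entries(f.read()))
    for pid, comm in scan().items():
        print(f"hidden pid {pid}: {comm}")
```

Run it as root so every `/proc/<pid>/status` is readable; the full walk up to `pid_max` (often 4194304) takes some seconds in Python, which is acceptable for a one-off triage. A process that appears only in the probe, together with a `.so` entry in `/etc/ld.so.preload`, is the LibProcessHider signature; confirm by inspecting that library and the `environ` of the hidden process.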
### Cyber Defense
[CERT-UA](https://cert.gov.ua/article/6278706), Ukraine's government computer emergency response team, responded between March 7 and March 15, 2024 with a set of countermeasures across the affected enterprises.
Those measures consisted of notifying the affected organizations, removing the malware, and hardening the compromised systems to reduce the risk of further intrusions.
### Impact and Motivation
The intrusions were not only meant to disrupt critical infrastructure operations but also to amplify the effect of potential Russian missile strikes on the same facilities. That pairing of cyber and kinetic effects underscores the strategic nature of the threat, which seeks to undermine Ukraine's stability and national security.
### Attribution and Hacktivist Connections
Mandiant's recent reporting on [Sandworm's connection to hacktivist-branded Telegram](https://www.secureblink.com/cyber-security-news/russian-hackers-infiltrate-water-systems-as-hacktivists) personas adds another layer to the threat picture.
That connection points to coordination between a state-sponsored actor and nominally independent hacktivist fronts, which makes attribution and response harder for defenders.