Cyberattacks Disrupt Ukrainian Telecommunications Amid Ongoing Conflicts
Recent reports from the Computer Emergency Response Team of Ukraine (CERT-UA) indicate that threat actors have compromised the operations of at least 11 telecommunications service providers in Ukraine between May and September 2023. This wave of cyber intrusions is being tracked under the designation UAC-0165, with CERT-UA highlighting significant service interruptions for customers as a direct consequence of these attacks.
The attack methodology suggests that the initial phase involved reconnaissance efforts, during which attackers scanned telecommunications networks to identify vulnerable RDP or SSH interfaces that could serve as entry points. CERT-UA specified that both reconnaissance and exploitation activities were conducted from servers previously compromised, particularly within the Ukrainian segment of the internet. The utilization of proxy servers, including Dante and SOCKS5, facilitated the routing of traffic through compromised nodes, complicating the tracing of malicious activities.
Notably, the intrusions are characterized by the deployment of two specialized tools, POEMGATE and POSEIDON, which enable the theft of credentials and remote control over the compromised hosts. To obfuscate their activities, attackers employed a utility called WHITECAT, designed to erase forensic traces of the intrusion. Additionally, the attackers managed to maintain persistent unauthorized access to the providers’ infrastructure through the use of legitimate VPN accounts that lacked robust multi-factor authentication protections.
The aftermath of a successful breach often involves efforts to disable critical network and server equipment, with a particular focus on Mikrotik devices and associated data storage systems. These incidents come at a time when CERT-UA has also reported four separate phishing campaigns executed by a hacker group it refers to as UAC-0006, leveraging SmokeLoader malware in early October 2023.
The attackers have been utilizing legitimate compromised email accounts to disseminate malicious software, which is introduced to systems in multiple ways. CERT-UA outlined that the primary target of these phishing attempts appears to be accountants’ computers. The attackers aim to steal sensitive authentication data or tamper with financial document details within remote banking systems, thereby facilitating unauthorized transactions.
Given the complexity and coordination of these cyberattacks, they align with several tactics identified in the MITRE ATT&CK framework. Techniques such as initial access through exploitation of valid accounts, persistence by using compromised VPN credentials, and privilege escalation to disable system control are critical components of the adversaries’ strategies. Business owners and tech leaders should remain vigilant against such threats, ensuring their cybersecurity measures encompass robust authentication protocols and thorough network monitoring.
As the geopolitical landscape continues to evolve, the implications of these cyberattacks extend beyond immediate disruptions, potentially affecting broader economic stability and operational security in the region. Therefore, ongoing vigilance and proactive cybersecurity strategies are essential for both the affected telecommunications providers and their clients.
