The Computer Emergency Response Team of Ukraine (CERT-UA) has published a description of attacks against telcos by Russian state-sponsored hackers. At least 11 telcos were affected since May, and the impact includes interruptions of service for customers. This information was shared to encourage Ukrainian telcos to harden their security.
The methods used by the hackers begin with obtaining a general overview of their target by scanning subnetworks using a common set of network ports and the Masscan utility. More specialized software is then used to probe web applications such as billing, customer care systems, and websites.
Backdoors are installed and are used over time to gather the authentication credentials of administrators. This information is then used to gain access to more servers and network equipment. The final stage of an attack concentrates on disabling active network equipment and data storage systems. Backup copies of system configurations are deleted in order to delay the restoration of services.
The affected telcos were not named but CERT-UA did identify the attackers as UAC-0165, a Russian outfit that is also known as ‘Sandworm’. Sandworm is operated by Military Unit 74455, part of the foreign intelligence service of Russia’s armed forces. They have been associated with numerous attacks over their history, including interference in French elections in 2017 and the opening ceremony of the 2018 Winter Olympic Games in South Korea. Previous Sandworm attacks on Ukraine include repeated attempts to bring down electricity grids and other utilities.
The CERT-UA bulletin with specific details about the code used by Sandworm is found here.



