A hacker organization has been launching attacks on Ukrainian telecom services since the beginning of the year — so far managing to strike 11 different companies.
Their attacks have caused significant disruption to the customers of these companies. Specifically interrupting the provision of services to users, as outlined in a recent press release. The Computer Emergency Response Team of Ukraine (CERT) identified the hacker organization as UAC-0165.
Researchers discovered the same pattern appeared in every one of their attacks. The hacks first came from networks that were previously compromised. First, they’d use software like ffuf, nmap, or dirbuster to probe for open network ports.
“To route traffic through such nodes, dante, socks5 and other proxy servers are used,” explains CERT.
After compromising a port, the hackers will employ applications like POEMGATE to save the logins and passwords of whoever enters their information during the authentication process. The goal was to search for logins that would give them access to important files
After gaining administrative control, they’d employ tools like POSEIDON to gain complete remote access and control over the systems. The entire process resulted in lateral movement across the entire company.
“At the final stage of a cyber attack, active network and server equipment, as well as data storage systems are disabled,” CERT-UA explains in a press release. “This is facilitated by the use of the same passwords and unlimited access to the control interfaces of this equipment.”
They stay undetected during the process, the group would use the WHITECAT tool, masking their unauthorized access.
“It should be borne in mind that a properly investigated incident increases the likelihood of preventing the implementation of cyber threats at other facilities of our state,” said CERT.
The CERT also urges any companies that have noticed any signs of threat actors on their systems to contact them, so they can launch proper investigations into the matter.