Sandworm Targets Ukraine’s Critical Infrastructure with New Attack Wave


The CERT-UA (Computer Emergency Response Team of Ukraine) has issued an urgent alert regarding escalated cyber activities by the notorious Russia-backed Sandworm APT group, also identified under aliases like UAC-0133, UAC-0002, APT44, or FROZENBARENTS. This group, active for over a decade, has intensified its cyber operations against Ukraine, particularly targeting the nation’s public sector and critical infrastructure.

On April 19, 2024, CERT-UA disclosed evidence of a sophisticated cyber sabotage plan orchestrated by Sandworm aimed at disrupting information and communication technology (ICT) systems across multiple critical sectors including energy, water, and heating services. The attack spans across ten regions of Ukraine, underscoring the strategic and widespread nature of this threat.

This latest attack wave highlights Sandworm’s dangerous evolution. In addition to their tried-and-tested QUEUESEED malware, they’ve deployed new weapons:

  • LOADGRIP: Launches malicious payloads by injecting code into running processes.
  • BIASBOAT: A Linux version of QUEUESEED, targeting industrial control software.
  • GOSSIPFLOW: Establishes hidden tunnels to maintain control over compromised systems.

Analysts believe this expanded toolkit reveals an intent to cause maximum disruption to Ukraine’s critical infrastructure.

One of the unique aspects of the recent Sandworm campaign is the use of the BIASBOAT malware, delivered as an encrypted file tailored to individual servers, utilizing pre-acquired “machine-id” values. This bespoke approach indicates a high level of customization and sophistication in the cyber attacks.

CERT-UA’s investigations have uncovered at least three compromised supply chains. These include installations of custom software laden with backdoors and other vulnerabilities, often facilitated by suppliers with system maintenance access. This access vector not only breaches initial defenses but also enables lateral movement across corporate networks. Notably, compromised systems also housed tools like WEEVELY web shells and REGEORG.NEO or PIVOTNACCI PHP tunnels for further exploitation.
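The web shells and PHP tunnels named above share a small set of source-level traits that a defender can hunt for on a supplier-maintained web root: request data fed into eval()/assert(), decode chains such as base64_decode() and str_rot13(), raw socket calls, and custom X- response headers used to signal tunnel state. The scanner below is an added example written for this article (not CERT-UA code and not a signature for any specific tool); the three PHP samples are constructed to show a benign login page, a generic one-line shell, and a tunnel-shaped script, and the weights and threshold are assumptions to tune per environment.

```python
"""Heuristic triage of PHP files for web-shell and PHP-tunnel traits.

Added example for this article, not CERT-UA or vendor code. Rules, weights and
the threshold are assumptions; the PHP samples are constructed for the demo.
"""
import re

# (name, pattern, weight). Generic traits, not indicators for any named tool.
RULES = [
    ("eval_or_assert", re.compile(r"\b(eval|assert)\s*\(", re.I), 3),
    ("dynamic_exec", re.compile(r"\b(system|passthru|shell_exec|proc_open|popen)\s*\(", re.I), 2),
    ("request_input", re.compile(r"\$_(GET|POST|COOKIE|REQUEST|SERVER)\s*\[", re.I), 1),
    ("decode_chain", re.compile(r"\b(base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(", re.I), 2),
    ("raw_sockets", re.compile(
        r"\b(fsockopen|socket_create|socket_connect|socket_write|socket_read|stream_socket_client)\s*\(", re.I), 2),
    ("header_control", re.compile(r"\bheader\s*\(\s*['\"]X-", re.I), 1),
]

def score_php(source: str) -> dict:
    """Score one PHP source; each rule contributes weight * min(hits, 3)."""
    hits = {name: len(rx.findall(source)) for name, rx, _ in RULES}
    score = sum(w * min(hits[name], 3) for name, _, w in RULES)
    # eval() of request data in the same file is the classic one-liner shell.
    if hits["eval_or_assert"] and hits["request_input"]:
        score += 3
    return {"score": score, "hits": {k: v for k, v in hits.items() if v}}

def is_suspicious(source: str, threshold: int = 6) -> bool:
    return score_php(source)["score"] >= threshold

# Constructed samples: a normal login handler, a one-line shell, a tunnel-shaped script.
SAMPLES = {
    "login.php": """<?php
session_start();
$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';
if ($user !== '' && password_verify($pass, lookup_hash($user))) {
    $_SESSION['user'] = $user;
    header('Location: /home.php');
}
""",
    "shell.php": """<?php @eval(base64_decode(str_rot13($_COOKIE['c']))); ?>""",
    "tunnel.php": """<?php
$cmd = $_SERVER['HTTP_X_CMD'];
if ($cmd === 'CONNECT') {
    $sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    socket_connect($sock, $_SERVER['HTTP_X_TARGET'], (int)$_SERVER['HTTP_X_PORT']);
    header('X-STATUS: OK');
} elseif ($cmd === 'FORWARD') {
    socket_write($sock, file_get_contents('php://input'));
}
""",
}

def flag_samples(samples: dict = SAMPLES) -> list:
    """Names of samples that cross the threshold, sorted for stable output."""
    return sorted(name for name, src in samples.items() if is_suspicious(src))

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, score_php(src))
    print("flagged:", flag_samples())
```

Point the same functions at every .php file under a web root and review the top scores by hand; the scoring deliberately saturates each rule at three hits so a long legitimate file full of $_POST reads cannot outscore a two-line shell.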

In addition to Linux-targeted tools, Windows systems have been compromised using QUEUESEED and GOSSIPFLOW malware, the latter functioning as a SOCKS5 proxy to establish secure tunnels. The presence of such malware on computers, especially those linked to water supply facilities, highlights the destructive intentions of these attacks.
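Because a SOCKS5 proxy carries any protocol, port-based rules will not catch a tunnel like the one the article attributes to GOSSIPFLOW; what does not change is the negotiation itself (RFC 1928): a client greeting of 05 NMETHODS METHODS, then a request of 05 CMD 00 ATYP ADDR PORT. The parser below, an added example for this article and not CERT-UA or vendor code, reads the client side of reconstructed flows and reports SOCKS5 negotiation coming from processes that have no business speaking it. The flow records and the process allowlist are constructed assumptions; the process name of the flagged flow is a placeholder, not an indicator.

```python
"""Spotting SOCKS5 negotiation in reconstructed TCP flows (RFC 1928 framing).

Added example for this article, not CERT-UA or vendor code. FLOWS and
ALLOWED_SOCKS_CLIENTS are constructed assumptions for the demo.
"""
import ipaddress
from typing import Optional

SOCKS_VERSION = 0x05
CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
AUTH = {0x00: "none", 0x02: "user/pass"}

def parse_socks5_client(data: bytes) -> Optional[dict]:
    """Parse the client-sent bytes of one flow: the greeting, optionally followed by
    the request (flow reassembly concatenates them). None if not a SOCKS5 greeting."""
    if len(data) < 3 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    methods = [AUTH.get(m, f"0x{m:02x}") for m in data[2:2 + nmethods]]
    out = {"methods": methods, "request": None}
    req = data[2 + nmethods:]
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        return out  # greeting only, no request captured
    cmd, atyp = req[1], req[3]
    if atyp == 0x01 and len(req) >= 10:          # IPv4
        host, port_off = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == 0x03 and len(req) >= 5 and len(req) >= 7 + req[4]:   # domain name
        n = req[4]
        host, port_off = req[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 0x04 and len(req) >= 22:        # IPv6
        host, port_off = ipaddress.IPv6Address(req[4:20]).compressed, 20
    else:
        return out  # truncated or malformed request; keep the greeting finding
    port = int.from_bytes(req[port_off:port_off + 2], "big")
    out["request"] = {"cmd": CMDS.get(cmd, f"0x{cmd:02x}"), "host": host, "port": port}
    return out

# Constructed flows: (process, destination port, first client bytes).
FLOWS = [
    {"proc": "firefox", "dport": 1080,
     "client_bytes": b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com"
                     + (443).to_bytes(2, "big")},
    {"proc": "/var/tmp/svc-demo", "dport": 443,   # placeholder name, not an indicator
     "client_bytes": b"\x05\x02\x00\x02" + b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5])
                     + (445).to_bytes(2, "big")},
    {"proc": "curl", "dport": 443, "client_bytes": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
    {"proc": "sshd", "dport": 22, "client_bytes": b"SSH-2.0-OpenSSH_9.6\r\n"},
]
ALLOWED_SOCKS_CLIENTS = {"firefox", "ssh"}  # assumption: tune per host

def findings(flows=FLOWS, allowed=ALLOWED_SOCKS_CLIENTS) -> list:
    """SOCKS5 negotiations from processes outside the allowlist, with the requested target."""
    out = []
    for f in flows:
        parsed = parse_socks5_client(f["client_bytes"])
        if parsed is None or f["proc"] in allowed:
            continue
        req = parsed["request"]
        out.append({"proc": f["proc"], "dport": f["dport"], "methods": parsed["methods"],
                    "cmd": req["cmd"] if req else None,
                    "target": f"{req['host']}:{req['port']}" if req else None})
    return out

if __name__ == "__main__":
    for hit in findings():
        print(hit)
```

The second flow is the interesting one: a SOCKS5 CONNECT toward an internal host on port 445, riding on destination port 443 so that it blends in with HTTPS; a SOCKS5 greeting is never a valid start of a TLS or SSH session, so the parser's verdict does not depend on the port at all.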

Other tools employed by Sandworm include CHISEL, LIBPROCESSHIDER, JUICYPOTATONG, and ROTTENPOTATONG, which are part of a broader strategy to perpetrate targeted attacks. Such tools are designed to evade detection, hide processes, and gain administrative privileges.
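Of the tools named above, LIBPROCESSHIDER is the simplest to hunt for on a Linux host. The article only says it hides processes; what it does not say, but which is known from the open-source project of that name, is that it is an LD_PRELOAD library, loaded through /etc/ld.so.preload, that hooks readdir() so that the /proc entries of a chosen process disappear from ps and ls. That gives two independent checks: any preload library at all is abnormal on a typical server, and a process hidden from readdir() still answers to stat("/proc/<pid>"), so probing every PID up to pid_max and diffing against the directory listing exposes it. The script below is an added example for this article (not CERT-UA code, not the project's own); the sample listing, the PID set and the preload entries are constructed.

```python
"""Hunting for LD_PRELOAD-based process hiding on Linux.

Added example for this article, not CERT-UA code. The readdir()-hooking
behaviour is that of the open-source libprocesshider project, not a claim
the article makes. Sample inputs are constructed.
"""
import os
from typing import Callable, Dict, Iterable, List

def preload_findings(ld_so_preload: str, environs: Dict[int, Dict[str, str]]) -> List[str]:
    """Report every library loaded via /etc/ld.so.preload or a process's LD_PRELOAD."""
    out = []
    for line in ld_so_preload.splitlines():
        lib = line.split("#", 1)[0].strip()
        if lib:
            out.append(f"/etc/ld.so.preload loads {lib}")
    for pid, env in environs.items():
        if env.get("LD_PRELOAD"):
            out.append(f"pid {pid} runs with LD_PRELOAD={env['LD_PRELOAD']}")
    return out

def hidden_pids(listed: Iterable[int], pid_max: int, exists: Callable[[int], bool]) -> List[int]:
    """PIDs that answer a direct probe but are missing from the readdir()-based listing.
    `exists` is injected so the logic can be tested offline; live_scan() wires it to os.stat."""
    seen = set(listed)
    return [pid for pid in range(1, pid_max + 1) if pid not in seen and exists(pid)]

def live_scan() -> dict:
    """Run both checks on the local host (Linux only). If a preload library is hooking
    readdir() in this very process, os.listdir('/proc') returns the hidden view, which
    is exactly what the stat()-based probe is diffed against."""
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    except OSError:
        preload = ""
    listed = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    environs: Dict[int, Dict[str, str]] = {}
    for pid in listed:
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                raw = fh.read().decode(errors="replace")
        except OSError:
            continue
        env = dict(kv.split("=", 1) for kv in raw.split("\0") if "=" in kv)
        if "LD_PRELOAD" in env:
            environs[pid] = env
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())

    def exists(pid: int) -> bool:
        try:
            os.stat(f"/proc/{pid}")
            return True
        except OSError:
            return False

    return {"preload": preload_findings(preload, environs),
            "hidden": hidden_pids(listed, pid_max, exists)}

# Constructed sample: the listing omits pid 1337 although the kernel still has it.
SAMPLE_LISTED = [1, 2, 500, 501, 777]
SAMPLE_REAL_PIDS = {1, 2, 500, 501, 777, 1337}
SAMPLE_PRELOAD = "/usr/local/lib/libdemo-hide.so   # constructed entry\n"
SAMPLE_ENVIRONS = {4242: {"LD_PRELOAD": "/tmp/demo.so", "PATH": "/usr/bin"}}

def demo() -> dict:
    """Run both checks on the constructed sample instead of the live host."""
    return {"preload": preload_findings(SAMPLE_PRELOAD, SAMPLE_ENVIRONS),
            "hidden": hidden_pids(SAMPLE_LISTED, 2000, lambda pid: pid in SAMPLE_REAL_PIDS)}

if __name__ == "__main__":
    print(demo())
```

The stat() probe only works because a readdir() hook leaves other /proc syscalls alone; a more thorough rootkit that also hooks stat() or lives in the kernel needs an out-of-band view (a disk image or a kernel-level tool), which is the caveat to keep in mind when this scan comes back clean.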

Sandworm’s assault on Ukraine is a stark reminder that state-sponsored hackers are constantly refining their tactics. Critical infrastructure is now firmly in their crosshairs, making robust cyber defenses a matter of national security.