Since May, the Russian group SandWorm breached 11+ Ukrainian telecoms.

The ongoing conflict between Russia and Ukraine extends beyond conventional weaponry, encompassing cyber threats, and attacks on Ukrainian telecoms as well.

In a discovery; over eleven Ukrainian telecommunication services have been compromised between May and September 2023 by threat actors. The information, which was tracked by the Government Emergency Response Team of Ukraine (CERT-UA), together with one measure, indicates that an organized group of black hats, tracked by the UAC-0165 identifier, gained unauthorized access to at least 11 telecommunication services in Ukraine, resulting in a mirage of incidents, including the disruption of services.


                                     Russian attackers utilizing sandworm on Ukrainian teleco’s networks. Image-source: BleepingComputer


Further investigation, resulted into findings of how the attack was conducted on the Ukrainian telecoms, indicating the tactics, techniques, and procedures in which the threat actors utilized in implementing the cyber-attack at a list of related enterprises.



The threat actors initiated the sandworm attack with active reconnaissance, scanning the provider’s subnets (standalone system) using a standard set of network ports via the Masscan tool. Its major purpose, is to look for unprotected services (e.g. RDP, SSH)that is listening in an open port, and then leverage it in circumventing the service.


                                                                                Sample of the Masscan configuration file. Image-source: CERT-UA


In addition to hacking tools, the threat actors refrain from restricting themselves and make use of publicly available information and services, like web applications, to acquire billing details, personal user office information, hosting servers (including websites), and more.

                                   Sample of script to run Masscan with a list of network service ports. Image-source: CERT-UA


Once these information’s are obtained, the threat actor, proceeds to exploit it further with advanced tools such as ffuf, dirbuster, gowitness, and nmap.

Researchers at Cert-UA noted that:

“The exploration and operation activity is carried out from pre-compromised servers located, in particular, in the Ukranian segment of the internet network. Proxy servers are used to route traffic through such nodes this, socks5, and others”


  • A common tactic in hosting servers:

threat actors install a PAM module called POEMGATE (Privilege Access Management) to authenticate passwords and save the credentials as files in XOR-encoded forms. This acts as a pre-set backdoor, providing threat actors with ongoing recent authenticated data from administrators, which they use to breach other servers and network infrastructure.


Sample of the decompiled POEMGATE code written in C/C++ language. Image-source: CERT-UA
  • The next phase:

The threat actors replaces “/bin/false”, “/bin/nologin” with “bash”, in other to bypass restricted settings.


  • The use of WHITECAT UTILITY:

Threat actor then eliminates the sign of unauthorized access, by starting the WHITECAT utility.


  • Installing POSEIDON:

A version of the POSEIDON program (“/lib/x86_64-linux-gnu/”) can be installed on the server that comprises of a list of EOM (End-Of-Message) control tools. The tool POSEIDON in other to have some persistence, replaces the legitimate binary file “/usr/sbin/cron”


Sample of the modified cron code (written in C/C++) which executes “RunMain” to run POSEIDON. Image-source: CERT-UA


  • Weevely backdoor:

By Utilizing the method above, and resulting into a successful compromise, a Weevely backdoor is downloaded into the web server. The server if then found within range of the ISP (Internet Service Provider), and consist of an internal interface, is then used to launch an attack on the DMZ/local network.


  • unauthorized access:

The threat actor gains unauthorized access, by using specialized programs such as VPN accounts, which has no multi-factor authentication as a result of disposable code from the application. A tell sign that the VPN has been compromised involves the connecting to TOR IP addresses, and VPN services located as Ukrainian’s.


  • penetrating the ICS:

A successful penetration of the ICS (Industrial Control Systems), indicates the threat actor prioritize finding jump hosts, computer system administrators for lateral movement within the network, and alter access control lists of the network equipment.


  • Sensitive Information Exfiltrated:

The Attacker is now able to exfiltrate documents, drawings, contracts, and other sensitive information. In ensuring the effect of the compromise, and gaining public attention, the threat actor ascends its damage by stealing passwords of official accounts such as Telegram, Facebook, as well as SMS tokens. It’s recommended to implement multi-factor authentication on these accounts.


  • Infrastructures are Disabled:

The threat actor at the final stage of the attack disables Infrastructures comprising of active network, servers, and storage systems. This was possible due to weak passwords and unrestricted acess to the control interfaces of the equipment. Also the lack of backup configuration settings defeats the ability to recover from these attacks.


The Analysis, outlines the Threat actors TTP (Tactics, Techniques, and Procedures) employed when aiming at hosting services. Also, the Computer Emergency Response Team of Ukraine (CERT-UA), has released an article titled “How to be responsible and maintain a cyberfront.“, also a list of file Hashes, and Network IP addresses that are tell signs of compromise (IOC’s: ‘Indicator Of Compromises’) were outlined on their official website.




Put your comments below in the comment section on your thoughts about this.

Find this article and information helpful? Show some love and support  “Click-Here”
5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments