Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities

The Ukrainian Computer Emergency Response Team (CERT-UA) disclosed that in March it uncovered a malicious plan of the Sandworm group aimed at disrupting the sustainable functioning of information and communication systems (ICS) of about twenty enterprises in the field of energy, water, and heat supply (OKI) in ten regions of Ukraine. The alert also reports instances of compromise in supply chains, potentially linked to unauthorized access through software-defined radios or to routine technical access granted to supplier employees. The attacks are seen as attempts to enhance the impact of missile strikes on infrastructure facilities in Ukraine.

The Sandworm notice follows a UA-CERT article about Sandworm and the latest assumption that the cyberattacks are being used in an attempt to disrupt critical infrastructure while missile strikes on infrastructure facilities in Ukraine enhance the destructive effect.

Furthermore, CERT-UA specialists verified instances of compromise in at least three ‘supply chains.’ These incidents were linked to unauthorized access, potentially stemming from the installation of software-defined radios (SDRs) with embedded vulnerabilities or the routine technical access granted to supplier employees for ICS maintenance and support.

CERT-UA assumes that unauthorized access to the ICS of a significant number of heat, water, and energy supply facilities was meant to be used to enhance the effect of missile strikes on infrastructure facilities in Ukraine in the spring of 2024.

Last week, Mandiant released a comprehensive report revealing APT44, also known as Sandworm, Russia’s notorious cyber sabotage unit. APT44 focuses on government, defense, transportation, energy, media, and civil society entities in Russia’s neighboring regions. Recent targets of the group have often included government agencies and critical infrastructure and key resources (CIKR) operators in Poland, Kazakhstan, and Russia.

The agency identified that between 07.03.2024 and 15.03.2024, CERT-UA specialists took measures to inform all identified enterprises and to investigate and counter the cyber threats in the relevant ICS. In the course of this work, the circumstances of the initial compromise were established, malware was seized and analyzed, a chronology of incident events was built, assistance was provided in configuring server and active network equipment, and protection technology was installed (at some enterprises, LOADGRIP/BIASBOAT had already been created in 2023).

It should be emphasized that the attackers used QUEUESEED and GOSSIPFLOW malware on Windows computers, which have been monitored since 2022 in the context of destructive cyberattacks by the UAC-0133 group on water supply facilities, in particular, using SDELETE. Thus, with a high level of confidence, UAC-0133 is a subcluster of UAC-0002 (Sandworm/APT44).

In addition to the QUEUESEED backdoor (also known as KNUCKLETOUCH, ICYWELL, wrongsens, kapeka), known since 2022, a new attacker toolkit was detected, namely the malware LOADGRIP and BIASBOAT (a Linux variant of QUEUESEED). These were installed on Linux computers that automate process control (APCS) using specialized software of domestic production.

The CERT-UA also detailed that BIASBOAT was presented in the form of a file encrypted for a specific server, for which the attackers used the pre-obtained value ‘machine-id.’

Among the factors CERT-UA found to have facilitated the cyberattacks was inadequate segmentation (lack of isolation) of servers with software-defined radios (SDRs) from suppliers integrated into the process control system, both from the internet and from the ICS of the organizations they serve. CERT-UA also highlighted suppliers’ lax approach to software security: superficial source code analysis revealed basic vulnerabilities enabling remote code execution (RCE).

QUEUESEED is a malicious program crafted using the C++ programming language. It gathers fundamental details about the computer, such as the operating system, language, and user name. The program then carries out commands issued by the control server and transmits the outcomes. Its capabilities include reading/writing files, executing commands either independently or through %COMSPEC% /c, updating configurations, and self-deletion. The program utilizes HTTPS for communication with the management server.

“The data is transmitted in JSON format and encrypted using RSA+AES. The backdoor configuration file, which in particular contains the URL of the management server, is encrypted using AES (the key is statically set in the program),” the agency identified. “A queue of raw incoming commands/results is implemented — stored in the Windows registry in AES-encrypted form (the value %MACHINEGUID is used as the key). The persistence of the backdoor is ensured by a dropper that creates a corresponding scheduled task or entry in the “Run” branch of the Windows registry.”

CERT-UA detailed that BIASBOAT, a malicious program (ELF) developed in the C programming language, is a Linux variant of QUEUESEED. It is started on the computer by means of the LOADGRIP injector, itself a malicious program developed in C. The payload is usually presented in encrypted form (AES128-CBC), and the key for its decryption is derived from constants statically specified in the code and the computer’s “machine-id” value.
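The practical consequence for responders of the host-bound encryption described for BIASBOAT/LOADGRIP (keyed on machine-id) and for QUEUESEED’s registry queue (keyed on MachineGuid) is that a captured blob only decrypts with the identifier of the machine it was taken from, so that value must be collected alongside the sample. The following Go code is an added illustration, not CERT-UA’s or the article’s code; the key derivation in deriveKey, the static constant and the host identifiers are hypothetical placeholders, since the real derivation is not disclosed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Hypothetical stand-in for the undisclosed derivation CERT-UA describes (static
// constants in the binary combined with the host's machine-id or MachineGuid).
func deriveKey(constant, hostID string) []byte {
	sum := sha256.Sum256([]byte(constant + "|" + hostID))
	return sum[:16] // AES-128 key
}
// Builds a host-bound blob (IV || AES-128-CBC ciphertext, PKCS#7 padded); used
// here only to construct sample data for the triage function below.
func encryptHostBound(plain []byte, constant, hostID string, iv []byte) []byte {
	block, _ := aes.NewCipher(deriveKey(constant, hostID))
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...)
}
// Analyst-side check: decrypt with a candidate host identifier and accept the result
// only if the padding is intact and the plaintext is JSON (the queue data format).
func DecryptHostBound(blob []byte, constant, hostID string) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block aligned")
	}
	block, _ := aes.NewCipher(deriveKey(constant, hostID)) // 16-byte key: cannot fail
	plain := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(plain, blob[aes.BlockSize:])
	n := int(plain[len(plain)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong host identifier")
	}
	if plain = plain[:len(plain)-n]; !json.Valid(plain) {
		return nil, errors.New("not JSON: wrong host identifier")
	}
	return plain, nil
}
// Constructed sample: a queue entry encrypted for the affected host (placeholder values).
const sampleConstant = "HYPOTHETICAL-STATIC-CONSTANT"
const affectedHostID = "3f1c2b9e4d8a4c1e9b6f0a2d7e5c8b11" // constructed machine-id
var sampleBlob = encryptHostBound([]byte(`{"type":"result","id":1}`), sampleConstant, affectedHostID, bytes.Repeat([]byte{0x42}, aes.BlockSize))
```

Trying sampleBlob with any identifier other than affectedHostID fails the padding or JSON check, which is exactly the situation an analyst faces when the host identifier was not collected.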

GOSSIPFLOW is a malicious program developed in the Go programming language. It provides tunneling (using the Yamux multiplexer library) and functions as a SOCKS5 proxy.

Beyond the malware described above, the group used various other tools, including CHISEL, LIBPROCESSHIDER, JUICYPOTATONG, and ROTTENPOTATONG.

Providing further detail on the cyber threat, Simone Kraus wrote in a Medium post for Detect FYI that the malware, “which we are calling ‘Kapeka,’ is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate.” 

She added that the malware’s victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity.

“Less than 24 hours later, the Ukrainian CERT published its latest alert about an attempt to disrupt critical infrastructure,” according to Kraus. “Here again the attacker is APT44 and this time it is the backdoor QUEUESEED, which is identical to KAPEKA used in June 2022 in Ukraine (same hash, almost same behavior). Therefore, I decided to translate the current UA-CERT article and enrich it with technical information.”

Kraus pointed out that Mandiant describes six phases of APT44 disruptive operations during the 2022 war in Ukraine, and that a seventh phase could potentially be this non-kinetic attempt to disrupt again with the same backdoors, such as KAPEKA from June 2022, which was used with SDELETE. “Exactly the same hash is now in this article for UAC-0133, the QUEUESEED backdoor, with the same technical behavior including the SDELETE,” she added.

“The hash I’ve analyzed for KAPEKA is taken from research by WithSecure, where they link the backdoor to Sandworm and which was published 3 days ago,” Kraus added. “In this research you find a great overview of how the malware works, with a deep-dive reverse engineering analysis. I highly recommend reading the report, and the same for Mandiant’s analysis of APT44.”

In April 2022, ESET researchers collaborated with CERT-UA to respond to a cyber incident affecting an energy provider in Ukraine. The Sandworm attackers are said to have attempted to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine. The attack used industrial control system (ICS)-capable malware and regular disk wipers for Windows, Linux, and Solaris operating systems.
