Recorded Future details Russia APT group UAC-0113 emulating telecommunication providers across Ukraine

Recorded Future released a Monday report that profiles the unique infrastructure used by the threat hacker group UAC-0113, which is linked with moderate confidence by the Computer Emergency Response Team of Ukraine (CERT-UA) to the Russian advanced persistent threat (APT) group Sandworm. The report focuses on the trends observed by Insikt Group while monitoring UAC-0113 infrastructure, including the recurring use of dynamic DNS domains masquerading as telecommunication providers operating in Ukraine, which shows the group’s efforts to target entities in Ukraine remain ongoing.

According to a blog post, from August 2022 Recorded Future observed a steady rise in command and control (C2) infrastructure used by the threat group tracked by CERT-UA as UAC-0113. The activity was identified through large-scale automated network traffic analytics combined with analysis derived from open-source reporting. The post adds that domain masquerades can enable spearphishing campaigns or redirects that pose a threat to victim networks.

“Using a combination of proactive adversary infrastructure detections and domain analysis techniques, Insikt Group determined that UAC-0113’s use of this newly discovered infrastructure overlaps with other infrastructure tactics, techniques, and procedures (TTPs) previously attributed to the group by CERT-UA,” the post said. “The information and TTPs provided in this report enable defenders to better search for and protect against activity by UAC-0113,” it added.

Insikt Group used intelligence provided by CERT-UA to discover further infrastructure linked to UAC-0113, the post said. The information uncovered suggests that it is highly likely that this threat group is continuing to masquerade as telecommunication providers operating within Ukraine. Furthermore, while monitoring the infrastructure, Insikt Group observed a malicious ISO file embedded in the HTML code, suggesting that domains and related IP addresses have likely already been, or are soon to become, operationalized, it added.

Sandworm is a Russian APT group affiliated with the Main Intelligence Directorate/Main Directorate (GRU/GU) of the General Staff of the Armed Forces of the Russian Federation. The Recorded Future report will be of most interest to network defenders and to individuals engaged in strategic and operational intelligence on the activities of the Russian government in cyberspace.

The Recorded Future post said that identified staging infrastructure continues the trend of masquerading as telecommunication providers operating within Ukraine and delivers malicious payloads via an HTML smuggling technique that deploys Colibri Loader and Warzone RAT malware.

“Though the intent of the observed decoy document found in connection with this activity is not fully known, it’s likely to be deployed against Ukraine-based targets in support of military action in the region similar to previous UAC-0113 lures,” the post said. “A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113’s broadening but continuing use of publicly available commodity malware,” it added.

In June, a report by CERT-UA detailed the use of the DarkCrystal remote access trojan (RAT) by UAC-0113, a group CERT-UA has indicated as being linked to Sandworm, a Russian GRU/GU-related threat group. The CERT-UA report indicated that UAC-0113 was employing a malicious lure document that deployed DarkCrystal RAT. “This activity likely targeted entities in Ukraine, specifically individuals or entities seeking information about Ukrainian military service personnel in relation to matters of legal assistance,” it added. 

Although the ‘lure document’ theme was focused on military personnel legal matters, CERT-UA noted that the attack was also likely targeted at telecommunications providers of Ukraine, the post added.

DarkCrystal RAT is a commodity malware dating back to at least 2018. Since its initial discovery, reporting indicates that it has been offered for sale in underground forums, likely making it a tool of interest to various groups, including those entities seeking an ‘infostealer’ that can hinder attribution efforts by government or security professionals. Additionally, an analysis of infrastructure linked to UAC-0113 uncovered a newly identified malicious ISO file as part of an HTML smuggling technique. 

“The ISO file contained a lure document, written in Ukrainian, that masquerades as a request for discounts on fuel for citizens of the Oleksandrivka Raion (district), an area in Donetsk,” Recorded Future said. Additionally, the ISO file delivers an executable that deploys both Colibri Loader and Warzone RAT to the target machine.

The Recorded Future report said that a domain noted in CERT-UA’s June report on UAC-0113, datagroup[dot]ddns[dot]net, was likely masquerading as the Ukrainian telecommunications company Datagroup. “This domain resolved to the IP address 31[dot]7[dot]58[dot]82, which also hosted a further domain, kyiv-star[dot]ddns[dot]net, likely masquerading as the Ukrainian telecommunications company Kyivstar. Analysis of these domains and their related shared IP address revealed a ZeroSSL TLS certificate hosted on port 443 with the Subject Common Name datagroup[dot]ddns[dot]net. No certificate for kyiv-star[dot]ddns[dot]net was found,” it added.

“Insikt Group identified further domains likely linked to UAC-0113, ett[dot]ddns[dot]net, hosted between July 7 and 15, 2022, on IP address 103[dot]150[dot]187[dot]121,” the report said. “The domain ett[dot]ddns[dot]net is likely a spoof of the legitimate domain for EuroTransTelecom LLC, ett[dot]ua, a Ukrainian telecommunications operator. This new infrastructure has several overlaps with the infrastructure noted in the CERT-UA reports, such as the use of the Dynamic DNS provider NO-IP with a domain masquerading as a telecommunications provider operating in Ukraine, the use of a TLS certificate from a free TLS certificate provider, and a server banner that shares similarities with the banner seen on IP address 31[dot]7[dot]58[dot]82,” it added. 

The report also said that on Aug. 1, 2022, SecurityTrails identified further updates to the IP address 103[dot]150[dot]187[dot]121, listing a new TLS certificate for the domain ett[dot]hopto[dot]org. “This TLS certificate is also provided by ZeroSSL and was created on July 13, 2022. On July 13, 2022, the domain ett[dot]hopto[dot]org resolved to the IP address 217[dot]77[dot]221[dot]199. Further analysis of this IP address also details the resolution of the domain, star-link[dot]ddns[dot]net, on August 15, 2022, again likely spoofing a telecommunications company, Starlink (operated by American manufacturer SpaceX), which is reportedly assisting Ukraine in the conflict with Russia,” it added.
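As an added, defender-side example that is not part of the Recorded Future report or this article: a small Python hunt over constructed DNS query log lines that flags hostnames under the NO-IP dynamic DNS suffixes named above whose leading label resembles one of the telecom brands the report says were impersonated. The log line format, the brand list and the similarity threshold are assumptions for the example.

```python
import re
from difflib import SequenceMatcher

# Dynamic DNS suffixes (NO-IP service) that appear in the report's infrastructure.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "hopto.org")

# Telecom brands the report says UAC-0113 domains masqueraded as (assumed list).
TELECOM_BRANDS = ("datagroup", "kyivstar", "ett", "starlink")

# Constructed sample DNS query log: "<timestamp> <client> <qname>" per line.
# The dynamic DNS hostnames are those named in the report; the rest are benign filler.
SAMPLE_DNS_LOG = """\
2022-08-15T09:12:01Z 10.0.0.14 kyiv-star.ddns.net
2022-08-15T09:12:07Z 10.0.0.22 www.example.com
2022-08-15T09:13:44Z 10.0.0.14 datagroup.ddns.net
2022-08-15T09:14:10Z 10.0.0.31 ett.hopto.org
2022-08-15T09:15:52Z 10.0.0.31 star-link.ddns.net
2022-08-15T09:16:03Z 10.0.0.40 myhomecam.ddns.net
2022-08-15T09:16:30Z 10.0.0.40 kyivstar.ua
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalize_label(label: str) -> str:
    """Lower-case a hostname label and drop hyphens, underscores and digits,
    so that spellings such as kyiv-star and star-link compare as kyivstar/starlink."""
    return re.sub(r"[-_\d]", "", label.lower())


def matched_brand(qname: str, threshold: float = 0.85):
    """Return the impersonated brand when qname is a dynamic DNS hostname whose
    leading label equals or closely resembles a telecom brand; otherwise None."""
    qname = qname.lower().rstrip(".")
    suffix = next((s for s in DYNAMIC_DNS_SUFFIXES if qname.endswith("." + s)), None)
    if suffix is None:
        return None  # only the dynamic DNS pattern from the report is in scope
    label = normalize_label(qname[: -len(suffix) - 1].split(".")[-1])
    for brand in TELECOM_BRANDS:
        # Exact match after normalization, or a near match to catch typosquats.
        if label == brand or SequenceMatcher(None, label, brand).ratio() >= threshold:
            return brand
    return None


def hunt_dns_log(log_text: str):
    """Return a list of (client, qname, brand) for every query matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        _ts, client, qname = m.groups()
        brand = matched_brand(qname)
        if brand:
            hits.append((client, qname, brand))
    return hits
```

A hit is a pivot point for further review (resolved IP, TLS certificate subject, server banner), not a verdict: legitimate personal hosts under the same dynamic DNS suffixes are common.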

Insikt Group continues to track UAC-0113 infrastructure, observing changes in TTPs as its operations diversify across Ukraine, with a significant focus on telecommunication providers. In addition, there has been a notable continuation of the use of publicly available commodity malware, showing UAC-0113 adapting its operations with a willingness to use a variety of tooling.

ESET researchers collaborated with CERT-UA in April to respond to a cyber incident affecting an energy provider in Ukraine. The Sandworm attackers have attempted to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine. The attack used industrial control system (ICS)-capable malware and regular disk wipers for Windows, Linux, and Solaris operating systems.

Cybersecurity vendor Trellix provided details in its latest report on the evolution of Russian cybercrime, threats to critical infrastructure, and email security, besides recent research into vulnerabilities found in building access control systems and risks unique to connected healthcare. It also said that business services have emerged as the top target for ransomware attacks.
