Russia’s Sandworm hacking unit targets Ukrainian telecom providers
The infamous Russian state hacking group known as Sandworm has targeted at least eleven Ukrainian internet and telecom providers since May, according to a recent report from Ukrainian cybersecurity authorities.
The attacks led to service interruptions and potential data breaches, said Ukraine’s computer emergency response team, CERT-UA.
Hackers often target telecom providers in both Russia and Ukraine to disrupt communications and internet access amid the ongoing war. Most reported cyberattacks have not caused major shutdowns and are often resolved within a few hours.
In the recent attacks on Ukrainian telecom providers, carried out between May and September, Sandworm used various malware, including Poemgate and Poseidon, to steal credentials and control infected devices, as well as Whitecat to erase forensic traces.
In addition, the hackers exploited compromised VPN accounts that weren't protected by multi-factor authentication to infiltrate the victims' networks.
The threat actors stole documents, schemes, contracts, and passwords from the targets' official social media accounts in order to make this information public or use it for the promotion of their attacks.
In the final phase of the attack, they disabled active network and server equipment, as well as data storage systems, according to CERT-UA.
Attacks on Ukrainian telecom providers
During the war with Russia, Ukrainian telecom and internet providers faced both physical and digital attacks. In the first year of the war, the Ukrainian telecommunications industry incurred an estimated $2.3 billion in losses, as reported by the World Bank.
Cyberattacks played a small role in the broader destruction of cell towers, fiber cables, and offices of Ukrainian telecom companies.
In March of last year, Ukraine's major mobile and broadband internet provider, Ukrtelecom, suffered a powerful cyberattack that briefly disrupted its services. The company said it partnered with major cybersecurity firms, including Microsoft, Cisco, Palo Alto, Cloudflare, and ISSP, to prevent future intrusions.
During that same month, another Ukrainian telecom company, Triolan, experienced a cyberattack that reset some of its internal systems.
Russian hackers also targeted several small internet providers, such as Znet, Corbina, Uarnet and Kopiyka.
Ukraine's largest mobile carrier, Kyivstar, reported a massive distributed denial-of-service (DDoS) attack that lasted nearly 30 hours. The company has also faced attacks aimed at stealing users' personal data.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.