Sandworm-linked group likely knocked down Ukrainian internet providers
Russian state-backed hackers are likely behind recent attacks on four small Ukrainian internet providers, disrupting their operations for more than a week.
A group known as Solntsepek claimed responsibility for the incidents on its Telegram channel last week. Ukrainian officials told Recorded Future News that evidence implicates the group, which is also believed to be behind the 2023 cyberattack on Ukraine’s largest telecommunication provider, Kyivstar.
A spokesperson for Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) said that the agency is tracking the threat actor behind the attack as UAC-0165 — the indicator used for a subgroup of Sandworm, a hacking operation run by Russia’s military intelligence agency, the GRU.
A spokesperson for Ukraine’s State Security Service (SBU) said that the investigation is still ongoing, but there are many indicators suggesting that Solntsepek was indeed behind the hack.
The targets in last week’s attack included Triacom, Misto TV, Linktelecom and KIM, which, according to hackers, provide internet services to government agencies and parts of the Ukrainian armed forces. Those providers are relatively unknown in Ukraine, making it difficult to verify the hackers' claim.
Slow restoration
The group said on Telegram that during the attack, they disrupted the work of the targeted internet providers and obtained their client databases and internal documentation. None of the affected providers responded to Recorded Future News' request for comment.
Triacom said in a statement on its website that its specialists are working “around the clock to restore the network that has been built over the span of 20 years.” “It is a complex process,” the statement reads. According to the latest information, Triacom managed to restore half of its network.
Another affected provider, KIM, stated on Thursday that it has already restored access to its internet, payment, and streaming services. However, its website is down as of the time of writing.
Kyiv-based Misto-TV said on Tuesday that it’s still working to restore its services. “The consequences of the hacker attack turned out to be more serious than we expected, so the restoration of the company's services may take several more days,” the company added.
The fourth affected provider, Linktelecom, did not make any announcements regarding the attack.
According to data posted by Doug Madory, the director of internet analysis for the U.S. network-monitoring company Kentik, web traffic for the affected companies was disrupted on March 13 and was gradually recovering in the subsequent days.
Links to @IODA_live graphics that capture the outages:https://t.co/nmulEk4ZLChttps://t.co/FvyBaG7PYXhttps://t.co/4trADJQAWAhttps://t.co/mGnQcblra2https://t.co/6X0RO4Unq3 pic.twitter.com/XvKHQ4NA3Q
— Doug Madory (@DougMadory) March 20, 2024
Possible wiper deployment
According to a report published by cybersecurity firm SentinelLabs on Thursday, the attack on the Ukrainian internet providers coincided with the discovery of a new malware variant called AcidRain, which was used by Russia to attack the satellite company Viasat at the beginning of the invasion of Ukraine.
This hack disabled thousands of satellite modems throughout the country and other parts of Europe, leading to the malfunction of thousands of wind turbines in Germany.
The new malware, which the researchers called AcidPour, is likely linked to Russian military intelligence (GRU) hackers.
AcidPour is a Linux wiper that has expanded its capabilities beyond AcidRain, allowing it to inflict more damage on affected devices, according to the report.
One of the most interesting aspects of AcidPour is its coding style, reminiscent of the CaddyWiper malware, which was used against Ukrainian targets, SentinelLabs said. AcidPour is written in the programming language C and is self-contained; for example, it doesn't rely on precompiled pieces of code.
The transition from AcidRain to AcidPour underscores the hackers’ improved technical capabilities and “the strategic intent to inflict significant operational impact,” according to researchers.
SentinelLabs said that earlier this week Ukraine’s computer emergency response team, CERT-UA, confirmed its findings and attributed the activity to UAC-0165. This group commonly targets Ukrainian critical infrastructure, including telecommunications, energy, and government services.
In October, CERT-UA released a report stating that UAC-0165 is responsible for the disruptive attacks on at least 11 Ukrainian internet providers. During these campaigns, the hackers used malware samples tracked as Poemgate, Whitecat, and Poseidon.
SentinelLabs said that it cannot finally confirm that the threat actor AcidPour was responsible for attacking the four mentioned ISPs, but the duration of the disruption suggests a more complex attack than a simple DDoS or nuisance disruption. Ukraine’s security services declined to provide more details on the attack.
We are seeing reports this past week of disruption to Ukrainians ISPs. The involvement of AcidPour is unconfirmed but could fit the bill. 'Hacktivist' group taking credit for whatever that's worth ¯\_(ツ)_/¯https://t.co/8xlYbOuUbu
— J. A. Guerrero-Saade (@juanandres_gs) March 20, 2024
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.