Russia’s Sandworm hacking unit targets Ukrainian telecom providers


The infamous Russian state hacking group known as Sandworm has targeted at least eleven Ukrainian internet and telecom providers since May, according to a recent report from Ukrainian cybersecurity authorities.

The attacks led to service interruptions and potential data breaches, said Ukraine’s computer emergency response team, CERT-UA.

Hackers often target telecom providers in both Russia and Ukraine to disrupt communications and internet access amid the ongoing war. Most reported cyberattacks have not caused major shutdowns, and are often resolved within a few hours.

In the recent attacks on Ukrainian telecom providers, carried out between May and September, Sandworm used various malware, including Poemgate and Poseidon to steal credentials and control infected devices, as well as Whitecat to erase forensic traces.

In addition, the hackers exploited compromised VPN accounts that weren’t protected by multi-factor authentication to infiltrate the victims’ networks.

The threat actors stole documents, schemes, contracts, and passwords from the targets’ official social media accounts, either to publish the information or to use it to publicize their attacks.

In the final phase of the attack, they disabled active network and server equipment, as well as data storage systems, according to CERT-UA.

Attacks on Ukrainian telecom providers

During the war with Russia, Ukrainian telecom and internet providers faced both physical and digital attacks. In the first year of the war, the Ukrainian telecommunications industry incurred an estimated $2.3 billion in losses, as reported by the World Bank.

Cyberattacks played a small role in the broader destruction of cell towers, fiber cables, and offices of Ukrainian telecom companies.

In March of last year, Ukraine’s major mobile and broadband internet provider, Ukrtelecom, suffered a powerful cyberattack that briefly disrupted its services. The company said it partnered with major cybersecurity firms, including Microsoft, Cisco, Palo Alto, Cloudflare, and ISSP, to prevent future intrusions.

During that same month, another Ukrainian telecom company, Triolan, experienced a cyberattack that reset some of its internal systems.

Russian hackers also targeted several small internet providers, such as Znet, Corbina, Uarnet and Kopiyka.

Ukraine’s largest mobile carrier, Kyivstar, reported a massive distributed denial-of-service (DDoS) attack that lasted nearly 30 hours. The company has also faced attacks aimed at stealing users’ personal data.


Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

