Russia’s APT44 launched a major assault on Ukrainian critical infrastructure in March, targeting 20 sites in a bid to amplify the impact of missile strikes on the war-torn country, according to Ukraine’s CERT.
The blitz impacted energy, heating and water facilities in 10 regions of the country, said CERT-UA in a report. It claimed at least three supply chains were breached in a bid to either deliver compromised software updates or use third-party credentials to access targeted networks.
Two new backdoors, “Biasboat” and “Loadgrip,” were discovered as part of CERT-UA’s investigation. These are Linux versions of a previously known backdoor dubbed “Queueseed.”
The use of Queueseed and another piece of malware, Gossipflow, enabled CERT-UA to attribute the attack to APT44 (aka Sandworm), which has been a prolific Russian actor in the conflict to date – launching both cyber-espionage and destructive attacks. It was recently assigned an APT moniker by Mandiant.
Gossipflow can be used to exfiltrate data and deliver secure command-and-control communications.
Read more on APT44: Ukraine Blames Russian Sandworm Hackers for Kyivstar Attack
“In the period from 07.03.2024 to 15.03.2024, CERT-UA specialists took measures to inform all identified enterprises and investigate and counter cyber threats in the relevant ICS, as part of which the circumstances of the primary compromise were established, malicious software was removed and analyzed, a chronology of the incident events was constructed, assistance was provided in the configuration of server and active network equipment, and security technology was installed,” the report continued.
However, the CERT’s ability to mitigate the impact of the attacks was limited by poor cyber-defensive practices on the part of the organizations targeted. Specifically, it complained of a lack of adequate network segmentation and supplier negligence which enabled APT44 to exploit remote code execution (RCE) vulnerabilities in third-party software.