Security News > 2022 > September > Russian Sandworm hackers pose as Ukrainian telcos to drop malware

Russian Sandworm hackers pose as Ukrainian telcos to drop malware
2022-09-19 18:50

The Russian state-sponsored hacking group known as Sandworm has been observed masquerading as telecommunication providers to target Ukrainian entities with malware.

Sandworm is a state-backed threat actor attributed by the US government as part of the Russian GRU foreign military intelligence service.

Starting from August 2022, researchers at Recorded Future have observed a rise in Sandworm command and control infrastructure that uses dynamic DNS domains masquerading as Ukrainian telecommunication service providers.

Recent campaigns aim to deploy commodity malware like Colibri Loader and the Warzone RAT onto critical Ukrainian systems.

Another spoofed Ukrainian telecommunication services provider is Kyivstar, for which Sandworm uses the facades "Kyiv-star[.]ddns[.]net" and "Kievstar[.]online."

Possibly, the Russian hackers want to make tracking and attribution harder for security analysts by using widely available malware and hoping that their tracks are "Lost in the noise."


News URL

https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-pose-as-ukrainian-telcos-to-drop-malware/