Security News > 2022 > September > Russian Sandworm hackers pose as Ukrainian telcos to drop malware
The Russian state-sponsored hacking group known as Sandworm has been observed masquerading as telecommunication providers to target Ukrainian entities with malware.
Sandworm is a state-backed threat actor attributed by the US government as part of the Russian GRU foreign military intelligence service.
Starting from August 2022, researchers at Recorded Future have observed a rise in Sandworm command and control infrastructure that uses dynamic DNS domains masquerading as Ukrainian telecommunication service providers.
Recent campaigns aim to deploy commodity malware like Colibri Loader and the Warzone RAT onto critical Ukrainian systems.
Another spoofed Ukrainian telecommunication services provider is Kyivstar, for which Sandworm uses the facades "Kyiv-star[.]ddns[.]net" and "Kievstar[.]online."
Possibly, the Russian hackers want to make tracking and attribution harder for security analysts by using widely available malware and hoping that their tracks are "Lost in the noise."
News URL
Related news
- Russian ISP confirms Ukrainian hackers "destroyed" its network (source)
- Russian Turla hackers hit Starlink-connected devices in Ukraine (source)
- Russian cyber spies hide behind other hackers to target Ukraine (source)
- Ukrainian Minors Recruited for Cyber Ops and Reconnaissance in Russian Airstrikes (source)
- Hackers Exploit Webview2 to Deploy CoinLurker Malware and Evade Security Detection (source)
- Russian hackers use RDP proxies to steal data in MiTM attacks (source)
- Ukrainian hacker gets prison for infostealer operations (source)
- North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign (source)
- Russia-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware (source)
- Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer (source)