Security News > 2022 > September > Russian Sandworm hackers pose as Ukrainian telcos to drop malware
The Russian state-sponsored hacking group known as Sandworm has been observed masquerading as telecommunication providers to target Ukrainian entities with malware.
Sandworm is a state-backed threat actor attributed by the US government as part of the Russian GRU foreign military intelligence service.
Starting from August 2022, researchers at Recorded Future have observed a rise in Sandworm command and control infrastructure that uses dynamic DNS domains masquerading as Ukrainian telecommunication service providers.
Recent campaigns aim to deploy commodity malware like Colibri Loader and the Warzone RAT onto critical Ukrainian systems.
Another spoofed Ukrainian telecommunication services provider is Kyivstar, for which Sandworm uses the facades "Kyiv-star[.]ddns[.]net" and "Kievstar[.]online."
Possibly, the Russian hackers want to make tracking and attribution harder for security analysts by using widely available malware and hoping that their tracks are "Lost in the noise."
News URL
Related news
- Russia-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware (source)
- Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer (source)
- How Russian hackers went after NGOs’ WhatsApp accounts (source)
- Hacker infects 18,000 "script kiddies" with fake malware builder (source)
- EU sanctions Russian GRU hackers for cyberattacks against Estonia (source)
- North Korean Hackers Deploy FERRET Malware via Fake Job Interviews on macOS (source)
- Hackers exploit SimpleHelp RMM flaws to deploy Sliver malware (source)
- Russian military hackers deploy malicious Windows activators in Ukraine (source)
- North Korean hackers spotted using ClickFix tactic to deliver malware (source)
- Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts (source)