Security News > 2022 > September > Russian Sandworm hackers pose as Ukrainian telcos to drop malware
The Russian state-sponsored hacking group known as Sandworm has been observed masquerading as telecommunication providers to target Ukrainian entities with malware.
Sandworm is a state-backed threat actor attributed by the US government as part of the Russian GRU foreign military intelligence service.
Starting from August 2022, researchers at Recorded Future have observed a rise in Sandworm command and control infrastructure that uses dynamic DNS domains masquerading as Ukrainian telecommunication service providers.
Recent campaigns aim to deploy commodity malware like Colibri Loader and the Warzone RAT onto critical Ukrainian systems.
Another spoofed Ukrainian telecommunication services provider is Kyivstar, for which Sandworm uses the facades "Kyiv-star[.]ddns[.]net" and "Kievstar[.]online."
Possibly, the Russian hackers want to make tracking and attribution harder for security analysts by using widely available malware and hoping that their tracks are "Lost in the noise."
News URL
Related news
- Russian Hackers Use 'WINELOADER' Malware to Target German Political Parties (source)
- Russian hackers use new Lunar malware to breach a European govt's agencies (source)
- Hackers Hit Indian Defense, Energy Sectors with Malware Posing as Air Force Invite (source)
- Hackers Target macOS Users with Malicious Ads Spreading Stealer Malware (source)
- China-linked Hackers Deploy New 'UNAPIMON' Malware for Stealthy Operations (source)
- Vietnam-Based Hackers Steal Financial Data Across Asia with Malware (source)
- TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks (source)
- Russian Sandworm hackers pose as hacktivists in water utility breaches (source)
- Russian Sandworm hackers targeted 20 critical orgs in Ukraine (source)
- Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028) (source)