GRU-affiliated Russian hackers targeted 20 Ukrainian critical infrastructure facilities in March 2024, Ukraine’s Computer Emergency Response Team (CERT-UA) has disclosed.
The cyber attacks targeted energy, heating, and water facilities in 10 Ukrainian regions. CERT-UA believes they intended to enhance the effectiveness of the Russian military’s missile strikes on the targeted facilities.
Russian hackers exploited supply chains to breach Ukraine’s critical infrastructure
The Ukrainian cyber authority disclosed that the Russian hackers compromised at least three supply chains, either delivering infected software updates or abusing the privileged access that third parties held for maintenance and technical support.
Upon discovery, the Ukrainian cyber authority investigated all the incidents, notified impacted critical infrastructure organizations, and assisted them in configuring their networks.
Additionally, the Ukrainian cyber defenders analyzed and removed the infected software. They discovered two Linux backdoors, “Biasboat” and “Loadgrip,” derived from the “Queueseed” backdoor (also known as Knuckletouch, wrongsen, IcyWell, or Kapeka).
Ukraine’s cyber authorities have tracked Kapeka since 2022, when Russian hackers first deployed the malware in destructive cyber attacks on water supply facilities. The malware has also been used outside Ukraine, in Poland, against transportation and logistics services.
Biasboat operates as an encrypted file server and works alongside Loadgrip, a C-based injector for payloads that are encrypted using the machine’s unique identifier.
In contrast, Queueseed is a C++-based, Windows-specific backdoor with remote code execution (RCE) capabilities. It collects system information such as the operating system, language, and username, executes instructions from the attackers’ command-and-control (C2) server, and returns the results as JSON encrypted with RSA and AES.
Queueseed also handles file operations, including deleting itself to conceal the threat actor’s activity on compromised systems. It stores its encrypted configuration in the Windows registry and creates scheduled tasks to establish persistence.
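The two persistence traits described above, an opaque encrypted configuration written to the registry and a scheduled task created for persistence, are both observable in standard Windows telemetry. The following hunting script is an added example and is not CERT-UA’s, the article’s or any vendor’s code: it runs over constructed Sysmon Event ID 13 (registry value set) and Security Event ID 4698 (scheduled task created) records, flags registry values that look like encrypted blobs by their byte entropy, and flags tasks whose action runs from a user-writable directory. The entropy and length thresholds, the directory list, and every registry path, task name and file path in the sample events are assumptions made up for the example, not indicators from the report.

```python
import hashlib
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Thresholds are assumptions for this example: a value at least this long whose
# byte entropy is this high looks like an encrypted or compressed blob, not text.
MIN_BLOB_LEN = 64
ENTROPY_THRESHOLD = 4.5  # bits per byte; English text and file paths sit near 4.0

# Task actions launched from these locations deserve a look: services and vendor
# software normally run from Program Files or System32, not from writable dirs.
USER_WRITABLE_DIRS = re.compile(
    r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp|Temp)\\", re.IGNORECASE)

# Namespace of the Task Scheduler XML carried in the TaskContent field of 4698.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def registry_value_bytes(details: str) -> bytes:
    """Sysmon renders REG_BINARY values as a hex string; other types arrive as text."""
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", details):
        return bytes.fromhex(details)
    return details.encode("utf-8", "replace")


def task_commands(task_xml: str) -> list:
    """Extract every <Exec><Command> from a Task Scheduler XML definition."""
    root = ET.fromstring(task_xml)
    return [(c.text or "").strip() for c in root.iter(TASK_NS + "Command")]


def hunt(events: list) -> list:
    """Return findings for opaque registry blobs (Sysmon Event ID 13) and for
    scheduled tasks whose command lives in a user-writable path (Event ID 4698)."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            raw = registry_value_bytes(ev["Details"])
            ent = shannon_entropy(raw)
            if len(raw) >= MIN_BLOB_LEN and ent >= ENTROPY_THRESHOLD:
                findings.append({"type": "opaque_registry_value",
                                 "target": ev["TargetObject"],
                                 "image": ev["Image"], "entropy": round(ent, 2)})
        elif ev["EventID"] == 4698:
            for cmd in task_commands(ev["TaskContent"]):
                if USER_WRITABLE_DIRS.search(cmd):
                    findings.append({"type": "task_from_writable_path",
                                     "task": ev["TaskName"], "command": cmd})
    return findings


def _task_xml(command: str) -> str:
    """Minimal 4698-style task definition wrapping one Exec action (constructed)."""
    return ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f"<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>")


# Constructed sample events. Every key, path and task name below is a placeholder
# invented for this example, not an indicator taken from the CERT-UA report.
_blob = b"".join(hashlib.sha256(f"constructed-{i}".encode()).digest() for i in range(3))
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\ExampleVendor\Updater\Enabled",
     "Details": "DWORD (0x00000001)"},                      # benign: short, low entropy
    {"EventID": 13, "Image": r"C:\ProgramData\update\svc.exe",
     "TargetObject": r"HKLM\SOFTWARE\ExampleVendor\Updater\Cache",
     "Details": _blob.hex()},                               # 96 opaque bytes
    {"EventID": 4698, "TaskName": r"\ExampleVendor\Maintenance",
     "TaskContent": _task_xml(r"C:\Program Files\ExampleVendor\maint.exe")},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\UpdateCheck",
     "TaskContent": _task_xml(r"C:\ProgramData\update\svc.exe")},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Entropy alone is a coarse filter (compressed data and legitimate certificates also score high), so in practice the `image` field is the pivot: a blob written by a process that also appears in a task-creation finding, as in the sample above, is worth a much closer look than either signal on its own.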
Ukrainian cyber defenders also detected GOSSIPFLOW, a malicious program written in Go. It provides tunneling through the Yamux multiplexer library and acts as a SOCKS5 proxy.
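A SOCKS5 proxy on an infrastructure host gives its operator a pivot into the network, and because the negotiation is defined byte-for-byte in RFC 1928, it can be recognised in captured traffic regardless of the port it listens on. The parser below is an added example, not code from the article, CERT-UA or the GOSSIPFLOW sample: it decodes the client greeting and request messages, rejects truncated or malformed input, and reports a flow as a SOCKS5 proxy conversation when a valid greeting is followed by a valid request on a port where no proxy is expected. The allowed-port set and the sample flows are constructed assumptions.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_greeting(data: bytes):
    """Client method-selection message: VER | NMETHODS | METHODS (RFC 1928 section 3).
    Returns the offered authentication methods, or None if this is not a greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return list(data[2:])


def parse_request(data: bytes):
    """Client request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (RFC 1928 section 4).
    Returns the decoded request, or None for malformed or truncated input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp, pos = data[1], data[3], 4
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        if len(data) < pos + 4:
            return None
        host, pos = str(ipaddress.IPv4Address(data[pos:pos + 4])), pos + 4
    elif atyp == ATYP_DOMAIN:                     # length-prefixed host name
        if len(data) < pos + 1:
            return None
        length, pos = data[pos], pos + 1
        if len(data) < pos + length:
            return None
        host, pos = data[pos:pos + length].decode("ascii", "replace"), pos + length
    elif atyp == ATYP_IPV6:
        if len(data) < pos + 16:
            return None
        host, pos = str(ipaddress.IPv6Address(data[pos:pos + 16])), pos + 16
    else:
        return None
    if len(data) != pos + 2:                      # only the 2-byte port may follow
        return None
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": struct.unpack("!H", data[pos:])[0]}


def classify_flow(dst_port: int, client_payloads: list, allowed_ports=frozenset({1080})):
    """Inspect the first two client-to-server payloads of a TCP flow. A valid greeting
    followed by a valid request means something on dst_port speaks SOCKS5; the
    `expected` flag records whether a proxy belongs on that port (assumed set)."""
    if len(client_payloads) < 2 or parse_greeting(client_payloads[0]) is None:
        return None
    request = parse_request(client_payloads[1])
    if request is None:
        return None
    return {"dst_port": dst_port, "expected": dst_port in allowed_ports, **request}


def scan_flows(flows: list) -> list:
    """Return every flow that carries SOCKS5 negotiation on an unexpected port."""
    results = []
    for flow in flows:
        verdict = classify_flow(flow["dst_port"], flow["payloads"])
        if verdict is not None and not verdict["expected"]:
            results.append(verdict)
    return results


# Constructed sample flows: plain HTTP, then a SOCKS5 CONNECT to example.invalid:443
# negotiated on TCP 8443, a port where no proxy is expected in this example.
SAMPLE_FLOWS = [
    {"dst_port": 80, "payloads": [b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"]},
    {"dst_port": 8443, "payloads": [
        b"\x05\x01\x00",                                              # greeting, no-auth
        b"\x05\x01\x00\x03" + bytes([15]) + b"example.invalid" + b"\x01\xbb"]},
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(hit)
```

The strict length checks matter: a detector that accepts any payload starting with 0x05 will fire on unrelated binary protocols, while one that demands a complete, well-formed greeting and request in the first two client segments stays quiet on them and still catches a proxy that has simply moved off port 1080.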
Other tools in the Russian hackers’ arsenal included Chisel, LibProcessHider, JuicyPotatoNG, and RottenPotatoNG.
“The combination of new tools being used, alongside free and open-source tools, shows they’re interested in avoiding detection while conserving previously unused payloads,” said Matt Sparrow, senior intelligence operations analyst at Centripetal.
The Russian hacking group Sandworm, also known as APT44, BlackEnergy, Seashell Blizzard, and Voodoo Bear, frequently deploys the Queueseed backdoor. The presence of this malware led to the attribution of the cyber attacks on Ukrainian critical infrastructure facilities to Sandworm.
The group is closely linked to Russia’s Main Directorate of the General Staff of the Armed Forces (GRU). According to a Mandiant report, Sandworm has been associated with cyberespionage, destructive attacks, and information warfare in North America, Europe, the Middle East, Asia, and Latin America.
APT44 has also been involved in attempts to subvert democratic processes to advance Russia’s geopolitical objectives. The report says Sandworm’s operations are integrated with Russia’s conventional forces more closely than those of any other group.
“Sandworm is a very capable threat actor, and it’s now clear that all of their previously identified capabilities were in line with what everyone suspected,” Sparrow continued. “They’ve been preparing to leverage those capabilities during a time of war to delay, disrupt, or destroy the capabilities of their targets.”
Poor cybersecurity practices of critical infrastructure organizations
The Ukrainian cyber defenders blamed the impacted critical infrastructure organizations for poor cybersecurity practices, which enabled Russian hackers to gain access and hampered a proper incident response.
Notably, CERT-UA highlighted improper or absent network segmentation, which allowed the attacks to spread. It also criticized third-party software suppliers whose negligence left applications with trivial remote code execution vulnerabilities, which the Russian hackers exploited.
Since 2022, Russia has aggressively targeted Ukraine’s critical infrastructure with kinetic strikes and destructive cyber attacks to force the country into submission. In April 2022, Russian hackers attempted to wipe data across Ukraine’s substations to disrupt power distribution.