
Scenes From The Cyberwar In Ukraine

Tuesday, January 9th, 2024

The front lines in Ukraine have been static for the last few months, with Russia grinding away in Avdiivka to little effect and Ukraine having failed to effect further advances. However, there are a few snippets of interest from the ongoing cyberwar, on both sides. I thought them worth taking a look at.

  • First, Russia claimed a successful, long-running penetration of a Ukrainian telecom service.

    Over nearly a decade, the hacker group within Russia’s GRU military intelligence agency known as Sandworm has launched some of the most disruptive cyberattacks in history against Ukraine’s power grids, financial system, media, and government agencies. Signs now point to that same usual suspect being responsible for sabotaging a major mobile provider for the country, cutting off communications for millions and even temporarily sabotaging the air raid warning system in the capital of Kyiv.

    On Tuesday, a cyberattack hit Kyivstar, one of Ukraine’s largest mobile and internet providers. The details of how that attack was carried out remain far from clear. But it “resulted in essential services of the company’s technology network being blocked,” according to a statement posted by Ukraine’s Computer Emergency Response Team, or CERT-UA.

    Kyivstar’s CEO, Oleksandr Komarov, told Ukrainian national television on Tuesday, according to Reuters, that the hacking incident “significantly damaged [Kyivstar’s] infrastructure [and] limited access.”

    “We could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy’s access,” he continued. “War is also happening in cyberspace. Unfortunately, we have been hit as a result of this war.”

    The Ukrainian government hasn’t yet publicly attributed the cyberattack to any known hacker group—nor have any cybersecurity companies or researchers. But on Tuesday, a Ukrainian official within its SSSCIP computer security agency, which oversees CERT-UA, pointed out in a message to reporters that a group known as Solntsepek had claimed credit for the attack in a Telegram post, and noted that the group has been linked to the notorious Sandworm unit of Russia’s GRU.

  • But pro-Ukrainian hackers have managed to strike back, by breaching a Russian Internet provider.

    The pro-Ukrainian hacker group Blackjack is claiming that it breached a Moscow internet provider to seek revenge for a Russian cyberattack on Ukraine’s largest telecom company, Kyivstar.

    The attack on M9com was carried out in cooperation with Ukraine’s security forces (SBU), said a source in Ukraine’s law enforcement agency who requested anonymity because he is not authorized to speak publicly about the incident.

    There isn’t much information available about the attack, and the SBU’s role in the operation. Hackers said Monday on their Telegram channel that they will reveal more details soon. So far, the only confirmation of the incident they have provided includes screenshots of the allegedly hacked systems of the internet provider.

    The group also published some of the data obtained during the hack on a darknet site accessible via the Tor browser.

    The time frame of the attack on M9com is unclear, but as of the time of writing, the allegedly hacked website is up and running. There has been no mention of the operator’s shutdown in the Russian media or on its official website. The company has not replied to requests for comment.

    This is not the first time Ukrainian civilian hackers have allegedly cooperated with security services to attack Russian organizations. In an incident publicized in October, two groups of pro-Ukrainian hackers and the SBU claimed to have breached Russia’s largest private bank, Alfa-Bank.

  • Ukrainian hackers also announced that they hacked Russia’s tax systems.

    The Ukrainian government’s military intelligence service says it hacked the Russian Federal Taxation Service (FNS), wiping the agency’s database and backup copies.

    Following this operation, carried out by cyber units within Ukraine’s Defence Intelligence, military intelligence officers breached Russia’s federal taxation service central servers and 2,300 regional servers across Russia and occupied Ukrainian territories.

    The breach led to all compromised FTS servers being infected with malware, as well as the hacking of a Russian IT company that provides FNS with data center services.

    The attack also reportedly resulted in the complete deletion of configuration files crucial for the functionality of Russia’s extensive taxation system, wiping out both the main database and its backup copies.

    As Ukraine’s Main Directorate of Intelligence (GUR) says, the repercussions of the cyberattack have been severe, causing a breakdown in communication between Moscow’s central office and the 2,300 territorial departments that also got hacked in the attack.

    It has led to a virtual collapse of one of Russia’s vital governmental agencies with a significant loss of tax-related data, according to GUR, as well as tax data-related internet traffic across Russia falling into the hands of Ukraine’s military hackers, as The Record first reported.

    If this is true, it will take quite some time to get tax collections up and running again. And the inability to collect taxes will severely hamper Russia’s ability to finance the war.

  • Speaking of the Alfa-Bank hack, just recently Ukrainian hackers announced that they had made all of the bank’s data available online.

    The Ukrainian hacker group Kiborg has made the entire client base of the Russian Alfa Bank publicly available.

    Kiborg hackers, acting in collaboration with NLB hackers, gained access to the customer database in October 2023 and exposed information about 44,000 customers.

    The database contains information on the names, dates of birth, phone numbers, cards and accounts of 38 million unique individuals and legal entities.

    The Vazhnyye Istorii (Important Stories) website clarified that this includes over 24 million customer accounts and over 13 million more data on legal entities.

  • Both sides have struck cyberblows against the other, but Ukraine seems to have done more damage to Russia than vice-versa this week.