
11 Ukrainian Telecom Operators Hit by the Same Threat Actor

Silviu STAHIE

October 18, 2023


A threat actor has launched numerous attacks against telecom companies in Ukraine since the beginning of the year, using a vast array of techniques, including malware and vulnerability exploitation.

Ukraine has been dealing with cyberattacks since the war began, as various threat actors try to compromise critical infrastructure, corporations and government institutions. Attacks vary in complexity from simple phishing to more intricate offensives requiring extensive expertise to pull off.

Now, the Government Computer Emergency Response Team of Ukraine (CERT-UA) says that telecommunications companies have been one of the main targets this year.

"According to public sources, for the period from 11.05.2023 to 27.09.2023, an organized group of criminals tracked by the identifier UAC-0165 interfered with the information and communication systems (ICS) of no less than 11 telecommunications providers of Ukraine, which, among other things, led to interruptions in the provision of services to consumers," according to a CERT-UA press release.

All the attacks followed the same pattern. The threat actors begin by probing for open ports and exposed services with tools such as ffuf, dirbuster, gowitness and nmap. The scanning is launched from systems inside Ukraine that have already been compromised, so it blends in with domestic traffic and obscures the attackers' origin and intentions.
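The reconnaissance pattern above, with scans coming from hosts that already sit in trusted address space, calls for a detection that does not treat internal sources as benign. The following is an added example written for this page, not code from the article or from CERT-UA. It assumes a simple constructed flow-log format (timestamp, source, destination, destination port, protocol) and treats the RFC 1918 ranges as "internal"; the log lines are made up to show one internal host scanning, one normal internal host and one external probe.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records in the form "timestamp src dst dport proto".
# These lines are made up for this example; they are not CERT-UA data.
SAMPLE_LOG = """\
2023-09-20T10:00:01 10.20.5.17 10.20.8.4 21 tcp
2023-09-20T10:00:01 10.20.5.17 10.20.8.4 22 tcp
2023-09-20T10:00:02 10.20.5.17 10.20.8.4 23 tcp
2023-09-20T10:00:02 10.20.5.17 10.20.8.4 25 tcp
2023-09-20T10:00:02 10.20.5.17 10.20.8.4 80 tcp
2023-09-20T10:00:03 10.20.5.17 10.20.8.4 110 tcp
2023-09-20T10:00:03 10.20.5.17 10.20.8.4 143 tcp
2023-09-20T10:00:03 10.20.5.17 10.20.8.4 443 tcp
2023-09-20T10:00:04 10.20.5.17 10.20.8.4 3389 tcp
2023-09-20T10:00:04 10.20.5.17 10.20.8.4 8080 tcp
2023-09-20T10:00:05 10.20.5.17 10.20.8.5 22 tcp
2023-09-20T10:00:05 10.20.5.17 10.20.8.5 443 tcp
2023-09-20T10:00:05 10.20.5.17 10.20.8.6 443 tcp
2023-09-20T10:00:06 10.20.5.30 10.20.8.4 443 tcp
2023-09-20T10:00:07 10.20.5.30 10.20.8.4 443 tcp
2023-09-20T10:00:08 10.20.5.30 10.20.8.9 53 udp
2023-09-20T10:00:09 203.0.113.7 10.20.8.4 22 tcp
2023-09-20T10:00:09 203.0.113.7 10.20.8.4 80 tcp
2023-09-20T10:00:09 203.0.113.7 10.20.8.4 443 tcp
2023-09-20T10:00:10 203.0.113.7 10.20.8.4 8443 tcp
this line is deliberately malformed and must be skipped
"""

# Assumption for the example: RFC 1918 space stands in for "inside the organisation".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return (src, dst, dport) or None if the line does not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, src, dst, dport, _proto = parts
    try:
        ip_address(src)
        ip_address(dst)
        return src, dst, int(dport)
    except ValueError:
        return None


def profile_sources(log_text: str) -> dict:
    """Count distinct target hosts and distinct target ports per source address."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        hosts[src].add(dst)
        ports[src].add(dport)
    return {src: {"hosts": len(hosts[src]), "ports": len(ports[src])} for src in hosts}


def find_scanners(log_text: str, min_ports: int = 8, min_hosts: int = 16) -> list:
    """Flag sources that touch many ports (vertical scan) or many hosts (sweep).

    The verdict does not depend on where the source sits: an internal
    address that scans is reported exactly like an external one, and the
    'internal' flag is attached so the analyst sees it immediately.
    """
    findings = []
    for src, prof in profile_sources(log_text).items():
        if prof["ports"] >= min_ports or prof["hosts"] >= min_hosts:
            findings.append({"src": src, "internal": is_internal(src), **prof})
    return sorted(findings, key=lambda f: (f["ports"], f["hosts"]), reverse=True)


if __name__ == "__main__":
    for f in find_scanners(SAMPLE_LOG):
        where = "INTERNAL" if f["internal"] else "external"
        print(f"{f['src']:>15} {where:>8} ports={f['ports']} hosts={f['hosts']}")
```

With the default thresholds only 10.20.5.17 is reported, and it is reported as internal; the thresholds are per-environment tuning, not fixed values. Note the limit of a flow-level view: ffuf, dirbuster and gowitness work at the HTTP layer, hammering a few web ports with many paths, so they show up in web server or proxy logs as bursts of requests to non-existent paths rather than as port fan-out, and need a separate rule there.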

If they find a way in, the criminals install backdoors such as POEMGATE, which lets them authenticate with a statically defined password and saves the logins and passwords entered during authentication to a file in XOR-encoded form.

They also deploy a tool named WHITECAT, which removes traces of unauthorized access from affected systems, and another, called POSEIDON, which gives them full remote access and control.

The main goal of these intrusions is to pivot from host to host and move laterally through the organization in search of system administrators' computers, which give access to important material such as documents, drawings, contracts, credentials, SMS tokens and pretty much anything else they can get their hands on.

"At the final stage of a cyber attack, active network and server equipment, as well as data storage systems are disabled," CERT-UA added. "This is facilitated by the use of the same passwords and unlimited access to the control interfaces of this equipment."
