In a recent cybersecurity update, the Computer Emergency Response Team of Ukraine (CERT-UA) announced that there had been 11 cyberattacks by a group codenamed ‘UAC-0165’ on several telecommunication service providers within the period of May to September 2023.

These attacks have led to service outages, leaving numerous customers without access, underscoring the urgent need for cybersecurity practices in the telecommunications industry.

These attacks typically start with a reconnaissance stage in which attackers use open RDP and SSH interfaces that face the organization’s network.

CERT-UA Update: UAC-0165 Cyberattack on Ukrainian Telecom Industry

According to CERT-UA, this reconnaissance and exploitation activity originates from initially compromised servers, with their majority based on the Ukrainian part of the internet. The use of proxies such as Dante and SOCKS5 is intended for directing the traffic from threat actors into these nodes.

These are distinguishable since they employ two highly-targeted hacking tools, particularly POEMGATE and POSEIDON, purposed for stealing credentials as well as remote control operation of compromised machines.

In addition, the white cat is a tool used by attackers to bypass detecting and forensic analysis. What’s worse is that they manage to continuously access the provider’s infrastructure through VPN accounts that do not have multi-factor authentication protected.

The next phase involves attempts by the attackers to physically destroy network and server equipment, particularly the Mikrotik devices and the data storage systems.

These targeted actions worsen the harm and disorder experienced in the attacks thus making it difficult for the affected telecom providers and their customers to deal with the fallout.

The UAC-0006 group has sent four waves of phishing to CERT-UA and other organizations. The SmokeLoader malware was launched in the first week of October 2023 in these attacks.

Ironically, even worse, the attackers used compromised but legitimate e-mail addresses for sending phishing messages, thus making detection of it much harder. Once on a PC, SmokeLoader is utilized for evil motives.

The main goal of these phishing attacks is to get the accounts of the attacker into the computer systems of accountants which is then followed up by stealing information associated with the authentication like log-in credentials, passwords, keys, or certificates. T

he hijacked personal data can then be manipulated by the attackers in remote banking infrastructure, resulting in fraudulent transactions being made possible.

In response to these cyber threats, CERT-UA is appealing to TSPs in Ukraine to enhance their cybersecurity measures. The agency advises regularly carrying out security audits, enabling the multi-factor authentication of VPN accounts, and strengthening of their network infrastructure from potential attackers.

Such cyberattacks, as seen on Ukrainian telecommunication providers in this regard also underline the perenniality and the ever-changing characteristics of cybersecurity threats that organizations all over the world face.

With technological advancement comes enhanced methods and capabilities of threat actors. Organizations and governments should continue to be alert, share relevant information, and commit to enhancing cyber security defense to defend critical infrastructure and guard delicate data from cyber dangers that are ever-present.

Despite these cyberattacks that targeted Ukraine’s Telecom, CERT-UA assures to continue providing solutions for enhanced cybersecurity. This attack makes it evident that there is an urgent need for an effective, agile cybersecurity framework in order to keep off future attacks.

Ukraine can enhance its cyber resilience by relentlessly improving cybersecurity measures as well as encouraging collaborations among entities. Recent break-ins stand out as grim reminders about ongoing risks in cyber space that have implications for securing critical infrastructure and keeping sensitive information safe.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.