Russian Hackers Launched Sabotage Attacks On 20 Critical Infrastructure

Researchers identified a cyberattack by the Sandworm group targeting critical infrastructure in Ukraine in March 2024. The attack aimed to disrupt the information and communication systems (ICS) of energy, water, and heat suppliers across ten regions. 

In addition to the previously known QUEUESEED backdoor, the attackers used a new toolkit, including LOADGRIP malware and a Linux variant of QUEUESEED named BIASBOAT, which was a server-specific encrypted file utilizing a compromised machine’s unique identifier.

The malware targeted Linux systems managing industrial automation processes (ASUTP), likely through specialized domestic software. 

Breaches were identified in at least three supply chains, where attackers gained initial access through compromised Software Defined Radio (SDR) devices containing vulnerabilities or via legitimate access by supplier employees with technical privileges to maintain the organization’s Industrial Control Systems (ICS). 

Attackers deployed malicious tools like WEEVELY web shells and REGEORG to exploit these access points.NEO tunnels and PIVOTNACCI for lateral movement and launching cyberattacks within enterprise networks. 

CERT-UA identified and responded to a cyberattack campaign targeting critical infrastructure facilities in Ukraine between March 7th and 15th, 2024.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

Russian Hackers & Sabotage Attacks

The attackers gained initial access through compromised supply chains and exploited a lack of segmentation to move laterally within the network. 

They deployed QUEUESEED and GOSSIPFLOW malware, previously linked to UAC-0133 (a subcluster of Sandworm/APT44) responsible for water supply facility attacks using SDELETE, to target Windows machines, highlighting the continued threat posed by APT groups and the importance of proper segmentation and security practices. 

A critical infrastructure attack campaign targeting Ukrainian energy, water, and heat suppliers leveraged two key weaknesses.

First, poor segmentation practices allowed supplier software-defined radios (SDRs) to access the organizations’ ICS networks directly, bypassing internet and internal access controls. 

Second, suppliers’ lax security practices left vulnerabilities in their provided software, such as remote code execution (RCE) flaws, open to exploitation.

CERT-UA suspects these attacks aimed to compromise ICS systems and amplify the impact of physical strikes planned for spring 2024. 

QUEUESEED, a C++ malware, gathers system information (OS, language, username) and executes commands from its control server.

The malware can read and write files, run commands, update its configuration, and self-destruct. 

Communication with the control server utilizes HTTPS with encrypted data (JSON format, RSA+AES). The backdoor’s configuration file, including the control server URL, is AES-encrypted with a static key. 

An internal queue for commands and results resides in the Windows registry, encrypted with AES using the %MACHINEGUID% value as the key. Persistent is achieved through a dropper that creates a scheduled task or a registry entry under the “Run” key. 

A hacking group has been using malicious tools to compromise Linux systems.

BIASBOAT, a C-based ELF program, is a Linux variant of QUEUESEED that injects payloads using LOADGRIP, another C-based ELF injector. 

LOADGRIP decrypts the payloads using a key based on a static constant and the machine ID.

At the same time, GOSSIPFLOW, a Go program, creates tunnels and functions as a SOCKS5 proxy and also uses other tools, including CHISEL, LIBPROCESSHIDER, JUICYPOTATONG, and ROTTENPOTATONG.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.