UAC-0133 (Sandworm) Attack Detection: russia-Linked Hackers Aim to Cripple the Information and Communication Systems of 20 Critical Infrastructure Organizations Across Ukraine
Table of contents:
For over a decade, the nefarious russia-backed Sandworm APT group (aka UAC-0133, UAC-0002, APT44, or FROZENBARENTS) has been consistently targeting Ukrainian organizations with a prime focus on the public sector and critical infrastructure. CERT-UA has recently unveiled the group’s malicious intentions to disrupt the information and communication systems of about 20 critical infrastructure organizations.
UAC-0133 (Sandworm) Activity Analysis
On April 19, 2024, CERT-UA revealed the traces of a planned cyber sabotage against Ukraine aimed to cripple the information and communication technology (ICT) systems of the energy, water, and heat supply sector organizations throughout the country’s 10 regions. The attack is attributed to UAC-0133, the subcluster of the notorious russia’s Sandworm APT group.
In addition to the QUEUESEED backdoor, also known as KNUCKLETOUCH, ICYWELL, WRONGSENS, or KAPEKA, which was discovered in 2022, the group experiments with a novel offensive toolset. In the latest attacks, Sandworm leveraged LOADGRIP and BIASBOAT malware, which were installed on Linux-based computers intended for automating technological process management systems via custom software of domestic production. Notably, BIASBOAT malware was applied in the form of an encrypted file specific to a particular server, for which the attackers used a pre-received “machine-id” value.
The CERT-UA investigation has uncovered at least three supply chains. The initial unauthorized access can be achieved by installing the attackers’ custom software containing backdoors and vulnerabilities. Another initial attack vector leading to the system compromise can be caused by the standard technical capability of supplier employees to access the ICT systems of organizations for maintenance and technical support.
Adversaries have leveraged their custom software for lateral movement and further development of the cyber attack against the organizations’ corporate networks. For instance, the impacted computers contained directories with the pre-created PHP web shell known as WEEVELY along with REGEORG.NEO or PIVOTNACCI PHP tunnels.
Notably, the compromised computers running Windows OS were exposed to infection by the QUEUESEED and GOSSIPFLOW malware. These malicious strains have been in the spotlight since 2022 as part of the adversary toolkit of the UAC-0133 group and leveraged in destructive cyber attacks targeting water supply facilities, in addition to the SDELETE utility. The common offensive toolset and similar behavior patterns enable researchers to consider UAC-0133 a subcluster of UAC-0002 (Sandworm/APT44).
Adversary tools used in the planned massive offensive campaign against Ukraine include QUEUESEED malware, which collects basic information about the targeted computer, executes commands received from a C2 server, and sends back the results. The malware achieves persistence through a dropper that creates a corresponding scheduled task or registry “Run” entry in the Windows registry.
Other key tools involve BIASBOAT malware, which is a QUEUESEED Linux-based iteration, LOADGRIP used to launch a payload by injecting it via the ptrace API, and GOSSIPFLOW, which acts as a SOCKS5 proxy and is used to establish a tunnel via the Yamux multiplexer library. Apart from the above-mentioned malware, the UAC-0133 group has also applied CHISEL, LIBPROCESSHIDER, JUICYPOTATONG, and ROTTENPOTATONG to proceed with the targeted attacks.
According to the researchers, a set of factors could facilitate attack development, including inadequate server segmentation, allowing access between supplier systems and organizational networks, and suppliers’ negligence in ensuring proper software security. The latter could potentially lead to the exploitation of basic vulnerabilities to further cause RCE.
CERT-UA also suspects that unauthorized access to the ICT systems of multiple energy, water, and heat supply entities was intended to amplify the impact of missile strikes on Ukraine’s infrastructure in the spring of 2024.
Detect UAC-0133 (Sandworm) Attacks Covered by CERT-UA
The surge in the malicious activity of the russia-backed hacking collective tracked as UAC-0133 and considered a subcluster Sandworm APT (aka UAC-0002) fuels the need for enhancing proactive cyber defense to timely identify and thwart destructive attacks against the critical infrastructure sector. SOC Prime Platform curates relevant Sigma rules to detect the latest activity involving the offensive intentions of massive cyber sabotage against the Ukrainian critical infrastructure sector covered in the CERT-UA research. Log into the Platform to access dedicated detection algorithms enriched with relevant metadata and mapped to the MITRE ATT&CK® framework. All detections available via the Explore Detections button below can be used across multiple SIEM, EDR, and Data Lake solutions to accelerate Detection Engineering operations.
To elevate threat detection capabilities, organizations can also rely on additional SOC content: using the corresponding custom tags based on the adversary identifiers: UAC-0133, Sandworm, UAC-0002, APT44, FROZENBARENTS.
Defenders searching for ways to streamline IOC-bassed threat hunting can take advantage of SOC Prime’s Uncoder AI offering advanced IOC packaging. Just paste IOCs from the relevant CERT-UA report and instantly convert them to custom queries in the SIEM or EDR format you prefer, so you can seamlessly hunt for threats in your environment.
MITRE ATT&CK Context
Leveraging MITRE ATT&CK provides granular visibility into the context of offensive operations attributed to UAC-0133. Explore the table below to see the full list of dedicated Sigma rules addressing the corresponding ATT&CK tactics, techniques, and sub-techniques.
Tactics | Techniques | Sigma Rule |
Execution | System Services: Service Execution (T1569.002) | |
Command and Scripting Interpreter (T1059) | ||
Command and Scripting Interpreter: Windows Command Shell (T1059.003) | ||
Command and Scripting Interpreter: Visual Basic (T1059.005) | ||
Persistence | Create or Modify System Process: Systemd Service (T1543.002) | |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | ||
Boot or Logon Initialization Scripts: RC Scripts (T1037.004) | ||
Office Application Startup: Add-ins (T1137.006) | ||
Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006) | ||
Scheduled Task/Job: Scheduled Task (T1053.005) | ||
Privilege Escalation | Access Token Manipulation (T1134) | |
Defense Evasion | Masquerading (T1036) | |
Masquerading: Double File Extension (T1036.007) | ||
Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006) | ||
System Binary Proxy Execution: Rundll32 (T1218.011) | ||
Command and Control | Protocol Tunneling (T1572) | |