Cyber Incident Victim: Russia's Black Sea Fleet
Date:
Mar 2024
Location:
Ukraine
Summary
A Russian state-sponsored threat actor known as Sandworm targeted approximately twenty critical infrastructure facilities in Ukraine, including energy, water, and heat suppliers. The group employed a combination of known and new malware, such as QUEUESEED and the Linux variants BIASBOAT and LOADGRIP, to infiltrate networks and disrupt operations. Initial access was gained through supply chain compromises, including poisoned software and abuse of vendor maintenance access. The campaign's purpose was believed to be the disruption of information systems to amplify the effects of concurrent physical attacks on the infrastructure.
Description
In March 2024, the Russian state-sponsored threat actor Sandworm, also known as APT44 and UAC-0002, executed a coordinated cyber campaign against approximately twenty critical infrastructure organizations in Ukraine. The Ukrainian Computer Emergency Response Team, CERT-UA, identified the operation as targeting energy, water, and heat supply facilities across ten different regions. The attackers employed a combination of established and novel malware to infiltrate and disrupt the information and communication systems of these utilities. Initial access was achieved through at least three compromised software supply chains; in some cases, the attackers delivered compromised or vulnerable software, while in others, they leveraged the legitimate remote access privileges granted to software suppliers for maintenance and technical support. Once inside a network, the threat actors used these initial footholds for lateral movement to deploy their full toolkit across the corporate networks of the targeted enterprises.

The malware deployed included the Windows-based QUEUESEED backdoor, a known tool tracked since 2022, and two new Linux variants named BIASBOAT and LOADGRIP. BIASBOAT functioned as a Linux version of the QUEUESEED backdoor, disguised as an encrypted file server. LOADGRIP was an injector used to decrypt and execute the BIASBOAT payload on a compromised Linux computer, with the decryption key derived from the specific victim's machine ID. The attackers also used the GOSSIPFLOW malware, a Go-based tool that established tunnels and provided SOCKS5 proxy functionality for command and control communication and data exfiltration. Additional open-source tools were incorporated into the attack, including the Weevely web shell, the Regeorg.Neo, Pivotnacci, and Chisel tunnellers, and privilege escalation utilities such as JuicyPotatoNG.

CERT-UA believes the objective of these cyber intrusions was to disrupt the operational technology of these critical facilities to amplify the destructive effects of concurrent Russian missile strikes on the same infrastructure targets. From March 7 to March 15, 2024, CERT-UA conducted extensive response operations, which involved notifying all identified victims, removing the malicious software, analyzing the attack patterns, reconstructing the incident chronology, and assisting with reconfiguring network equipment to enhance security. The investigation concluded that the attackers' success was facilitated by the victims' poor cybersecurity practices, specifically a lack of proper network segmentation and insufficient security controls at the software supplier level.
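The description notes that GOSSIPFLOW exposed SOCKS5 proxy functionality for command and control and exfiltration, and that the victims lacked network segmentation. One detection a defender can run over captured traffic is a check for SOCKS5 handshakes on flows that touch segments where no host should ever act as a SOCKS client or server. The following is an added example, not code from CERT-UA or from the page; the flow records, addresses and the monitored network ranges are constructed for illustration, and the parser follows the SOCKS5 message layout from RFC 1928.

```python
"""Flag SOCKS5 handshakes seen on flows touching monitored network segments.

Added, illustrative example (not CERT-UA tooling). Flow records and
address ranges below are constructed; a real deployment would feed
reassembled TCP payloads from a packet capture or NDR sensor.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_greeting(payload: bytes):
    """Return the auth methods offered in a SOCKS5 client greeting, else None."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return None
    return list(payload[2 : 2 + nmethods])


def parse_request(payload: bytes):
    """Return (command, destination host, port) for a SOCKS5 request, else None."""
    if len(payload) < 7 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:  # IPv4 address, 4 bytes
        if len(payload) < 10:
            return None
        host, end = str(ipaddress.IPv4Address(payload[4:8])), 8
    elif atyp == 0x03:  # domain name, one length byte then the name
        n = payload[4]
        if len(payload) < 5 + n + 2:
            return None
        host, end = payload[5 : 5 + n].decode("ascii", errors="replace"), 5 + n
    elif atyp == 0x04:  # IPv6 address, 16 bytes
        if len(payload) < 22:
            return None
        host, end = str(ipaddress.IPv6Address(payload[4:20])), 20
    else:
        return None
    (port,) = struct.unpack("!H", payload[end : end + 2])
    return CMD_NAMES[cmd], host, port


def flag_socks5_flows(flows, monitored_nets):
    """Return alert strings for flows where a monitored host takes part in a SOCKS5 handshake.

    Each flow is {"src": ip, "dst": ip, "payloads": [client msg 1, client msg 2, ...]};
    the first two client payloads of a SOCKS5 session are the greeting and the request.
    """
    nets = [ipaddress.ip_network(n) for n in monitored_nets]
    alerts = []
    for flow in flows:
        endpoints = (ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"]))
        if not any(ep in net for ep in endpoints for net in nets):
            continue
        payloads = flow["payloads"]
        if len(payloads) < 2 or parse_greeting(payloads[0]) is None:
            continue
        req = parse_request(payloads[1])
        if req is None:
            continue
        cmd, host, port = req
        alerts.append(f"{flow['src']} -> {flow['dst']}: SOCKS5 {cmd} to {host}:{port}")
    return alerts


# Constructed sample flows: one SOCKS5 session from a server-segment host,
# one ordinary HTTP request, and one SOCKS5 session between outside addresses.
MONITORED_NETS = ["10.20.0.0/16"]  # assumed server/OT-adjacent segment
SAMPLE_FLOWS = [
    {
        "src": "10.20.5.17",
        "dst": "198.51.100.7",
        "payloads": [
            b"\x05\x01\x00",  # greeting: one method, no authentication
            b"\x05\x01\x00\x01\xcb\x00\x71\x0a\x01\xbb",  # CONNECT 203.0.113.10:443
        ],
    },
    {
        "src": "10.20.5.18",
        "dst": "198.51.100.8",
        "payloads": [b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"],
    },
    {
        "src": "192.0.2.4",
        "dst": "198.51.100.9",
        "payloads": [b"\x05\x01\x00", b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"],
    },
]

if __name__ == "__main__":
    for line in flag_socks5_flows(SAMPLE_FLOWS, MONITORED_NETS):
        print(line)
```

This only catches handshakes that are visible in cleartext on the wire; when the SOCKS5 service sits inside an encrypted tunnel such as Chisel, the same logic has to be applied at the host (process and socket telemetry) or at the tunnel's termination point. The check is also direction-agnostic on purpose: a monitored host acting as a SOCKS5 server for an outside client is as much of a finding as one acting as a client.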
