Ukraine’s Computer Emergency Response Team (CERT-UA) has revealed that threat actors “interfered” with at least 11 telecommunications service providers in the country between May and September 2023.
The agency is tracking the activity, codenamed UAC-0165, which it says has caused disruption in service to customers due to the intrusion.
The starting point of attacks is a reconnaissance phase in which a telecommunications company’s network is scanned to identify exposed RDP or SSH interfaces and potential entry points.
“It should be noted that reconnaissance and exploitation activities are carried out exclusively from previously compromised servers located in the Ukrainian segment of the Internet,” CERT-UA said.
“To route traffic through such nodes, Dante, SOCKS5 and other proxy servers are used.”
The attacks are notable for the use of two special programs called POEMGATE and POSEIDON that enable credential theft and remote control of infected hosts. To erase forensic traces, a utility called WHITECAT is executed.
In addition, persistent unauthorized access to the provider’s infrastructure is achieved using regular VPN accounts that are not protected using multi-factor authentication.
A successful breach is followed by attempts to disable network and server equipment, especially Mikrotik equipment, as well as data storage systems.
The development came after the agency said it observed four phishing waves carried out by a hacking team tracked as the UAC-0006 group using the Smokeloader malware during the first week of October 2023.
“Legitimate compromised email addresses are used to send emails, and Smokeloader is delivered to PCs through multiple methods,” CERT-UA said.
“The attackers intend to attack the accountant’s computer to steal authentication data (logins, passwords, keys/certificates) and/or alter the details of financial documents in the remote banking system to send unauthorized payments.”