"Sandworm Hackers From Russia Distribute Malware by Posing as Ukrainian Telecoms"

A threat cluster linked to the Russian nation-state actor Sandworm is attacking Ukraine with commodity malware while posing as telecommunications companies. Recorded Future discovered new UAC-0113 infrastructure imitating the operators Datagroup and EuroTransTelecom to distribute payloads such as the Colibri loader and Warzone RAT. The cyberattacks on Ukrainian telecommunications companies are a continuation of the same operation that previously used phishing emails with lures referencing legal assistance to spread DCRat, also known as DarkCrystal RAT. Sandworm, a disruptive Russian threat group, is well known for carrying out attacks such as the NotPetya hacks in 2017 and for targeting Ukraine's electrical systems in 2015 and 2016. The group has been positively identified as Unit 74455 of the Russian GRU military intelligence service. In April, the group used a new variant of the Industroyer malware to try to harm computers, networking hardware, and high-voltage electrical substations in Ukraine for the third time. In response to Russia's invasion of Ukraine, the group launched numerous additional attacks, including exploitation of the Follina vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) to compromise media organizations in the Eastern European country. This article continues to discuss Sandworm hackers posing as telecommunications companies in attacks against Ukraine.

CyberIntelMag reports "Sandworm Hackers From Russia Distribute Malware by Posing as Ukrainian Telecoms"
