Sandworm impersonates Ukrainian telecoms providers to deploy malware

Sandworm, tied to Russian authorities, employs a tactic of pretending to be Ukrainian telecoms providers to distribute malware, as revealed by Recorded Future. The group is utilizing various malware, including Colibri Loader and Warzone, to target important Ukrainian systems. The evolution of Sandworm’s command and control infrastructure has been observed through gradual upgrades, enabling Recorded Future to make connections based on past data. Sandworm’s history includes cyberattacks on Ukraine’s energy infrastructure and the establishment of a persistent botnet named Cyclops Blink.

Sandworm, a hacking group allegedly linked with Russian authorities, continues its campaign against Ukrainian entities. This time the threat actors are targeting their victims by impersonating telecoms companies, according to the latest research by Recorded Future.

Attacks were executed by luring people into visiting compromised sites, usually through emails sent from domains that pretend to originate from a Ukrainian telecommunications company.

Recorded Future has noticed an increase in Sandworm command and control (C2) infrastructure using dynamic DNS names impersonating Ukrainian telecommunications service providers. Recent operations target vital Ukrainian systems with malware such as Colibri Loader and the Warzone RAT (remote access trojan).

The research further notes that Sandworm has upgraded its command and control (C2) infrastructure. However, because this happened gradually, Recorded Future was able to confidently link current activity to the threat actor using past data from CERT-UA reports.

The cybercrime group has previously been linked with a number of cyberattacks, including those on Ukrainian energy infrastructure and the ‘deployment of a persistent botnet named Cyclops Blink.’