Sandworm impersonates Ukrainian telecoms providers to deploy malware

Sandworm, a hacking group allegedly linked to Russian authorities, continues its campaign against Ukrainian entities. This time the threat actors are targeting victims by impersonating telecoms companies, according to the latest research by Recorded Future.

Victims are lured into visiting compromised sites, usually through emails sent from domains made to look as though they belong to a Ukrainian telecommunications company.

Recorded Future has observed an increase in Sandworm command-and-control (C2) infrastructure that uses dynamic DNS domain names impersonating Ukrainian telecommunications service providers. Recent operations target critical Ukrainian systems with malware such as Colibri Loader and the Warzone RAT (remote access trojan).
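
A practical check that follows from this finding is to hunt DNS telemetry for dynamic-DNS hostnames that carry a telecom provider's brand in a label. The script below is an added example, not code from the article or from Recorded Future; the dynamic-DNS suffixes, brand keywords, legitimate domains, log format and log lines are all constructed assumptions, not indicators from the report.

```python
"""Flag DNS queries for dynamic-DNS hostnames that imitate telecom providers.

Added example. The suffix list, brand list, log format and sample log lines
are constructed assumptions, not indicators taken from the Recorded Future report.
"""
import re

# Assumed: commonly abused dynamic-DNS suffixes. Extend with your own list.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "duckdns.org", "no-ip.org", "hopto.org", "dynu.net")

# Assumed: brand keyword -> the registrable domain where that brand legitimately lives.
TELECOM_BRANDS = {
    "kyivstar": "kyivstar.ua",
    "ukrtelecom": "ukrtelecom.ua",
    "lifecell": "lifecell.ua",
}

# Constructed log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def registrable_domain(hostname):
    """Return the last two labels of the name (sufficient for this example; a
    production version would use the Public Suffix List)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(hostname):
    """Return (severity, reason) for a suspicious name, or None if it looks benign."""
    host = hostname.rstrip(".").lower()
    base = registrable_domain(host)
    matched = [brand for brand in TELECOM_BRANDS if brand in host]
    if not matched:
        return None
    brand = matched[0]
    if base == TELECOM_BRANDS[brand]:
        return None  # brand appears under its own legitimate domain
    if base in DYNAMIC_DNS_SUFFIXES:
        return ("high", f"{brand} impersonated on dynamic DNS ({base})")
    return ("medium", f"{brand} appears outside its legitimate domain ({base})")


def scan_dns_log(lines):
    """Parse log lines and return one alert dict per suspicious query.
    Lines that do not match the expected format are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        verdict = classify(qname)
        if verdict:
            severity, reason = verdict
            alerts.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "qname": qname,
                "severity": severity,
                "reason": reason,
            })
    return alerts


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2022-09-01T10:00:00Z 10.1.2.3 query www.kyivstar.ua.",
    "2022-09-01T10:00:05Z 10.1.2.3 query kyivstar-support.ddns.net.",
    "2022-09-01T10:00:09Z 10.1.2.7 query ukrtelecom-billing.example.com.",
    "2022-09-01T10:00:12Z 10.1.2.9 query mail.example.org.",
    "malformed line",
]

if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ts']} {alert['client']} -> "
              f"{alert['qname']}: {alert['reason']}")
```

The substring match on the brand keyword is deliberately loose so that names such as `kyivstar-support` or `ukrtelecom-billing` are caught; the legitimate-domain check keeps the provider's own hostnames out of the alert list, and the dynamic-DNS suffix raises severity because that is the hosting pattern the report describes.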

The report also notes that Sandworm has upgraded its C2 infrastructure. Because the change was gradual, Recorded Future was able to link the current activity to the threat actor with confidence by comparing it against historical data from CERT-UA reports.

The group has previously been linked to a number of cyberattacks, including those on Ukrainian energy infrastructure and the 'deployment of a persistent botnet named Cyclops Blink.'