{
	"id": "9c2b8916-346c-4f99-9c4a-4495241c3dba",
	"created_at": "2026-04-06T00:12:41.693441Z",
	"updated_at": "2026-04-10T03:30:30.918362Z",
	"deleted_at": null,
	"sha1_hash": "10a3152db508b958e136fcd1f7dc17c089c3c148",
	"title": "Russian Sandworm hackers breached 11 Ukrainian telcos since May",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1014336,
	"plain_text": "Russian Sandworm hackers breached 11 Ukrainian telcos since May\r\nBy Bill Toulas\r\nPublished: 2023-10-16 · Archived: 2026-04-02 10:57:19 UTC\r\nThe state-sponsored Russian hacking group tracked as 'Sandworm' has compromised eleven telecommunication service providers in Ukraine between May and September 2023.\r\nThat is based on a new report by Ukraine's Computer Emergency Response Team (CERT-UA) citing 'public resources' and information retrieved from some breached providers.\r\nThe agency states that the Russian hackers \"interfered\" with the communication systems of 11 telcos in the country, leading to service interruptions and potential data breaches.\r\nhttps://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-breached-11-ukrainian-telcos-since-may/\r\nPage 1 of 5\r\nSandworm is a very active espionage threat group linked to Russia's GRU (armed forces). The attackers have focused on Ukraine throughout 2023, using phishing lures, Android malware, and data wipers.\r\nTargeting telcos\r\nThe attacks begin with Sandworm performing reconnaissance on the telecommunication companies' networks, using the 'masscan' tool to scan the target's network.\r\nExample of masscan script (CERT-UA)\r\nSandworm looks for open ports and unprotected RDP or SSH interfaces it can leverage to breach the network.\r\nAdditionally, the attackers use tools like 'ffuf', 'dirbuster', 'gowitness', and 'nmap' to find potential vulnerabilities in web services that can be exploited to gain access.\r\nCompromised VPN accounts that weren't protected by multi-factor authentication have also been leveraged to gain network access.\r\nTo make their intrusions stealthier, Sandworm uses 'Dante', 'socks5', and other proxy servers to route their malicious activities through servers within the Ukrainian internet region that they compromised previously, making the traffic appear less suspicious.\r\nCERT-UA reports seeing two backdoors in breached ISP systems, namely 'Poemgate' and 'Poseidon'.\r\nPoemgate captures the credentials of admins who attempt to authenticate on the compromised endpoint, providing the attackers with additional accounts they can use for lateral movement or deeper network infiltration.\r\nPoseidon is a Linux backdoor that the Ukrainian agency says \"includes the full range of remote computer control tools.\"\r\nPersistence for Poseidon is achieved by modifying Cron to add rogue jobs.\r\nCron binary modification to add persistence for Poseidon (CERT-UA)\r\nSandworm uses the 'Whitecat' tool to remove the attack's traces and delete access logs.\r\nIn the final stages of the attack, the hackers were seen deploying scripts that would cause service disruption, especially focusing on Mikrotik equipment, and wiping backups to make recovery more challenging.\r\nScript to impair Mikrotik devices (CERT-UA)\r\nCERT-UA advises that all service providers in the country follow the recommendations in this guide to make it harder for cyber intruders to breach their systems.\r\nSource: https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-breached-11-ukrainian-telcos-since-may/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-breached-11-ukrainian-telcos-since-may/"
	],
	"report_names": [
		"russian-sandworm-hackers-breached-11-ukrainian-telcos-since-may"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434361,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10a3152db508b958e136fcd1f7dc17c089c3c148.pdf",
		"text": "https://archive.orkl.eu/10a3152db508b958e136fcd1f7dc17c089c3c148.txt",
		"img": "https://archive.orkl.eu/10a3152db508b958e136fcd1f7dc17c089c3c148.jpg"
	}
}