Anatomy of the Ukrainian attack
In the Ukrainian attack, investigators believe the hackers broke into the district energy company's network by exploiting a vulnerability in a Mikrotik router, with initial access occurring in April 2023. They then deployed a webshell on the router's web server to enable remote access and to tunnel into the network.
The attackers then spent time collecting information and planning the next step of their attack until December 2023, when they dumped the Security Account Manager (SAM) registry hive and extracted credentials from the system. While most of the connections to the webshell were made through the Tor anonymity network, the hackers also set up L2TP tunnels to Moscow-based IP addresses.
“The victim network assets, which consisted of a Mikrotik router, four management servers, and the district heating system controllers, were not adequately segmented within the network,” the Dragos researchers concluded. “A forensic examination during the investigation confirmed that the adversaries sent Modbus commands directly to the district heating system controllers from adversary hosts, facilitated by hardcoded network routes.”
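The finding above, that adversary hosts on the IT side could send Modbus commands straight to the heating controllers, is exactly the condition a network detection can catch even when segmentation is missing. The following is an added example written for this article, not code from Dragos or from the incident: it parses Modbus/TCP request frames (the 7-byte MBAP header plus the leading bytes of the PDU) and flags any traffic towards the controller subnet that did not come from an allowlisted engineering host, treating write function codes as the critical case. The IP addresses, the allowlist and the sample frames are constructed for illustration and are not taken from the report.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Modbus function codes that change controller state.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}
READ_FUNCTION_CODES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the start of the PDU of a Modbus/TCP request.

    MBAP: transaction id (2), protocol id (2, always 0), length (2, number of
    bytes that follow), unit id (1). PDU: function code (1), then data.
    Raises ValueError for anything that is not well-formed Modbus/TCP.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit_id, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    # The read/write requests listed above all carry a 16-bit start address next.
    start = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else -1
    return ModbusRequest(tid, unit_id, fc, start)


def detect_unexpected_modbus(records, engineering_hosts, controller_subnet):
    """Flag Modbus/TCP traffic to controllers from hosts that should not send it.

    records: iterable of (src_ip, dst_ip, tcp_payload) tuples.
    Returns a list of alert dicts, most severe first.
    """
    allowed = {ip_address(h) for h in engineering_hosts}
    controllers = ip_network(controller_subnet)
    alerts = []
    for src, dst, payload in records:
        if ip_address(dst) not in controllers:
            continue  # not addressed to a controller; out of scope here
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append({"severity": "medium", "src": src, "dst": dst,
                           "detail": f"malformed Modbus/TCP frame: {err}"})
            continue
        name = (WRITE_FUNCTION_CODES.get(req.function_code)
                or READ_FUNCTION_CODES.get(req.function_code,
                                           f"function 0x{req.function_code:02x}"))
        detail = f"{name} unit {req.unit_id} address {req.start_address}"
        if ip_address(src) not in allowed:
            # The situation in the report: a non-engineering host talking Modbus
            # straight to the controllers. A write is the critical case.
            sev = "critical" if req.function_code in WRITE_FUNCTION_CODES else "high"
            alerts.append({"severity": sev, "src": src, "dst": dst,
                           "detail": f"unauthorised source: {detail}"})
        elif req.function_code in WRITE_FUNCTION_CODES:
            # Authorised host changing state: keep an audit record.
            alerts.append({"severity": "audit", "src": src, "dst": dst,
                           "detail": detail})
    order = {"critical": 0, "high": 1, "medium": 2, "audit": 3}
    alerts.sort(key=lambda a: order[a["severity"]])
    return alerts


# Constructed sample traffic (assumed topology, not from the incident):
# 10.0.30.0/24 is the controller network, 10.0.10.5 the only engineering
# workstation, 10.0.20.9 a compromised management server.
SAMPLE_RECORDS = [
    ("10.0.10.5", "10.0.30.10", bytes.fromhex("00010000000601030000000a")),  # EWS reads 10 registers
    ("10.0.20.9", "10.0.30.10", bytes.fromhex("00020000000601030000000a")),  # mgmt server enumerates
    ("10.0.20.9", "10.0.30.10", bytes.fromhex("000300000006010600010100")),  # mgmt server writes reg 1
    ("10.0.20.9", "10.0.30.11", bytes.fromhex("00040000000b0110001000020400010002")),  # writes 2 regs at 16
    ("10.0.20.9", "10.0.30.11", bytes.fromhex("00050001000601030000000a")),  # bogus protocol id
    ("10.0.10.5", "10.0.30.10", bytes.fromhex("00060000000601050002ff00")),  # EWS writes a coil
    ("10.0.20.9", "10.0.40.1", bytes.fromhex("000700000006010600010100")),   # not a controller
]


def run_sample():
    return detect_unexpected_modbus(SAMPLE_RECORDS, ["10.0.10.5"], "10.0.30.0/24")


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity']:8}] {a['src']} -> {a['dst']}: {a['detail']}")
```

The allowlist is deliberately a list of hosts rather than a subnet: the report's point is that the router, the management servers and the controllers all sat in one flat network, so a subnet rule would have matched the adversary hosts too. Writes from an allowed workstation are still recorded, since credentials stolen from a SAM dump let an attacker operate from an authorised host as well.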