The Russia-Ukraine Cyber War Part 3: Attacks on Telecom and Critical Infrastructure
This post is the third part of our blog series that tackles the Russia-Ukraine war in the digital realm.
In this installment, we take a look at how both countries disrupted operations and services in the telecommunications, critical infrastructure, and technology sectors.
Attacks Against Critical Infrastructure
Twenty Energy Enterprises in the Crosshairs: APT44 plan disrupted
In April 2024, the Ukrainian Cyber Security Situation Center (CSSC) was notified of a cyberattack on Lvivteploenergo, a municipal district energy company in Ukraine, that had occurred in January 2024. The attack disrupted heating and hot water for over 600 apartment buildings in Lviv during sub-zero temperatures.
Figure 1. Lvivteploenergo. Source: Google Maps.
Additionally, the Ukrainian Government Computer Emergency Response Team (CERT-UA) reported that this attack was part of a larger operation planned by APT44 (aka Sandworm) aimed at disrupting the ICS of about 20 entities in the energy, water, and heat supply sectors across ten Ukrainian regions. The breach at Lvivteploenergo and the indicators discovered there helped identify the other victims, as the initial infection occurred through a shared service provider.
Exploited Mikrotik and Abused ENCO Controllers
The investigation at Lvivteploenergo revealed that attackers had infiltrated the network nearly a year earlier, on April 17, 2023, by exploiting a vulnerability in an internet-exposed MikroTik router. A web shell deployed three days later allowed them to maintain access and escalate the attack against the corporate network. Between November and December, the attackers reportedly stole user credentials from the Security Account Manager (SAM) registry hive. In January 2024, malicious Modbus commands were sent to ENCO controllers, leading to inaccurate measurements and system failures. A later analysis by Dragos revealed a novel malware written in Golang, dubbed “FrostyGoop,” designed to target operational technology (OT) via the Modbus protocol.
FrostyGoop was designed to interact directly with industrial control systems (ICS) via Modbus TCP over port 502. It is compiled for Windows systems, and at the time of its discovery, antivirus vendors had not yet flagged it as malicious.
The victim network’s assets, which consisted of a router, management servers, and the district heating system controllers, were not adequately segmented within the network.
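Because Modbus TCP carries no authentication, a controller will honour a write request from any host that can reach port 502, so one practical detection for the kind of activity described above is to watch for write function codes arriving from hosts other than the engineering workstations that are supposed to issue them. The following script is an added example written for this post, not code from Trustwave, Dragos, or FrostyGoop; it parses the Modbus/TCP MBAP header and PDU from captured payloads and raises an alert for writes from any source outside an allowlist. The IP addresses, allowlist, and sample frames are constructed for illustration.

```python
"""Flag Modbus TCP write requests from hosts not authorized to change controller state.

Added example (not code from the Trustwave post or from Dragos). The sample
frames, addresses and allowlist below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that modify coils or registers on the target device.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header followed by the Modbus PDU (function code + data)."""
    if len(payload) < 8:
        raise ValueError("payload too short for an MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol identifier {proto} is not Modbus TCP")
    # The MBAP length field counts the unit id, function code and data bytes.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match payload size {len(payload) - 6}")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def detect_unauthorized_writes(records, authorized_writers):
    """records: iterable of (src_ip, dst_ip, payload). Returns a list of alert dicts."""
    alerts = []
    for src, dst, payload in records:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst, "reason": f"malformed Modbus frame: {exc}"})
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src not in authorized_writers:
            alerts.append({
                "src": src,
                "dst": dst,
                "reason": (f"{WRITE_FUNCTION_CODES[req.function_code]} "
                           f"(fc=0x{req.function_code:02x}) to unit {req.unit_id} "
                           f"from a host not authorized to write"),
            })
    return alerts


# Constructed sample traffic (hypothetical addresses); bytes.fromhex ignores the spaces.
SAMPLE_RECORDS = [
    # Read Holding Registers (fc 0x03) from the HMI: normal polling, no alert.
    ("10.0.10.5", "10.0.20.7", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Write Single Register (fc 0x06) from the engineering workstation: allowed.
    ("10.0.10.9", "10.0.20.7", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),
    # Write Multiple Registers (fc 0x10) from an unexpected host: alert.
    ("10.0.99.3", "10.0.20.7", bytes.fromhex("0003 0000 000B 01 10 0010 0002 04 0000 FFFF")),
]
AUTHORIZED_WRITERS = {"10.0.10.9"}  # constructed: the one engineering workstation

if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_RECORDS, AUTHORIZED_WRITERS):
        print(f"ALERT {alert['src']} -> {alert['dst']}: {alert['reason']}")
```

In a real deployment the records would come from a network tap on the OT segment rather than an inline list, and the allowlist should be paired with the segmentation the post notes was missing: if the router, management servers and heating controllers share one flat network, every compromised host is a potential Modbus writer.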
CERT-UA revealed that among all 20 targeted entities, at least three supply chains were compromised by the attackers. In some cases, the initial unauthorized access correlated with the installation of specialized software containing backdoors and vulnerabilities, while in others, the attackers used compromised employees’ accounts for the ICS service provider responsible for maintenance and technical support.
The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) assessed that these attacks were meant to amplify the impact of missile strikes on Ukraine’s infrastructure in the spring of 2024.
On March 22, 2024, Russia carried out one of the largest missile and drone attacks against Ukraine's infrastructure since the beginning of the conflict. Missiles and drones were launched against multiple targets, including energy infrastructure facilities. Kharkiv was left almost completely without electricity and water supply. The Dnieper Hydroelectric Station and the power line connecting to the Zaporizhzhia Nuclear Power Plant were damaged.
Figure 2. Regions affected by Russian strikes launched on March 22. Source: CNN.
The energy sector in Ukraine has remained a prime target for cyberattacks throughout 2024 and 2025, reflecting its critical role in sustaining the country's economic stability and military operations during the ongoing conflict.
Attacks on OT infrastructure in the US, Poland, and France
On January 17 and 18, 2024, the hacktivist group CyberArmyofRussia_Reborn (CARR) claimed responsibility for the overflow of water storage tanks in Abernathy and Muleshoe, Texas.
The attackers posted videos showing the manipulation of human-machine interfaces (HMIs) at each facility. This ICS compromise led to the loss of tens of thousands of gallons of water. Furthermore, CARR gained access to a U.S. energy company's supervisory control and data acquisition (SCADA) system, allowing the group to control the alarms and pumps for tanks within the system.
In another video, CARR took credit for manipulating HMIs controlling OT assets at the following Polish water utilities: Kąty, Przerosl, Sidra, and Wydminy.
On March 2, 2024, CARR posted a video claiming to disrupt electricity generation processes at a French hydroelectric facility by manipulating water levels.
A Trustwave SpiderLabs investigation conducted at that time revealed that Kąty, Przerosl, Sidra, and Wydminy were using an ICS system manufactured by Biogest International.
Figure 3. Polish water treatment plants accessed by CARR as seen on the hacktivist group’s video posted on Telegram. Source: SLR.
One of the affected plants, “Przerosl,” was listed on the Biogest website together with detailed on-site photos of the facility. This is no longer the case, and most of the other plants previously listed on the site have since been removed.
Figure 4. The Przerosl water treatment plant was previously listed on Biogest’s website.
Each of the videos posted by CyberArmyofRussia_Reborn appears to show an actor haphazardly interacting with interfaces controlling the respective water or hydroelectric facilities’ OT assets. Attackers also tampered with device settings such as HMI names.
Figure 5. Device identifiers changed by attackers. Source: SLR.
The specific HMI controllers used by Biogest ICS were found to be manufactured by a Taiwanese company called Weintek. This information allowed us to pinpoint the unique characteristics of these devices and investigate the prevalence of instances directly exposed to the internet.
We found more than 100 internet-facing Weintek-based devices (including Biogest ICS) in multiple countries worldwide, allowing unauthenticated VNC connections over port 5900 or 5901. This observation suggests that CARR might have gained access to the affected systems without using any sophisticated attack methods, such as exploits, but by simply accessing unsecured control panels via VNC.
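The exposure described above is visible in the first few bytes of a VNC session: after the version exchange, an RFB 3.7/3.8 server lists the security types it accepts, and a server that includes type 1 ("None") will let any client in without a password. The following script is an added example for this post, not code from Trustwave or from any Weintek or Biogest product; it analyzes the two directions of a captured handshake, as a defender would extract them from a packet capture of their own network, and reports sessions in which the server offered or the client selected unauthenticated access. The captures are constructed byte strings.

```python
"""Passive check of captured RFB (VNC) handshakes for unauthenticated access.

Added example (not code from the Trustwave post). Input is the first bytes of
each direction of a VNC TCP session, e.g. extracted from a pcap of your own
network. The sample captures below are constructed.
"""
import re

RFB_VERSION = re.compile(rb"RFB (\d{3})\.(\d{3})\n")
SECURITY_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                       5: "RA2", 16: "Tight", 19: "VeNCrypt"}


def analyze_rfb_handshake(server_to_client: bytes, client_to_server: bytes) -> dict:
    """Return the negotiated version, offered/chosen security types and a verdict."""
    if not RFB_VERSION.match(server_to_client):
        raise ValueError("server did not send an RFB ProtocolVersion message")
    client_version = RFB_VERSION.match(client_to_server)
    if not client_version:
        raise ValueError("client did not reply with an RFB ProtocolVersion message")
    major, minor = int(client_version.group(1)), int(client_version.group(2))
    if major != 3 or minor not in (3, 7, 8):
        raise ValueError(f"unsupported RFB version {major}.{minor}")

    server_rest = server_to_client[12:]   # bytes after the 12-byte version string
    client_rest = client_to_server[12:]

    if minor == 3:
        # RFB 3.3: the server dictates a single security type as a big-endian U32.
        if len(server_rest) < 4:
            raise ValueError("truncated 3.3 security-type message")
        offered = [int.from_bytes(server_rest[:4], "big")]
        chosen = offered[0]
    else:
        # RFB 3.7/3.8: server sends a count followed by the list; the client picks one.
        if not server_rest:
            raise ValueError("truncated security-types message")
        count = server_rest[0]
        if count == 0:
            # Zero types means the server refused the connection and sent a reason string.
            return {"version": f"3.{minor}", "offered": [], "chosen": None,
                    "unauthenticated": False, "refused": True}
        offered = list(server_rest[1:1 + count])
        chosen = client_rest[0] if client_rest else None

    return {
        "version": f"3.{minor}",
        "offered": [SECURITY_TYPE_NAMES.get(t, f"type {t}") for t in offered],
        "chosen": SECURITY_TYPE_NAMES.get(chosen, f"type {chosen}") if chosen is not None else None,
        # Offering "None" is the finding: the server will accept unauthenticated clients.
        "unauthenticated": 1 in offered,
        "refused": False,
    }


# Constructed captures: (server -> client bytes, client -> server bytes).
SAMPLE_SESSIONS = {
    "hmi-open": (b"RFB 003.008\n\x02\x01\x02", b"RFB 003.008\n\x01"),   # offers None, client takes it
    "hmi-auth": (b"RFB 003.008\n\x01\x02", b"RFB 003.008\n\x02"),       # VNC Authentication only
    "hmi-old": (b"RFB 003.003\n\x00\x00\x00\x02", b"RFB 003.003\n"),    # 3.3 server mandates auth
}


def find_unauthenticated(sessions):
    """Return the names of sessions whose server allows unauthenticated access."""
    return [name for name, (s2c, c2s) in sessions.items()
            if analyze_rfb_handshake(s2c, c2s)["unauthenticated"]]


if __name__ == "__main__":
    for name, (s2c, c2s) in SAMPLE_SESSIONS.items():
        print(name, analyze_rfb_handshake(s2c, c2s))
```

Note that a password on the VNC Authentication type is only a partial mitigation (the challenge-response is DES-based and limited to eight characters); the durable fix for the exposure the post describes is to keep HMI remote-access ports off the internet entirely and reach them only through an authenticated VPN or jump host.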
Russian SCADA Systems Under Fire – Cyber Anarchy Squad in Action
The Cyber.Anarchy.Squad (C.A.S) is a prominent Ukrainian hacktivist group that has emerged as an important actor on the Russia-Ukraine digital battlefield. The group targets Russian and Belarusian organizations that support the aggression against Ukraine and has gained recognition for its disruptive tactics and impactful cyber operations.
In June 2024, C.A.S reported an attack on IIS, a Russian company specializing in complex system integration and SCADA solutions for industrial facilities. IIS plays a critical role in managing and automating industrial processes across multiple sectors, making it a strategic, high-value target.
Figure 6. A post on the C.A.S Telegram channel claims the attack against a Russian complex systems integrator.
The attack disrupted operations and exposed vulnerabilities within IIS’s infrastructure, potentially impacting the industrial facilities it supports. C.A.S provided screenshots from multiple SCADA systems it claimed to have accessed following the IIS attack.
Figure 7. A post on the C.A.S Telegram channel features screenshots from SCADA systems the group claimed to have accessed.
Attacks Against Ukrainian Telecommunication Providers
In March 2024, the Solntsepek team claimed responsibility for an attack against four small Ukrainian internet service providers (ISPs), causing a week-long service disruption. According to the hackers, the affected companies, Triacom, Misto TV, Linktelecom, and KIM, were reportedly providing internet services to government agencies and portions of the Ukrainian armed forces. The group also claimed to have obtained their client databases and internal documentation.
Figure 8. The Solntsepek team claimed responsibility for an attack against four Ukrainian ISPs. Source: Telegram.
Translation:
ZELENSKY! ATTENTION!!!
We, the Solntsepyok hackers, continue to successfully disrupt the work of the critical infrastructure of Ukraine. This time we hacked 4 providers that provide Internet to government agencies, parts of the Armed Forces of Ukraine, as well as TCC - Triacom, Misto TV, Linktelecom and KIM.
As a result of the hack, the work of the providers was disrupted, and we have their client databases and internal documentation at our disposal.
P.S. Special thanks to our local agents who are helping to bring the end of Zelensky's criminal regime closer!!!
An analysis published by SentinelOne suggests that the novel malware AcidPour may have been used in these attacks. The analysis showed AcidPour had several similarities with the AcidRain malware, which was used to target Viasat in February 2022, an attack that we discussed in the first part of our series. This time, however, the binary was compiled for a wider range of Linux systems.
As confirmed by SpiderLabs, the first submission of the AcidPour binary to VirusTotal occurred in Ukraine on March 16, 2024, three days after the disruptive attacks announced by Solntsepek.
Figure 9. The AcidPour binary was submitted to VirusTotal on March 16, 2024. Source: SpiderLabs.
AcidPour’s wiping functionalities are equivalent to those of AcidRain. However, AcidPour extends the range of targeted Linux devices to include Device Mapper (MTD) and Unsorted Block Image (UBI) logic.
Figure 10. Decompiled code showing AcidPour’s wiping functionalities targeting MTD and UBI devices. Source: SpiderLabs.
Kyivstar Attack — Millions of Clients Affected
On December 12, 2023, Kyivstar, the biggest Ukrainian telecommunications provider, which serves more than half of Ukraine’s population, suffered a large-scale network failure caused by a cyberattack. As reported, shops throughout the country could not process credit card payments, many ATMs halted cash withdrawals, and in some regions, on top of disrupted mobile communications, even wired internet connections did not work.
The attack was attributed to APT44, based on several similarly destructive attacks conducted in the past. However, APT44-affiliated cyber group Solncepek (Solntsepek) assumed responsibility for the attack on its Telegram channel.
Screenshots provided by Solntsepek showed a list of computers in Active Directory, the Exchange Server admin center, a VMware Aria server, and an internal management tool. It took seven days to repair the damage and restore communications.
Figure 11. A post on Solntsepek’s Telegram channel claimed that the group was fully responsible for the attack against Kyivstar.
Kyivstar CEO Oleksandr Komarov shed some light on the initial attack vector, pointing to a compromised employee account that allowed the attackers to move laterally and compromise other accounts. Eventually, this led the attackers to an account with administrative privileges. Once the attackers gained control over Active Directory, they could do whatever they wanted from there, such as deleting backups and deploying malware through Group Policy Objects (GPO).
The Kyivstar attack shares certain similarities with previous APT44 attacks against telecommunications providers in Ukraine as reported by CERT-UA.
Backdoored PAM Module and Hardcoded Passwords
During the aforementioned attacks, several malware types were discovered. A malicious PAM module, tracked as POEMGATE, was discovered on the compromised Linux servers. It allowed the attackers to authenticate with a statically defined password and had the capability to store the logins and passwords entered during authentication in an XOR-encoded file.
Figure 12. Static passwords are defined in a backdoored PAM module. Source: SpiderLabs.
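A backdoored PAM module such as the one described above is, on disk, a shared object that either replaced a distribution-shipped file or was added and then referenced from a service file under /etc/pam.d. Both changes can be caught by comparing the PAM stack against a known-good manifest. The script below is an added example for this post, not code from Trustwave or CERT-UA and not a detection for POEMGATE specifically; it hashes every module in the PAM module directory, checks each against a manifest of expected SHA-256 values, and parses the pam.d service files to flag any module they load that is not in the manifest. The directory layout, file contents and manifest are constructed in a temporary directory so the example runs offline; the real paths would be /etc/pam.d and the distribution's security module directory (for example /lib/x86_64-linux-gnu/security on Debian-based systems).

```python
"""Audit PAM module files and pam.d service files against a known-good manifest.

Added example (not code from the Trustwave post or CERT-UA). The manifest would
normally be produced from package metadata on a trusted host; here the layout and
hashes are constructed in a temporary directory for demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_pamd_modules(pamd_dir: Path):
    """Yield (service, module_name) for every module line in the pam.d directory.

    Lines have the form: type control module-path [args]. The control field may be a
    bracketed expression containing spaces, e.g. [success=1 default=ignore].
    """
    for svc in sorted(pamd_dir.iterdir()):
        if not svc.is_file():
            continue
        for raw in svc.read_text().splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line or line.startswith("@include"):
                continue
            fields = line.split()
            if len(fields) > 1 and fields[1].startswith("["):
                end = next((i for i, f in enumerate(fields) if f.endswith("]")), 1)
                fields = fields[:1] + [" ".join(fields[1:end + 1])] + fields[end + 1:]
            if len(fields) < 3:
                continue
            yield svc.name, os.path.basename(fields[2])


def audit_pam(pamd_dir, module_dir, manifest: dict) -> list:
    """Return (finding_type, detail) tuples for files or references that deviate from the manifest."""
    findings = []
    for so in sorted(Path(module_dir).glob("*.so")):
        expected = manifest.get(so.name)
        if expected is None:
            findings.append(("unknown_module_file", so.name))      # dropped after baseline
        elif expected != sha256_file(so):
            findings.append(("modified_module", so.name))          # replaced/trojaned
    for service, module in parse_pamd_modules(Path(pamd_dir)):
        if module not in manifest:
            findings.append(("unlisted_module_referenced", f"{service}: {module}"))
    return findings


def build_demo():
    """Constructed layout: two baseline modules, one extra module wired into sshd."""
    root = Path(tempfile.mkdtemp())
    pamd, mods = root / "pam.d", root / "security"
    pamd.mkdir()
    mods.mkdir()
    (mods / "pam_unix.so").write_bytes(b"ELF-placeholder pam_unix")   # stand-in for a real .so
    (mods / "pam_deny.so").write_bytes(b"ELF-placeholder pam_deny")
    manifest = {name: sha256_file(mods / name) for name in ("pam_unix.so", "pam_deny.so")}
    # Module added after the manifest was taken and referenced from the sshd stack.
    (mods / "pam_helper.so").write_bytes(b"ELF-placeholder unexpected")
    (pamd / "sshd").write_text("auth required pam_unix.so\nauth sufficient pam_helper.so\n")
    (pamd / "login").write_text(
        "# comment\nauth [success=1 default=ignore] pam_unix.so nullok\nauth required pam_deny.so\n")
    return pamd, mods, manifest


if __name__ == "__main__":
    for kind, detail in audit_pam(*build_demo()):
        print(f"{kind}: {detail}")
```

A module marked `sufficient` before the real authentication module, as in the constructed sshd stack, is exactly the placement that lets a static password succeed without consulting the system password database, which is why the audit reports references in service files and not only the module hashes.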
WhiteCat Log Cleaner — An Old Tool with a New Twist
To remove any evidence of potentially unauthorized activity, APT44 leveraged a utility dubbed WhiteCat. It is designed to clear various log files typically found on web servers, such as access or error logs. A SpiderLabs investigation revealed that this tool is based on WhiteCat log cleaner code originally posted on a Russian forum in 2007 by a user named ShadOS. However, its functionality has been significantly extended.
Figure 13. The original version of the WhiteCat log cleaner was posted in a Russian forum.
Figure 14. WhiteCat log cleaner source code from 2007 is visible via the Wayback Machine.
Figure 15. WhiteCat log cleaner utility used by APT44. The same strings can be found in the original code from 2007.
Attacks Against the Technology Sector
Electronic Trading Platform Under Attack
On January 13, 2025, the pro-Ukrainian hacktivist group Yellow Drift launched a high-profile cyberattack against Roseltorg, a prominent Russian electronic trading platform. As one of Russia’s key platforms for public procurement and tenders, Roseltorg plays a significant role in government operations and economic activity, making it a strategic and symbolic target for hacktivist efforts aligned with Ukraine.
Figure 16. Roseltorg’s Telegram statement.
While details about the exact methods are limited, initial analysis suggests the attackers used a mix of spear-phishing campaigns and exploitation of known vulnerabilities to infiltrate Roseltorg’s network. The attackers may also have employed credential-stuffing attacks using login credentials stolen in previous breaches. Once inside the network, they exfiltrated critical data and potentially deployed wiper malware to disrupt Roseltorg’s operations.
Following up on Roseltorg’s statement, Yellow Drift claimed that 550 TB of data was affected, including backups, emails, and certificates.
Figure 17. Yellow Drift’s Telegram channel post detailing claims about the attack against the Russian company.
UCA Shuts Down Russian Internet Provider — Nodex
On January 7, 2025, the pro-Ukrainian group Ukrainian Cyber Alliance (UCA) claimed an attack on the Russian internet provider Nodex. The group claimed to have exfiltrated an unspecified amount of data and wiped the provider's devices. Nodex confirmed the disruption and informed users that restoration from backups was underway.
Figure 18. Nodex’s statement posted on VKontakte. Source: SpiderLabs.
Figure 19. Ukrainian Cyber Alliance claims an attack against the Russian internet provider that wiped all its data.
On July 26, 2024, the pro-Ukrainian group C.A.S announced the breach of the Russian information security company AVANPOST (avanpost.ru). AVANPOST develops authorization and authentication systems used by high-profile companies in the Russian Federation. The group claimed to have encrypted 405 virtual machines, destroying over 60 TB of data.
Some of the security solutions developed by AVANPOST include:
- Avanpost IDM (Identity governance and administration)
- Avanpost MFA+ (Multi-factor authentication)
- Avanpost FAM (Federated identity management)
- Avanpost DS (Directory service, add-on to Active Directory)
- Avanpost PKI (Public key infrastructure)
Figure 20. C.A.S claims that on June 26, 2024, the group breached the Russian Information Security company.
Please join us in the next part of our series.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.