Anatomy of the Ukrainian assault
Within the Ukrainian assault, investigators imagine that hackers broke into the district power firm’s community by exploiting a vulnerability in a Mikrotik router, with the preliminary entry occurring in April 2023. They then deployed a webshell on the router’s net server to allow distant entry and tunnel into the community.
The attackers then frolicked accumulating info and planning the subsequent step of their assault till December 2023 once they dropped the Safety Account Supervisor (SAM) registry hive and extracted credentials from the system. Whereas a lot of the connections to the webshell have been executed by way of the Tor anonymity community, the hackers additionally arrange L2TP tunneling to Moscow-based IP addresses.
“The sufferer community property, which consisted of a Mikrotik router, 4 administration servers, and the district heating system controllers, weren’t adequately segmented throughout the community,” the Dragos researchers concluded. “A forensic examination in the course of the investigation confirmed that the adversaries despatched Modbus instructions on to the district heating system controllers from adversary hosts, facilitated by hardcoded community routes.”
