CERT-UA discloses Sandworm attack on infrastructure facilities


The governmental computer emergency response team of Ukraine CERT-UA, which operates under the State Special Communications Service, disclosed the malicious intent of the UAC-0133 (Sandworm) group aimed at disrupting the operation of information and communication systems (ICS) of about twenty enterprises in the energy, water and heat supply sectors in ten regions of Ukraine.

The Sandworm group, whose activities are associated with the General Staff of the Russian Federation Armed Forces (formerly known as the game), is one of the most active and dangerous.

What happened

Almost two dozen Ukrainian companies that supply electricity, water and heat to Ukrainians were targeted by hackers.

The enemy’s ultimate plan was to disable the ICS equipment, which would have caused even more damage to Ukraine against the backdrop of spring missile attacks on critical infrastructure.

Деталі атаки

Details of the attack

  • In addition to the QUEUESEED backdoor (KNUCKLETOUCH, ICYWELL, WRONGSENS, KAPEKA), known since 2022, new attacker tools have been discovered: LOADGRIP and BIASBOAT (Linux variant of QUEUESEED).
  • The targets were computers used to control technological processes with domestic special software.
  • BIASBOAT was encrypted for a specific server using a “machine-id” obtained by the attackers in advance.
  • At least three “supply chains” were compromised:
    • Installation of software containing program bookmarks and vulnerabilities.
    • Using the in-house technical capabilities of the vendor’s employees to gain access to the organizations’ ICS.
  • The attackers used compromised computers to spread the attack to corporate networks of enterprises.
  • The compromised computers were found to contain the WEEVELY PHP web shell, the REGEORG.NEO or PIVOTNACCI PHP tunnel.

Why it is important

Experts note that this attack is evidence that Russia continues to use cyberattacks as a weapon against Ukraine. In particular, the Sandworm group continues to actively attack Ukraine.

Therefore, CI infrastructure enterprises should take all necessary measures to protect their ICS.

It is important that all Ukrainians are aware of this threat and take steps to protect themselves and their data.

Деталі атаки


The State Special Communications Service makes the following recommendations:

  • Segment networks and restrict access to ICS elements using the principle of minimum necessity and zero trust.
  • Use multi-factor authentication.
  • Train staff in the basics of cybersecurity.


Please enter your comment!
Please enter your name here