CyberSecurity SEE

ICS malware FrostyGoop disrupts heating in Ukraine, remains threat to OT worldwide

Investigators have revealed that the attackers gained initial access to the district energy company's network by exploiting a vulnerability in a MikroTik router. That breach occurred in April 2023 and was the first step of a sophisticated intrusion that unfolded over the following months.

Once inside, the attackers deployed a webshell on the router's web server, which gave them remote access and let them tunnel into the internal network. From that foothold they gathered information about the environment and planned their subsequent moves.

By December 2023 the attackers had taken a critical step: they dumped the Security Account Manager (SAM) registry hive and extracted credentials from it, consolidating their control of the network while remaining undetected. Although many of their connections were routed through the Tor anonymity network, they also used L2TP tunnels to connect to IP addresses located in Moscow.

Dragos researchers involved in the investigation found that the victim's network assets, including the compromised MikroTik router, four management servers, and the district heating system controllers, were not segmented from one another. Because nothing separated the compromised hosts from the control network, the attackers could reach the heating controllers directly, sending Modbus commands to them from their own hosts over hardcoded network routes and manipulating the system remotely.
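The point above is that Modbus has no authentication of its own, so once an attacker's host can route to a controller it can issue the same write commands an engineering workstation would. A monitoring check that a defender would want is therefore simple: parse Modbus/TCP traffic reaching the controllers and alert on any state-changing function code from a source that is not an approved writer. The following is an added example written for this article, not code from Dragos or from the victim's environment; the IP addresses, the allowlist and the Modbus frames are all constructed for illustration, and the frame layout follows the public Modbus/TCP specification (7-byte MBAP header followed by the PDU).

```python
"""Flag Modbus/TCP write requests sent to controllers by hosts that are not
approved engineering stations. Added example; all hosts and frames below are
constructed, not captured from any real network."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public Modbus function codes that change controller state.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src_ip: str
    dst_ip: str
    unit_id: int
    function_code: int
    pdu: bytes  # bytes following the function code


def parse_modbus_tcp(src_ip: str, dst_ip: str, frame: bytes) -> Optional[ModbusRequest]:
    """Parse MBAP header (transaction id, protocol id, length, unit id) + PDU.
    Returns None for frames that are too short or internally inconsistent,
    so malformed or truncated traffic is skipped rather than misread."""
    if len(frame) < 8:
        return None
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:              # protocol id is always 0 for Modbus
        return None
    if length != len(frame) - 6:   # length field counts unit id + PDU
        return None
    return ModbusRequest(src_ip, dst_ip, unit_id, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Human-readable summary of what a write request would change."""
    if req.function_code in (5, 6) and len(req.pdu) >= 4:
        addr, value = struct.unpack(">HH", req.pdu[:4])
        return f"addr={addr} value={value:#06x}"
    if req.function_code in (15, 16, 23) and len(req.pdu) >= 4:
        addr, qty = struct.unpack(">HH", req.pdu[:4])
        return f"addr={addr} quantity={qty}"
    return "unparsed"


def detect_unauthorised_writes(frames: List[Tuple[str, str, bytes]],
                               allowed_writers: set) -> List[dict]:
    """Return one alert per write request whose source is not an allowed writer."""
    alerts = []
    for src, dst, frame in frames:
        req = parse_modbus_tcp(src, dst, frame)
        if req is None or req.function_code not in WRITE_FUNCTION_CODES:
            continue
        if src not in allowed_writers:
            alerts.append({
                "src": src,
                "dst": dst,
                "unit_id": req.unit_id,
                "function": WRITE_FUNCTION_CODES[req.function_code],
                "detail": describe_write(req),
            })
    return alerts


# Constructed sample traffic: (source, destination, Modbus/TCP frame).
# 10.10.1.5 is a hypothetical HMI, 10.10.1.20 a hypothetical engineering
# station, 10.10.200.7 a hypothetical host on an unsegmented management subnet.
SAMPLE_FRAMES = [
    # HMI reads 10 holding registers (FC 3): benign, not a write
    ("10.10.1.5", "10.10.5.1", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # engineering station writes register 16 := 100 (FC 6): allowed writer
    ("10.10.1.20", "10.10.5.1", bytes.fromhex("0002 0000 0006 01 06 0010 0064")),
    # management host writes register 16 := 0 (FC 6): not an allowed writer
    ("10.10.200.7", "10.10.5.1", bytes.fromhex("0003 0000 0006 01 06 0010 0000")),
    # management host writes 2 registers at 16 (FC 16): not an allowed writer
    ("10.10.200.7", "10.10.5.1", bytes.fromhex("0004 0000 000B 01 10 0010 0002 04 0000 0000")),
    # truncated frame: parser must skip it rather than crash
    ("10.10.200.7", "10.10.5.1", bytes.fromhex("0005 0000")),
]
ALLOWED_WRITERS = {"10.10.1.20"}


def run_demo() -> List[dict]:
    return detect_unauthorised_writes(SAMPLE_FRAMES, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT {alert['src']} -> {alert['dst']} unit {alert['unit_id']}: "
              f"{alert['function']} ({alert['detail']})")
```

On the constructed traffic this reports the two writes from 10.10.200.7 and stays silent on the HMI read, the engineering station's write and the truncated frame. Running a check like this on a span port in front of the controllers would not have prevented the intrusion described here, but it would have surfaced the moment a host outside the expected set began issuing Modbus writes, which in this incident went unnoticed.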

The forensic examination traced each stage of the attack and exposed the weaknesses in the network infrastructure that made it possible. The attackers showed considerable skill and patience, executing each step of their plan over the course of several months.

The incident is a stark reminder that organizations of every size and sector face persistent cybersecurity threats. Robust security controls, regular vulnerability assessments, and prompt incident response procedures are essential, and as technology advances, so must the defenses that protect sensitive data and critical infrastructure from malicious actors.
