ICS malware FrostyGoop disrupted heating in Ukraine, remains threat to OT worldwide
- by nlqip
Anatomy of the Ukrainian attack
In the Ukrainian attack, investigators believe that hackers broke into the district energy company’s network by exploiting a vulnerability in a Mikrotik router, with the initial access happening in April 2023. They then deployed a webshell on the router’s web server to enable remote access and tunnel into the network.
The attackers then spent time collecting information and planning the next step of their attack until December 2023, when they dumped the Security Account Manager (SAM) registry hive and extracted credentials from the system. While most of the connections to the webshell were made via the Tor anonymity network, the hackers also set up L2TP tunneling to Moscow-based IP addresses.
“The victim network assets, which consisted of a Mikrotik router, four management servers, and the district heating system controllers, were not adequately segmented within the network,” the Dragos researchers concluded. “A forensic examination during the investigation showed that the adversaries sent Modbus commands directly to the district heating system controllers from adversary hosts, facilitated by hardcoded network routes.”
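A defender-side illustration of the segmentation point above, added here and not code from the Dragos report or the original article: a small Modbus/TCP header parser that flags controller traffic from any host outside an allowlist of engineering stations, and names write function codes. The host addresses, the allowlist and the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that change controller state (standard codes).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusEvent:
    src: str
    dst: str
    unit_id: int
    function: int
    payload: bytes

def parse_modbus_tcp(src: str, dst: str, data: bytes) -> Optional[ModbusEvent]:
    """Parse the 7-byte MBAP header plus function code; None if malformed."""
    if len(data) < 8:
        return None
    _txid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    # Protocol id must be 0 and the length field covers unit id + PDU.
    if proto != 0 or length != len(data) - 6:
        return None
    return ModbusEvent(src, dst, unit, data[7], data[8:])

def flag_event(ev: ModbusEvent, controllers: set, engineering: set) -> Optional[str]:
    """A finding for Modbus sent to a controller by a non-allowlisted host."""
    if ev.dst not in controllers or ev.src in engineering:
        return None
    kind = WRITE_FUNCTIONS.get(ev.function, f"FC{ev.function}")
    return f"{kind} to controller {ev.dst} unit {ev.unit_id} from unexpected host {ev.src}"

def scan(flows: List[Tuple[str, str, bytes]], controllers: set, engineering: set) -> List[str]:
    findings = []
    for src, dst, data in flows:
        ev = parse_modbus_tcp(src, dst, data)
        if ev is not None:
            finding = flag_event(ev, controllers, engineering)
            if finding:
                findings.append(finding)
    return findings

# Constructed sample: an engineering station reading registers (expected),
# and a router-side host writing a register directly to a heating controller.
CONTROLLERS = {"10.0.9.11"}
ENGINEERING = {"10.0.5.20"}
READ_REGS = b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"   # FC3, 10 regs
WRITE_REG = b"\x00\x01\x00\x00\x00\x06\x01\x06\x00\x10\x00\x41"   # FC6, reg 0x10
SAMPLE_FLOWS = [("10.0.5.20", "10.0.9.11", READ_REGS),
                ("10.0.1.1", "10.0.9.11", WRITE_REG)]

if __name__ == "__main__":
    for line in scan(SAMPLE_FLOWS, CONTROLLERS, ENGINEERING):
        print(line)
```

In a real deployment the flows would come from a network tap on the controller segment, with the allowlist derived from the documented engineering workstations.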