Anatomy of the Ukrainian attack

In the Ukrainian attack, investigators believe that hackers broke into the district energy company’s network by exploiting a vulnerability in a Mikrotik router, with the initial access happening in April 2023. They then deployed a webshell on the router’s web server to enable remote access and tunnel into the network.

The attackers then spent time collecting information and planning the next step of their attack until December 2023 when they dropped the Security Account Manager (SAM) registry hive and extracted credentials from the system. While most of the connections to the webshell were done via the Tor anonymity network, the hackers also set up L2TP tunneling to Moscow-based IP addresses.

“The victim network assets, which consisted of a Mikrotik router, four management servers, and the district heating system controllers, were not adequately segmented within the network,” the Dragos researchers concluded. “A forensic examination during the investigation showed that the adversaries sent Modbus commands directly to the district heating system controllers from adversary hosts, facilitated by hardcoded network routes.”