Anatomy of the invasion of Ukraine
In the Ukraine attack, investigators believe hackers breached the regional power company’s network by exploiting a vulnerability in a Mikrotik router, with the first access occurring in April 2023. They then executed a webshell on the router’s web server to enable remote access and tunneling. on the network.
The attackers then spent time gathering information and planning the next step of their attack until December 2023 when they dropped the Security Account Manager (SAM) registration nest and extracted credentials from the system. While most connections to the webshell were made through the Tor network of anonymity, the hackers also set up an L2TP tunnel to Moscow IP addresses.
“The network assets of the victims, which included a Mikrotik router, four management servers, and district heating system controllers, were not sufficiently isolated within the network,” Dragos’ researchers concluded. “Expert tests during the investigation showed that the enemies sent Modbus commands directly to the controllers of the district heating system from enemy observers, guided by hard-coded network routes.”
Source link