Telecom Giants Unite Against Mysterious ‘Sandman’ Cyber Intruder

Prateek Kumar Gupta
4 min read · Sep 23, 2023


Introduction

A previously undocumented threat actor, dubbed Sandman, has been attributed to a set of cyber attacks targeting telecommunication providers across three continents. The group surfaced in August and has been deploying a novel backdoor using LuaJIT, a Just-In-Time Compiler for the Lua programming language. The Sandman APT (Advanced Persistent Threat) is believed to be a highly sophisticated group that has been able to evade detection for some time. In this blog, we will explore the details of the Sandman APT, their tactics, techniques, and procedures (TTPs), and the impact of their attacks on the telecom sector.

Who is Sandman APT?

Sandman APT is a previously unknown threat actor that has been targeting telecommunication service providers in the Middle East, Western Europe, and South Asia. The group has been using a novel backdoor that employs LuaJIT, a Just-In-Time Compiler for the Lua programming language. The backdoor is designed to evade detection and is highly sophisticated, making it difficult to detect and remove. The group is believed to be a state-sponsored actor due to the level of sophistication of their attacks and the resources required to carry out such attacks.

Sandman APT’s Tactics, Techniques, and Procedures (TTPs)

The Sandman APT has been using a variety of tactics, techniques, and procedures to carry out their attacks. Some of the TTPs used by the group include:

  • Strategic Lateral Movement: The Sandman APT moves laterally within the network to specifically targeted workstations in order to reach sensitive data.
  • Novel Backdoor: The group has been deploying a novel backdoor that employs LuaJIT, a Just-In-Time Compiler for the Lua programming language. The backdoor is designed to evade detection and is highly sophisticated, making it difficult to detect and remove.
  • Social Engineering: The Sandman APT has been using social engineering tactics to trick employees into downloading and installing malware. This is often done through phishing emails that appear to be legitimate.
  • Exploiting Vulnerabilities: The group has been exploiting vulnerabilities in software and hardware to gain access to networks. This includes exploiting zero-day vulnerabilities that have not yet been patched.

Impact of Sandman APT’s Attacks

The attacks carried out by the Sandman APT have had a significant impact on the telecom sector. The group has been able to gain access to sensitive data and has been using this data for espionage purposes. The attacks have also caused significant financial damage to the targeted companies, as they have had to spend large amounts of money to remediate the damage caused by the attacks.

“Know your enemy and know yourself, and you can fight a hundred battles without disaster.” — Sun Tzu, The Art of War

A Python script that checks the software versions on your network against a vulnerability database API (the endpoint used below is a placeholder, not a real service):

```python
import requests

# Placeholder endpoint from the original post; it is not a real service.
# Replace it with the vulnerability feed or API your organization uses.
VULN_API_URL = "https://vulnerability-database.com/api/v1/check"


def check_vulnerabilities():
    # Software inventory to check: product name -> installed version
    software_versions = {
        "Windows": "10.0.19042",
        "Linux Kernel": "5.4",
        "Adobe Acrobat Reader": "2021.001.20149",
    }

    for software, version in software_versions.items():
        # Query the vulnerability database or API for known issues in this version.
        # `params` URL-encodes the values; `timeout` keeps a dead endpoint from hanging the script.
        try:
            response = requests.get(
                VULN_API_URL,
                params={"software": software, "version": version},
                timeout=10,
            )
        except requests.RequestException as exc:
            print(f"Failed to check {software} version {version}: {exc}")
            continue

        if response.status_code == 200:
            data = response.json()
            if data.get("is_vulnerable"):
                print(f"{software} version {version} is vulnerable. Update or apply patches.")
            else:
                print(f"{software} version {version} is up to date.")
        else:
            print(f"Failed to check {software} version {version} (HTTP {response.status_code}).")


def main():
    print("Checking for software vulnerabilities...")
    check_vulnerabilities()


if __name__ == "__main__":
    main()
```
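The script above depends on a remote API to decide whether a version is vulnerable. The following is an added example, not code from the original post, showing the comparison that such a service performs: each inventory entry is checked against a table of affected version ranges (first affected version inclusive, first fixed version exclusive). The advisory table, the EXAMPLE-ADV-* identifiers and the inventory are constructed sample data; the version parser pads shorter versions with zeros so that 5.4 and 5.4.0 compare as equal, and drops pre-release suffixes such as -rc1.

```python
"""Offline version-range check against a constructed advisory table.

Added example, not code from the original post. The advisories, identifiers
(EXAMPLE-ADV-*) and the inventory below are constructed sample data.
"""
import re
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn '10.0.19042' or '2021.001.20149' into a tuple of ints.

    A pre-release or build suffix ('5.4-rc1', '1.2.3+build7') is dropped, so the
    string is compared as its base version. Leading zeros ('001') become 1.
    """
    base = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", base))


def _pad(t: tuple, n: int) -> tuple:
    # Pad with zeros so '5.4' and '5.4.0' compare as equal (tuple comparison
    # alone would rank the shorter tuple as smaller).
    return t + (0,) * (n - len(t))


def version_in_range(version: str, lower: str, upper: str) -> bool:
    """True when lower <= version < upper (lower inclusive, upper exclusive)."""
    v, lo, hi = (parse_version(s) for s in (version, lower, upper))
    n = max(len(v), len(lo), len(hi))
    return _pad(lo, n) <= _pad(v, n) < _pad(hi, n)


@dataclass(frozen=True)
class Advisory:
    software: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first patched version (exclusive upper bound)
    advisory_id: str    # constructed placeholder label, not a real CVE id


# Constructed advisory table, standing in for the feed the script above queries.
ADVISORIES = [
    Advisory("Windows", "10.0.0", "10.0.19043", "EXAMPLE-ADV-001"),
    Advisory("Linux Kernel", "5.0", "5.4.1", "EXAMPLE-ADV-002"),
    Advisory("Adobe Acrobat Reader", "2021.001.0", "2021.001.20150", "EXAMPLE-ADV-003"),
]


def scan(inventory: dict) -> list:
    """Return (software, version, advisory_id) for every inventory entry that
    falls inside an advisory's affected range. Software with no advisory, or
    with a version at or past fixed_in, produces no finding."""
    findings = []
    for software, version in inventory.items():
        for adv in ADVISORIES:
            if adv.software == software and version_in_range(
                version, adv.affected_from, adv.fixed_in
            ):
                findings.append((software, version, adv.advisory_id))
    return findings


# Constructed inventory: two affected, one already patched, one with no advisory.
INVENTORY = {
    "Windows": "10.0.19042",
    "Linux Kernel": "5.4.1",
    "Adobe Acrobat Reader": "2021.001.20149",
    "OpenSSH": "9.0",
}

if __name__ == "__main__":
    for software, version, adv_id in scan(INVENTORY):
        print(f"{software} {version}: affected by {adv_id}, update or apply patches")
```

Running the block reports Windows 10.0.19042 and Adobe Acrobat Reader 2021.001.20149 as affected; Linux Kernel 5.4.1 equals the fixed_in bound and is therefore not flagged, and OpenSSH has no advisory entry. Real advisory feeds also carry product-specific version schemes, so the parser here is a starting point rather than a universal comparator.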

Conclusion

The Sandman APT is a highly sophisticated threat actor that has been targeting telecommunication service providers across three continents. The group has been using a novel backdoor that employs LuaJIT, a Just-In-Time Compiler for the Lua programming language, to evade detection. The Sandman APT has been using a variety of tactics, techniques, and procedures to carry out their attacks, including social engineering, exploiting vulnerabilities, and strategic lateral movement. The attacks carried out by the group have had a significant impact on the telecom sector, causing financial damage and compromising sensitive data. It is important for organizations to be aware of the threat posed by the Sandman APT and to take steps to protect themselves from these attacks. This includes implementing strong security measures, training employees on how to identify and avoid phishing emails, and keeping software and hardware up-to-date with the latest security patches.


Written by Prateek Kumar Gupta

A proactive B.Tech Information Technology student at Sharda University. Possesses cybersecurity, IT, leadership and writing skills.
