UK cybersecurity agency and partners expose Russian malware campaign targeting the Ukrainian military
Collaborative efforts between cybersecurity and intelligence agencies from the UK, US, Australia, Canada, and New Zealand have brought to light a sophisticated mobile malware strain targeting Android devices used by the Ukrainian military.
The malware, named ‘Infamous Chisel’, has been attributed to the Russian state-sponsored threat actor known as Sandworm. Infamous Chisel provides persistent remote access to compromised devices, scans them for files of interest, monitors network traffic, and periodically exfiltrates sensitive data.
The Security Service of Ukraine (SBU) had already exposed parts of this malware in August, when it reported thwarting attempts to use it to penetrate Ukrainian military systems and gather intelligence.
Russian forces first captured tablets used by Ukrainian military personnel on the battlefield. Those tablets then served as a foothold from which the attackers distributed the malware to other devices via the Android Debug Bridge (ADB) command-line tool.
Operating since at least 2014, Sandworm is notorious for its series of disruptive and destructive cyber campaigns, leveraging malware strains like NotPetya, Industroyer, and BlackEnergy.
In July 2023, Google-owned Mandiant described the GRU's cyber operations playbook, highlighting how readily its operators adapt in a fast-moving, contested environment: they adjust tactics quickly to maximise the speed, scale, and intensity of their operations while limiting the chance of detection.
Infamous Chisel is a collection of components built to give remote access to, and exfiltrate data from, Android devices. Besides scanning for information and for files whose extensions match a predefined list, the malware periodically scans the local network and exposes an SSH (Secure Shell) service. Remote access is provided by configuring and running Tor (The Onion Router) with a hidden service that forwards to a modified Dropbear binary, which supplies the SSH connectivity.
Persistence is achieved by replacing the legitimate netd daemon, which handles network configuration on Android, with a malicious version that can execute commands with root privileges. Exfiltration runs on a schedule: file and device data are collected daily, data from specific military applications is taken every ten minutes, and the local area network is scanned once every two days.
Despite the breadth of its capabilities, the malware makes little attempt at obfuscation or defence evasion. This may reflect the fact that many Android devices run no host-based detection, so stealth was not a priority for the threat actor.
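The Tor hidden service described above is configured with Tor's standard `HiddenServiceDir` and `HiddenServicePort` directives, so one practical check on a suspect device is to parse any torrc found on it and confirm what each hidden service forwards to, then probe those local targets for an SSH banner (RFC 4253 format, `SSH-2.0-<software>`) and see whether the software string identifies Dropbear. The following Python is an added example written for this article, not code from the advisory or from the malware: the torrc text, the file paths in it and the probe banners are constructed samples, not indicators from the report, and on a real device the `SAMPLE_BANNERS` lookup would be replaced by an actual socket probe of each target host and port.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HiddenService:
    directory: str      # HiddenServiceDir path
    virtual_port: int   # port exposed on the .onion address
    target_host: str    # where Tor forwards the connection locally
    target_port: int


def parse_hidden_services(torrc: str) -> List[HiddenService]:
    """Extract hidden services from torrc text.

    Tor's config grammar: a HiddenServiceDir line starts a service, and each
    following HiddenServicePort <virtport> [target] belongs to it. The target
    may be "host:port", a bare "port" (host defaults to 127.0.0.1), or absent
    (defaults to 127.0.0.1:<virtport>). Comments begin with '#'.
    """
    services: List[HiddenService] = []
    current_dir: Optional[str] = None
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "hiddenservicedir" and len(parts) >= 2:
            current_dir = parts[1]
        elif key == "hiddenserviceport" and len(parts) >= 2 and current_dir is not None:
            virtual_port = int(parts[1])
            host, port = "127.0.0.1", virtual_port
            if len(parts) >= 3:
                target = parts[2]
                if ":" in target:
                    host, port_text = target.rsplit(":", 1)
                    port = int(port_text)
                else:
                    port = int(target)
            services.append(HiddenService(current_dir, virtual_port, host, port))
    return services


# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments] CR LF
SSH_BANNER = re.compile(rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?\r?\n?$")


def parse_ssh_banner(banner: bytes) -> Optional[Dict[str, str]]:
    """Return protocol and software version from an SSH banner, or None if not SSH."""
    match = SSH_BANNER.match(banner)
    if match is None:
        return None
    return {"protocol": match["proto"].decode(), "software": match["software"].decode()}


def is_dropbear(banner: bytes) -> bool:
    """Dropbear identifies itself as e.g. 'dropbear_2020.81' in the software field."""
    info = parse_ssh_banner(banner)
    return info is not None and info["software"].lower().startswith("dropbear")


def hidden_ssh_services(
    torrc: str, banners: Dict[Tuple[str, int], bytes]
) -> List[Tuple[HiddenService, bool]]:
    """Pair each hidden service whose local target speaks SSH with a Dropbear flag.

    `banners` maps (host, port) to the banner a probe of that target returned;
    in this offline example it is a constructed dict rather than a live probe.
    """
    hits: List[Tuple[HiddenService, bool]] = []
    for service in parse_hidden_services(torrc):
        banner = banners.get((service.target_host, service.target_port))
        if banner is not None and parse_ssh_banner(banner) is not None:
            hits.append((service, is_dropbear(banner)))
    return hits


# Constructed sample torrc and probe results (hypothetical paths and ports, not IOCs).
SAMPLE_TORRC = """\
# constructed sample, not from the advisory
SocksPort 0
HiddenServiceDir /data/local/tmp/hs_ssh
HiddenServicePort 22 127.0.0.1:2222
HiddenServiceDir /data/local/tmp/hs_web
HiddenServicePort 80 8080
"""
SAMPLE_BANNERS: Dict[Tuple[str, int], bytes] = {
    ("127.0.0.1", 2222): b"SSH-2.0-dropbear_2020.81\r\n",
    ("127.0.0.1", 8080): b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for service, dropbear in hidden_ssh_services(SAMPLE_TORRC, SAMPLE_BANNERS):
        print(f"onion:{service.virtual_port} -> {service.target_host}:{service.target_port}"
              f" speaks SSH (Dropbear: {dropbear})")
```

Only the service whose local target answers with an SSH identification string is reported, so an ordinary hidden service fronting a web listener is not flagged; a hidden service forwarding to an SSH port that the device's legitimate software has no reason to run is the finding worth escalating.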