The Sandworm advanced persistent threat (APT) actor [4], believed to be supported by Russia’s military intelligence agency, the GRU [4] [5], has been linked to a cyber attack campaign against Ukrainian military targets [4].

Description

The Security Service of Ukraine (SBU) initially uncovered the Infamous Chisel malware family used in this campaign [4]. It specifically targeted Android mobile devices used by Ukraine’s armed forces [4]. Infamous Chisel was designed to gain unauthorized access to compromised devices and to communicate through the Tor network. It can scan files, monitor traffic [1] [2] [5], and periodically steal sensitive information [2], including system and device information [2] [3], data from commercial applications [2] [3], and data from applications specific to the Ukrainian military [2] [3].

The malware has been linked to the Russian GRU’s Main Centre for Special Technologies (GTsST) and the threat actor Sandworm. Infamous Chisel gains persistence by replacing a legitimate system component with a malicious version and uses shell scripts and commands to collect device information and search for specific files [3]. It exfiltrates files using the TLS protocol and a hard-coded IP and port [3], and it also installs a modified version of the Dropbear SSH client for remote access [3].
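The two behaviours described above, replacing a legitimate system component for persistence and exfiltrating over TLS to a hard-coded IP and port, are the kind a defender can look for in artifacts collected from a device. The following script is an added example, not code from the original page or from the NCSC report, showing two such checks run over constructed sample data: an integrity check of system binaries against a known-good hash manifest, and a heuristic for regular connections from one process to one fixed destination. The paths, hashes, package names and IP addresses are placeholders assumed for the illustration, not real Infamous Chisel indicators.

```python
"""Host-side checks for a replaced system component and for fixed-destination
beaconing. Added example with constructed data; not the page's or NCSC's code."""
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed known-good manifest: path -> SHA-256 of the expected binary contents.
# In practice this comes from the OEM build or a trusted golden image.
KNOWN_GOOD_SHA256 = {
    "/system/bin/netd": hashlib.sha256(b"netd-genuine-build").hexdigest(),
    "/system/bin/vold": hashlib.sha256(b"vold-genuine-build").hexdigest(),
}

# Constructed contents as read back from a device under examination:
# netd has been swapped for something else, vold is unchanged.
SAMPLE_OBSERVED = {
    "/system/bin/netd": b"netd-trojanized",
    "/system/bin/vold": b"vold-genuine-build",
}


def find_replaced_components(observed, manifest=KNOWN_GOOD_SHA256):
    """Return manifest paths whose observed contents are missing or do not hash
    to the known-good value (a missing component is treated as suspicious too)."""
    replaced = []
    for path, expected in manifest.items():
        contents = observed.get(path)
        if contents is None or hashlib.sha256(contents).hexdigest() != expected:
            replaced.append(path)
    return sorted(replaced)


# Constructed connection records: (ISO timestamp, process, remote_ip, remote_port).
# One process contacts a single address on a fixed schedule; a browser contacts
# several different addresses, which is normal and must not be flagged.
SAMPLE_CONNECTIONS = [
    ("2023-08-31T10:00:00", "com.example.app", "203.0.113.10", 443),
    ("2023-08-31T10:10:00", "com.example.app", "203.0.113.10", 443),
    ("2023-08-31T10:20:00", "com.example.app", "203.0.113.10", 443),
    ("2023-08-31T10:05:00", "com.android.chrome", "198.51.100.7", 443),
    ("2023-08-31T10:06:00", "com.android.chrome", "198.51.100.9", 443),
    ("2023-08-31T10:07:00", "com.android.chrome", "198.51.100.12", 443),
]


def find_beaconing(connections, min_count=3, jitter_seconds=60):
    """Group connections by (process, ip, port) and flag destinations that are
    contacted at least min_count times at near-regular intervals. Returns a
    sorted list of (process, ip, port, count) tuples."""
    by_dest = defaultdict(list)
    for ts, proc, ip, port in connections:
        by_dest[(proc, ip, port)].append(datetime.fromisoformat(ts))

    hits = []
    for (proc, ip, port), times in sorted(by_dest.items()):
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Regular spacing (small spread between the longest and shortest gap)
        # is the periodic-collection pattern; ad-hoc traffic is irregular.
        if max(gaps) - min(gaps) <= jitter_seconds:
            hits.append((proc, ip, port, len(times)))
    return hits


if __name__ == "__main__":
    print("replaced components:", find_replaced_components(SAMPLE_OBSERVED))
    print("fixed-destination beaconing:", find_beaconing(SAMPLE_CONNECTIONS))
```

Both checks are heuristics: the hash check only catches a replacement when a trusted manifest for that exact build exists, and the beaconing check will also surface legitimate periodic clients, so its output is a triage list rather than a verdict.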

Despite lacking basic obfuscation or stealth techniques [3], Infamous Chisel poses a serious threat due to the sensitive information it can collect [3]. The UK and international allies have published a report on the malware [5], demonstrating their commitment to assisting Ukraine in the face of Russian cyber attacks [5]. This report can be found on the National Cyber Security Centre (NCSC) website [5].

Conclusion

The Infamous Chisel malware campaign [4], attributed to the Sandworm APT actor supported by Russia’s GRU, has targeted the Ukrainian military [5]. The malware’s ability to gain unauthorized access, scan files [1] [2] [5], monitor traffic [1] [2] [5], and steal sensitive information poses a serious threat. However, the UK and international allies have shown their commitment to assisting Ukraine by publishing a report on the malware. This highlights the importance of mitigating the impact of cyber attacks and the need for continued vigilance against future threats.

References

[1] https://www.cisa.gov/news-events/news/us-and-international-partners-release-report-russian-cyber-actors-using-infamous-chisel-malware
[2] https://www.infosecurity-magazine.com/news/gru-infamous-chisel-malware/
[3] https://arstechnica.com/security/2023/08/russia-targets-ukraine-with-new-android-backdoor-intel-agencies-say/
[4] https://www.computerweekly.com/news/366550454/Sandworm-attacks-Ukraine-with-Infamous-Chisel-malware
[5] https://www.wired-gov.net/wg/news.nsf/articles/UK+and+allies+support+Ukraine+calling+out+Russias+GRU+for+new+malware+campaign+31082023161500