
Five Eyes Fingers Moscow in Ukrainian Android Hacking

Western Intelligence Alliance Publishes Details of 'Infamous Chisel' Campaign

Western intelligence agencies lent authority Thursday to a Ukrainian exposé unmasking a campaign by Russian military state hackers targeting battlefield Android devices.


Agencies from the Five Eyes intelligence alliance of Australia, Canada, New Zealand, the United Kingdom and the United States confirmed in a report that malware "associated" with Russia's GRU Main Intelligence Directorate exfiltrates data from Ukrainian military applications running on Android devices.

Ukraine uses a slew of apps to manage the battlefield and improve artillery targeting against Russian invaders. In a report published earlier this month, Kyiv authorities said the GRU's Sandworm hacking group had obtained Ukrainian military mobile devices captured on the battlefield and crafted at least seven custom-coded Android malware packages for espionage (see: Ukraine Fends Off Sandworm Battlefield Espionage Ploy).

"The U.K. is committed to calling out Russian cyber aggression and we will continue to do so," said Paul Chichester, director of operations at Britain's National Cyber Security Center, a part of signals intelligence agency GCHQ.

The Western allies collectively dub the malware components "Infamous Chisel." They search for specific files and directory paths related to military applications.

The Five Eyes' bottom-line assessment of the malware is that its components "are low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity." But the allies say they're not minimizing the danger posed by Infamous Chisel: "Even with the lack of concealment functions, these components present a serious threat because of the impact of the information they can collect."

Infamous Chisel provides network backdoor access through the Tor anonymity network and a secure shell for remote access. To achieve persistence, it replaces the legitimate Android networking daemon netd with a malicious version; that replaced netd is the only Infamous Chisel component that persists on infected devices, the Five Eyes report says.
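Because the report ties persistence to a swapped-out system binary, the defender's check is integrity of the binaries that ship with the firmware. The script below is an added example, not code from the article or the Five Eyes report: it records SHA-256 hashes of a set of trusted binaries from a known-good image and flags any copy on the device that is modified or missing. The directory layout, binary names and file contents are constructed in a temporary directory so it runs offline; on a real device the baseline would come from the vendor firmware image and the comparison target from a pulled copy of /system/bin.

```python
"""Baseline integrity check for system binaries such as Android's netd.

Added example (not from the article or the Five Eyes report). The trusted
image and the "device" copy below are constructed in a temporary directory
so the script runs offline; on a real device the baseline is computed from a
known-good firmware image and compared against the binaries on the handset.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 of a file, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, names) -> dict:
    """Record the hash of each trusted binary under root (known-good image)."""
    return {name: sha256_of(root / name) for name in names}


def check_binaries(root: Path, baseline: dict) -> dict:
    """Compare each baselined binary under root with its trusted hash.

    Returns a mapping name -> status, where status is 'ok', 'modified'
    (hash differs from the baseline) or 'missing' (file absent).
    """
    report = {}
    for name, expected in baseline.items():
        target = root / name
        if not target.is_file():
            report[name] = "missing"
        elif sha256_of(target) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def demo() -> dict:
    """Construct a trusted image and a tampered copy, then run the check."""
    names = ["netd", "sh", "toybox"]  # constructed sample of binaries to watch
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "trusted" / "system" / "bin"
        device = Path(tmp) / "device" / "system" / "bin"
        for d in (trusted, device):
            d.mkdir(parents=True)
        # Constructed placeholder contents standing in for real ELF binaries.
        for name in names:
            (trusted / name).write_bytes(b"original %s binary\n" % name.encode())
            (device / name).write_bytes(b"original %s binary\n" % name.encode())
        baseline = build_baseline(trusted, names)
        # Simulate the swap the report describes: netd replaced by another file,
        # plus one binary removed entirely so the 'missing' path is exercised.
        (device / "netd").write_bytes(b"replacement netd binary\n")
        (device / "toybox").unlink()
        return check_binaries(device, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The check is deliberately narrow: it only answers whether a watched binary still matches its baseline, which is exactly the signal a replaced netd produces. Which binaries to watch, and where the trusted baseline comes from, are decisions the operator makes from the firmware image for that device model.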

"The searching of specific files and directory paths that relate to military applications and exfiltration of this data reinforces the intention to gain access to these networks," the report says.

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
