Ukraine Fends Off Sandworm Battlefield Espionage Ploy
Russian Military Hackers Planned Mobile Device Malware Campaign
Ukrainian cyber defenders said they had thwarted an attempt by Russian military intelligence to deploy widespread malware programmed to spy on battlefield management apps.
The Security Service of Ukraine, known as the SBU, and military investigators said Russian hackers known as Sandworm operating in the GRU Main Intelligence Directorate had planned a campaign based on at least seven custom-coded Android malware packages.
Ukraine uses a variety of apps to manage the battlefield and improve artillery targeting. In a report published Tuesday, Kyiv authorities said Sandworm had obtained Ukrainian military mobile devices captured on the battlefield.
Russian hackers' preparation for the malware campaign was "long-term and thorough," the SBU said. Among their targets were communications made over the Starlink satellite system, the mega-constellation of 3,500 satellites in low Earth orbit used by Kyiv for military communications, including with drones to identify Russian targets and guide artillery strikes (see: Pentagon to Pay Starlink for Ukraine's Satellite Broadband). Malware Ukraine identifies as STL is designed to collect communications made through Starlink.
Sandworm has targeted Ukraine with cyberattacks for more than half a decade, including two disruptions of the electricity grid prior to Russia's February 2022 invasion of its European neighbor. Threat intelligence firm Mandiant in 2022 characterized the hacking group as likely posing Kyiv's "greatest threat for destructive and disruptive attacks." Recent attacks linked to Sandworm include a previously unknown wiper detected earlier this year and a malicious script for deleting files (see: WinRAR Weaponized for Attacks on Ukrainian Public Sector).
Sandworm's path to infection of military mobile devices was Android Debug Bridge, a command-line tool intended for Android developers.
Other malware packages disclosed by the SBU include one dubbed NETD, which ensures persistence even after a device factory reset, and another called DropBear, which gives hackers remote access to infected devices.
Sandworm used obfuscation techniques to avoid detection, including disguising its malware behind legitimate filenames and process names.
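As an added illustration of the defender's side of the two details just reported (an ADB-reachable device and malware hiding behind legitimate daemon names), the following script is not from the SBU report or any analysis of these samples. It assumes the operator has already pulled a process listing from the device and checks two things: whether USB debugging is switched on (the `adb_enabled` global setting), and whether any process borrows a platform daemon's name while running from outside the read-only platform partitions or from `/data/local/tmp`, the usual staging directory for files pushed over ADB. The daemon names, the staging-directory heuristic and the sample listing are assumptions for the example.

```python
"""Triage hints for an Android device suspected of ADB-delivered malware
that masquerades as a platform daemon. Example code, not the page's own."""
import posixpath

# Legitimate Android daemons and the platform path each ships at (assumed set).
SYSTEM_DAEMONS = {
    "netd": "/system/bin/netd",
    "vold": "/system/bin/vold",
    "logd": "/system/bin/logd",
}
# Read-only platform partitions; a genuine daemon runs from one of these.
PLATFORM_PREFIXES = ("/system/", "/vendor/", "/apex/")
# Default location for files pushed with adb (heuristic, an assumption here).
ADB_STAGING = "/data/local/tmp/"


def adb_debugging_enabled(settings_output: str) -> bool:
    """Interpret the output of `adb shell settings get global adb_enabled`."""
    return settings_output.strip() == "1"


def flag_masquerading(ps_lines):
    """Return (pid, path, reason) for suspicious entries in a simplified
    process listing whose columns are PID, user and executable path."""
    findings = []
    for line in ps_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        pid, path = parts[0], parts[2]
        name = posixpath.basename(path)
        if name in SYSTEM_DAEMONS and not path.startswith(PLATFORM_PREFIXES):
            findings.append((pid, path, f"name collides with {SYSTEM_DAEMONS[name]}"))
        elif path.startswith(ADB_STAGING):
            findings.append((pid, path, "executable in adb staging directory"))
    return findings


# Constructed sample listing, not output from any real device.
SAMPLE_PS = [
    "1 root /init",
    "512 root /system/bin/netd",            # genuine netd
    "2048 shell /data/local/tmp/netd",      # same name, wrong location
    "2077 shell /data/local/tmp/dropbear",  # unknown binary in staging dir
    "3001 u0_a12 com.example.app",          # ordinary app process
]

if __name__ == "__main__":
    print("USB debugging on:", adb_debugging_enabled("1\n"))
    for finding in flag_masquerading(SAMPLE_PS):
        print(finding)
```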
"Since the first days of the full-scale war, we have been fending off cyberattacks of Russian intelligence services aiming to break our military command system and more," said Illia Vitiuk, head of the SBU Cyber Security Department.