GRU hacking tools targeting Ukrainian military hardware detailed by Five Eyes

Western intelligence and cybersecurity agencies published a report on Thursday highlighting a range of hacking tools used by Russian military intelligence against Android devices operated by the Ukrainian armed forces.

The report, published by Britain’s National Cyber Security Centre (NCSC) — along with agencies in the US, Canada, Australia and New Zealand, which make up the Five Eyes intelligence alliance — calls the malware “Infamous Chisel.”

It details how GRU malware enables unauthorized access to compromised devices by scanning files, monitoring traffic, and periodically stealing sensitive information.

“The Infamous Chisel is a set of components that enable persistent access to an infected Android device over the Tor network, which periodically collects and exfiltrates victim information from compromised devices,” the report explains, referring to the technology that anonymizes traffic on… Internet.

The GRU’s hacking campaign was first revealed by the Security Service of Ukraine (SBU) earlier this month, when the agency announced it had blocked attempts by state-controlled Russian hackers to break into Ukraine’s battlefield management system.

According to the Ukrainian Security Service, the campaign was carried out by the hacking group known as Sandworm and targeted Android tablets used by the Ukrainian military to plan and execute combat missions, with the aim of gaining access to other connected devices.

According to the new report, the components that make up the malware are “low to moderate complexity and appear to have been developed with little interest in defensive evasion or concealment of malicious activity.”

They lack “basic obfuscation or stealth techniques to hide the activity” according to the NCSC, though the agency says the hackers behind the malware may have assumed this was unnecessary because many Android devices don’t have a host-based detection system.

The report credits the malware with two interesting techniques: it maintains persistence by replacing the legitimate netd binary with a malicious version, and it provides the hackers with remote access to devices “by configuring and executing Tor using a hidden service that redirects to a modified Dropbear binary that provides an SSH connection.” Dropbear is a legitimate, open-source Secure Shell (SSH) server for Unix-like systems, which encrypts network traffic.
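The two techniques above suggest two host-side checks a defender can run against a device image: compare the hash of the netd binary with a trusted build baseline, and look for Tor hidden-service directives (a `HiddenServicePort` line forwards onion connections to a local listener) on a device that has no business running an onion service. The following is an added illustrative example, not code from the NCSC report or the agencies behind it. The binary path `/system/bin/netd`, the baseline hash, the sample torrc and the local port `2222` are all constructed for the example; a real deployment would pull the files from the device and compare against a baseline taken from a known-good build.

```python
"""Baseline integrity and Tor hidden-service checks (illustrative, constructed data)."""
import hashlib
import re

# Constructed stand-ins for binary contents; real checks hash the files pulled
# from the device and compare with hashes recorded from a trusted build.
GOOD_NETD = b"legitimate netd build (constructed sample content)"
BAD_NETD = b"replaced netd carrying a loader (constructed sample content)"

# Assumed standard location of netd on Android; the baseline hash is computed
# from the constructed sample above, not from a real Android binary.
BASELINE = {
    "/system/bin/netd": hashlib.sha256(GOOD_NETD).hexdigest(),
}

# Constructed torrc-style configuration such as a hidden service would need.
# 'HiddenServicePort <virtual port> <target>' is a real Tor directive.
SAMPLE_TORRC = """\
# constructed sample, not taken from any real device
SocksPort 0
HiddenServiceDir /data/local/tmp/hs
HiddenServicePort 22 127.0.0.1:2222
"""

HS_PORT_RE = re.compile(r"^\s*HiddenServicePort\s+(\d+)\s+(\S+)", re.IGNORECASE)


def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def check_binaries(snapshot: dict, baseline: dict) -> list:
    """Return one finding per baselined path that is missing or whose hash differs.

    snapshot maps path -> file contents pulled from the device;
    baseline maps path -> expected SHA-256 hex digest.
    """
    findings = []
    for path, expected in baseline.items():
        actual = snapshot.get(path)
        if actual is None:
            findings.append(f"{path}: missing")
        elif sha256_of(actual) != expected:
            findings.append(f"{path}: hash mismatch (replaced?)")
    return findings


def hidden_service_forwards(torrc_text: str) -> list:
    """Return (virtual_port, target) pairs for every HiddenServicePort directive."""
    forwards = []
    for line in torrc_text.splitlines():
        m = HS_PORT_RE.match(line)
        if m:
            forwards.append((int(m.group(1)), m.group(2)))
    return forwards


def audit(snapshot: dict, baseline: dict, torrc_text: str) -> list:
    """Combine both checks into a single list of human-readable findings."""
    findings = check_binaries(snapshot, baseline)
    for vport, target in hidden_service_forwards(torrc_text):
        findings.append(f"tor hidden service exposes port {vport} -> {target}")
    return findings


if __name__ == "__main__":
    clean_device = {"/system/bin/netd": GOOD_NETD}
    tampered_device = {"/system/bin/netd": BAD_NETD}
    print("clean:", audit(clean_device, BASELINE, "SocksPort 0\n"))
    print("tampered:", audit(tampered_device, BASELINE, SAMPLE_TORRC))
```

The hash check only catches a replaced binary, not a legitimate update, so the baseline has to be refreshed whenever the build changes; the torrc check is deliberately broad and flags any hidden service, because on a device of this kind the presence of one is itself the signal.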

“These techniques require a good level of knowledge of the C++ language to make modifications and awareness of Linux authentication and boot mechanisms,” the report says.

Sandworm, which was also behind attacks on Ukraine’s power grid in 2015, as well as the disastrous NotPetya malware that initially targeted Ukraine before spreading out of control, has previously been attributed to the GRU’s Main Centre for Special Technologies, GTsST.

“The revelation of this malicious campaign against Ukrainian military targets demonstrates how Russia’s illegal war in Ukraine continues in cyberspace,” said Paul Chichester, director of operations for the National Cyber Security Centre.

“Our new report shares expert analysis on how this new malware works and is the latest example of our work with allies to support Ukraine’s strong defence. The UK is committed to tackling Russian cyber aggression and we will continue to do so.”

The agency warns that despite the lack of cloaking functions, the malware components pose a “serious threat due to the impact of the information they can collect.”


Alexander Martin

Alexander Martin is UK Editor of Recorded Future News. He was previously a technology correspondent for Sky News, and is also a fellow at the European Cyber Conflict Research Initiative.
