URL: https://therecord.media/ukraine-battlefield-tablets-malware-sandworm-gru-five-eyes-report

A Ukrainian fighter uses a tablet computer. Image: Army SOS / Facebook
Alexander Martin, August 31st, 2023
 * Nation-state
 * Malware
 * News


GRU HACKING TOOLS TARGETING UKRAINIAN MILITARY DEVICES DETAILED BY FIVE EYES

Western intelligence and cybersecurity agencies published a report on Thursday
highlighting a collection of hacking tools being used by Russia’s military
intelligence service against Android devices operated by the Ukrainian Armed
Forces.

The report, published by Britain’s National Cyber Security Centre (NCSC) —
alongside agencies in the United States, Canada, Australia and New Zealand, who
form the Five Eyes intelligence alliance — names the malware “Infamous Chisel.”

It details how the malware enables the GRU to acquire unauthorized access to
compromised devices before scanning files, monitoring traffic and periodically
stealing sensitive information.

“Infamous Chisel is a collection of components which enable persistent access to
an infected Android device over the Tor network, and which periodically collates
and exfiltrates victim information from compromised devices,” explains the
report, referencing the technology that anonymizes internet traffic.


The GRU’s hacking campaign was first publicly disclosed by Ukraine’s security
service (SBU) earlier this month, when the agency announced it had prevented
attempts by Russian state-controlled hackers to break into Ukraine’s battlefield
management system.

According to the SBU, the campaign was conducted by the hacking group known as
Sandworm and targeted Android tablets the Ukrainian military uses to plan and
execute combat missions, with the intention of gaining access to other connected
devices.

The components making up the malware “are low to medium sophistication and
appear to have been developed with little regard to defence evasion or
concealment of malicious activity,” according to the new report.

They lack “basic obfuscation or stealth techniques to disguise activity,”
according to the NCSC, although the agency says the hackers behind the malware
may have assumed this was unnecessary, since many Android devices have no
host-based detection system.

The report does credit the malware with two notable techniques: it maintains
persistence by replacing the legitimate netd system binary (Android's network
management daemon) with a malicious version, and it gives the hackers remote
access to the devices “by configuring and executing Tor with a hidden service
which forwards to a modified Dropbear binary providing a SSH connection.”
Dropbear is a legitimate, open-source Secure Shell (SSH) server for Unix-like
systems; SSH encrypts network traffic.

“These techniques require a good level of C++ knowledge to make the alterations
and an awareness of Linux authentication and boot mechanisms,” states the
report.
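The persistence technique the report singles out, swapping a system binary for a modified build, is exactly the kind of change a file-integrity baseline catches. The script below is an added example, not code from the article or from the NCSC report: it hashes a set of system binaries against a known-good baseline and reports each one as ok, modified or missing. The directory tree, the file contents and the `/system/bin` paths it checks are constructed inline for the demonstration; on a real device the baseline would be taken from the vendor's factory image rather than from the device itself.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, rel_paths) -> dict:
    """Record the expected hash of each binary, relative to the filesystem root.

    Hypothetical helper: in practice the baseline is produced from a trusted
    factory image, never from a device that may already be compromised.
    """
    return {rel: sha256_file(root / rel) for rel in rel_paths}


def verify_binaries(root: Path, baseline: dict) -> dict:
    """Compare the live files with the baseline.

    Returns {relative_path: status}, where status is "ok", "modified"
    (hash differs from the baseline) or "missing" (file no longer present).
    """
    results = {}
    for rel, expected in baseline.items():
        target = root / rel
        if not target.is_file():
            results[rel] = "missing"
        elif sha256_file(target) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def demo() -> dict:
    """Build a constructed /system/bin tree, baseline it, alter it, and re-verify.

    The tree and its contents are made up for the example; the paths mirror
    where Android keeps netd and its companion binaries.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bin_dir = root / "system" / "bin"
        bin_dir.mkdir(parents=True)
        # Constructed stand-ins for vendor-built binaries.
        originals = {
            "netd": b"vendor netd build",
            "sh": b"vendor sh build",
            "toybox": b"vendor toybox build",
        }
        for name, content in originals.items():
            (bin_dir / name).write_bytes(content)

        watched = [f"system/bin/{name}" for name in originals]
        baseline = build_baseline(root, watched)

        # Simulate two integrity failures a defender wants surfaced:
        # one binary replaced by a different build, one binary removed.
        (bin_dir / "netd").write_bytes(b"a different netd build")
        (bin_dir / "toybox").unlink()

        return verify_binaries(root, baseline)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{rel}: {status}")
```

The check is deliberately hash-based rather than signature-based: a replaced binary may be well-formed and even carry the same name and permissions, so only a comparison against a baseline captured from a trusted image reveals the swap. Running the verification from a separate, trusted host (for example over `adb` against a pulled copy of the partition) avoids relying on tools on the device that could themselves have been replaced.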

Sandworm, which was also behind attacks on Ukraine’s power grid in 2015, as well
as the catastrophic NotPetya malware which initially targeted Ukraine before
spreading out of control, has previously been attributed to the GRU’s Main
Centre for Special Technologies, GTsST.

Paul Chichester, the NCSC’s director of operations, said: “The exposure of this
malicious campaign against Ukrainian military targets illustrates how Russia’s
illegal war in Ukraine continues to play out in cyberspace.

“Our new report shares expert analysis of how this new malware operates and is
the latest example of our work with allies in support of Ukraine’s staunch
defence. The UK is committed to calling out Russian cyber aggression and we will
continue to do so.”

The agency warns that despite the lack of concealment functions, the malware
components pose “a serious threat because of the impact of the information they
can collect.”


Tags
 * Russia
 * Ukraine
 * UK NCSC
 * United States
 * New Zealand
 * Australia
 * Canada
 * Five Eyes
 * hardware
 * GRU
 * Sandworm


ALEXANDER MARTIN

Alexander Martin is the UK Editor for Recorded Future News. He was previously a
technology reporter for Sky News and is also a fellow at the European Cyber
Conflict Research Initiative.

© Copyright 2023 | The Record from Recorded Future News