Date: 2023-11-16

Western intelligence and cybersecurity agencies have recently released a report highlighting a set of hacking tools used by Russia’s military intelligence service, the GRU, to target Android devices operated by the Ukrainian Armed Forces. The report, published by the National Cyber Security Centre (NCSC) in the UK, along with agencies from the United States, Canada, Australia, and New Zealand, sheds light on the capabilities of the malware known as “Infamous Chisel.”

Infamous Chisel allows the GRU to gain unauthorized access to compromised devices, enabling them to scan files, monitor traffic, and periodically extract sensitive information. The malware uses components that provide persistent access over the Tor network, a technology that anonymizes internet traffic. These components collect and exfiltrate victim information from compromised devices.

The GRU’s hacking campaign, which was first revealed by Ukraine’s security service (SBU), involved the hacking group Sandworm. The group targeted Android tablets utilized by the Ukrainian military for planning and executing combat missions, aiming to gain access to other connected devices. The malware is described as having low to medium sophistication and lacking defense evasion or concealment techniques. The report notes that the hackers may have assumed these techniques were unnecessary due to the absence of host-based detection systems in many Android devices.

The report credits the malware with two noteworthy techniques. Firstly, it maintains persistence by replacing the legitimate netd system binary with a malicious version. Secondly, it provides remote access to the devices by configuring and executing Tor with a hidden service that forwards to a modified Dropbear binary, allowing an SSH connection into the device. Dropbear is a legitimate open-source SSH server; SSH encrypts the network traffic between client and server.
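The two techniques above give a defender two concrete things to look for on a device image: a netd binary whose hash no longer matches the vendor build, and a Tor configuration that publishes a hidden service forwarding to an SSH-style port. The following is an added example written for this article, not code from the report or from any of the agencies involved; it checks both indicators over a constructed in-memory "snapshot" of device files and a constructed torrc fragment. The file contents, hashes, directory paths and port numbers are made up for the example; on a real device the baseline hashes would come from the vendor firmware image and the files would be read from a mounted image or pulled with adb.

```python
import hashlib
import re

# Constructed baseline: SHA-256 of the known-good netd bytes. In practice the
# baseline is derived from the vendor image or OTA package, never from the
# device under investigation.
KNOWN_GOOD = {
    "/system/bin/netd": b"ELF-netd-known-good-constructed",
}
BASELINE = {path: hashlib.sha256(data).hexdigest() for path, data in KNOWN_GOOD.items()}

# Constructed device snapshot: path -> file bytes. netd here has been replaced,
# mirroring the persistence technique the report describes.
SNAPSHOT = {
    "/system/bin/netd": b"ELF-netd-TAMPERED-constructed",
    "/system/bin/ping": b"ELF-ping-constructed",
}


def check_binary_integrity(snapshot, baseline):
    """Return (path, reason) for every baseline binary that is missing from the
    snapshot or whose SHA-256 differs from the known-good value."""
    findings = []
    for path, expected in baseline.items():
        data = snapshot.get(path)
        if data is None:
            findings.append((path, "missing"))
            continue
        actual = hashlib.sha256(data).hexdigest()
        if actual != expected:
            findings.append((path, "hash-mismatch"))
    return findings


# Constructed torrc fragment. HiddenServiceDir and HiddenServicePort are real
# Tor directives; the directory and the ports are assumptions for the example.
TORRC = """\
SocksPort 0
HiddenServiceDir /data/local/tmp/hs
HiddenServicePort 22 127.0.0.1:2222
"""

# Matches "HiddenServicePort <virtual_port> <host>:<target_port>" lines.
HSPORT_RE = re.compile(r"^\s*HiddenServicePort\s+(\d+)\s+(\S+):(\d+)\s*$", re.M)


def find_hidden_service_forwards(torrc_text):
    """Return (virtual_port, target_host, target_port) for each hidden-service
    forward declared in the configuration text."""
    return [(int(v), host, int(p)) for v, host, p in HSPORT_RE.findall(torrc_text)]


def ssh_exposed_over_tor(torrc_text, ssh_ports=(22,)):
    """True if any hidden service forward uses an SSH-style port on either the
    onion side or the local target side."""
    return any(
        v in ssh_ports or p in ssh_ports
        for v, _, p in find_hidden_service_forwards(torrc_text)
    )


if __name__ == "__main__":
    for path, reason in check_binary_integrity(SNAPSHOT, BASELINE):
        print(f"integrity: {path}: {reason}")
    for v, host, p in find_hidden_service_forwards(TORRC):
        print(f"tor hidden service: onion port {v} -> {host}:{p}")
    print("ssh reachable over tor:", ssh_exposed_over_tor(TORRC))
```

The integrity check treats a missing netd as a finding rather than ignoring it, since an absent or renamed system binary is as worth investigating as a modified one. The torrc parser only reads configuration text, so it can be run over files recovered from an image without executing anything from the device.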

Both of these techniques require a good understanding of C++ and familiarity with Linux authentication and boot mechanisms. Sandworm, the group responsible for the GRU’s hacking campaign, has previously been linked to attacks on Ukraine’s power grid in 2015 and the notorious NotPetya malware, which initially targeted Ukraine before spreading uncontrollably.

Paul Chichester, the director of operations at NCSC, emphasized the significance of exposing this malicious campaign against Ukrainian military targets. He stated that it highlights the ongoing cyber warfare waged as part of Russia’s illegal war in Ukraine. The report serves as an example of the collaboration between the UK and its allies in supporting Ukraine’s defense efforts. The UK remains committed to denouncing Russian cyber aggression.

Despite the lack of concealment functions, the malware’s components pose a serious threat due to the information they can collect. The report warns about the potential impact of the malware’s capabilities.

Frequently Asked Questions (FAQ)

Q: What is GRU?

A: GRU stands for Main Intelligence Agency, which is the foreign military intelligence agency of Russia.

Q: What is malware?

A: Malware, short for malicious software, refers to any software intentionally designed to harm, exploit, or gain unauthorized access to computer systems.

Q: What is the Tor network?

A: The Tor network is a system that enables anonymous communication by redirecting internet traffic through a network of relay nodes, making it difficult to track the origin or destination of the communication.

Sources:

– Recorded Future News