The UK’s National Cyber Security Centre (NCSC) and its partner agencies in the Anglophone Five Eyes collective have formally attributed a campaign of cyber attacks against Ukrainian military targets to the Sandworm advanced persistent threat (APT) actor, backing up previous assertions by the Security Service of Ukraine (SBU), which first exposed the novel Infamous Chisel malware family used in the campaign earlier in August.
Infamous Chisel was used by Sandworm, which is backed by Russia’s military intelligence agency, the GRU, to target Android mobile devices owned by Ukraine’s armed forces. At a high level, its various components – of which 10 have been identified by the Ukrainians – were designed to snoop on compromised devices.
“The exposure of this malicious campaign against Ukrainian military targets illustrates how Russia’s illegal war in Ukraine continues to play out in cyber space,” said NCSC operations director Paul Chichester.
“Our new report shares expert analysis of how this new malware operates, and is the latest example of our work with allies in support of Ukraine’s staunch defence,” he said. “The UK is committed to calling out Russian cyber aggression and we will continue to do so.”
The SBU said that, working alongside the Armed Forces of Ukraine, it had successfully prevented the Russians from gaining access to the sensitive data they sought, which is understood to have included information on where troops were being deployed, their movements and details of their technical provisioning.
“Since the first days of the full-scale war, we have been fending off cyber attacks of [the] Russian intelligence services aiming to break our military command system and more,” said SBU head of cyber security Illia Vitiuk.
“The operation we have carried out now is the cyber defence of our forces.”
How the campaign unfolded
The SBU’s cyber investigators found that the GRU managed to obtain tablets captured from the Ukrainians on the battlefield, and used them to abuse preconfigured access to penetrate the system and distribute malicious files to other Android devices, in what they described as a “long-term and thorough” preparation stage.
The various components of Infamous Chisel worked together to enable persistent access to an infected Android device via the Tor network, which was achieved by configuring and executing Tor with a hidden service that forwarded to a modified Dropbear binary providing a secure socket shell (SSH) connection.
Periodically, it would collate and exfiltrate victim information after scanning for a predefined set of file extensions. It also scanned and monitored the local networks where it found itself to collate various data points, such as active hosts and open ports.
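As an added defender-side illustration (not code from the NCSC report or the SBU), the check below flags the persistence pattern described above: a Tor hidden service whose forwarded local port is served by a Dropbear-style SSH daemon. The torrc text and the `ss -lntp`-style listener lines are constructed sample input.

```python
import re
from dataclasses import dataclass

# torrc: HiddenServicePort <virtual_port> [<host>:]<target_port>
HS_PORT = re.compile(r"^\s*HiddenServicePort\s+(\d+)\s+(?:(\S+):)?(\d+)\s*$")
# ss -lntp style: ... 127.0.0.1:2222 0.0.0.0:* users:(("dropbear",pid=1234,fd=3))
LISTENER = re.compile(r'\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')
SSH_HINTS = ("dropbear", "sshd")  # process names treated as SSH daemons

@dataclass(frozen=True)
class Finding:
    virtual_port: int   # port exposed on the .onion address
    target_port: int    # local port Tor forwards to
    listener: str       # process bound to that local port

def parse_hidden_service_ports(torrc: str) -> list[tuple[int, str, int]]:
    """Extract (virtual_port, host, target_port) from HiddenServicePort lines."""
    found = []
    for line in torrc.splitlines():
        m = HS_PORT.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2) or "127.0.0.1", int(m.group(3))))
    return found

def parse_listeners(ss_lines) -> dict[int, str]:
    """Map each listening local port to the process name bound to it."""
    ports = {}
    for line in ss_lines:
        m = LISTENER.search(line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports

def find_hidden_ssh_services(torrc: str, ss_lines) -> list[Finding]:
    """Flag hidden services whose target port is served by an SSH daemon."""
    listeners = parse_listeners(ss_lines)
    findings = []
    for vport, _host, tport in parse_hidden_service_ports(torrc):
        proc = listeners.get(tport, "")
        if any(hint in proc.lower() for hint in SSH_HINTS):
            findings.append(Finding(vport, tport, proc))
    return findings

# Constructed sample input (not taken from the report).
SAMPLE_TORRC = """\
HiddenServicePort 22 127.0.0.1:2222
"""
SAMPLE_SS = [
    'LISTEN 0 128 127.0.0.1:2222 0.0.0.0:* users:(("dropbear",pid=1234,fd=3))',
    'LISTEN 0 50 0.0.0.0:5555 0.0.0.0:* users:(("adbd",pid=321,fd=7))',
]
```

On a real device the same two inputs come from the Tor configuration file and the socket table; a hit means an SSH listener is reachable through Tor without any inbound firewall exposure, which is worth triage regardless of which daemon is bound.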
The NCSC said the various components were of low to medium sophistication, and seemed to have been developed without much regard to defence evasion or concealment of their activity. Sandworm may have left out such features since many Android devices don’t have a host-based detection system.
The NCSC’s report did, however, note two interesting techniques that are present in Infamous Chisel. First, one component replaces a legitimate executable, netd, to maintain persistence. Second, the modification of the authentication function in the components that included Dropbear stands out.
Both of these techniques require a good level of C++ knowledge and an understanding of Linux authentication and boot mechanisms, said the NCSC.
The agency added that even with the lack of attention paid to concealment functions, Infamous Chisel still presented a serious threat due to the nature of the information it was designed to steal.
At the time of writing, the NCSC has made no suggestion that Infamous Chisel has been deployed against any other targets; nevertheless, a full list of indicators of compromise and Yara rules is included in the report.