GRU hacking tools targeting Ukrainian military devices detailed by Five Eyes

Western intelligence and cybersecurity agencies published a report on Thursday highlighting a collection of hacking tools being used by Russia’s military intelligence service against Android devices operated by the Ukrainian Armed Forces.

The report, published by Britain’s National Cyber Security Centre (NCSC) — alongside agencies in the United States, Canada, Australia and New Zealand, who form the Five Eyes intelligence alliance — names the malware “Infamous Chisel.”

It details how the malware enables the GRU to acquire unauthorized access to compromised devices before scanning files, monitoring traffic and periodically stealing sensitive information.

“Infamous Chisel is a collection of components which enable persistent access to an infected Android device over the Tor network, and which periodically collates and exfiltrates victim information from compromised devices,” explains the report, referencing the technology that anonymizes internet traffic.

Read More: Gamaredon hackers target Ukrainian military orgs amid counteroffensive efforts

The GRU’s hacking campaign was first publicly disclosed by Ukraine’s security service (SBU) earlier this month, when the agency announced it had prevented attempts by Russian state-controlled hackers to break into Ukraine’s battlefield management system.

According to the SBU, the campaign was conducted by the hacking group known as Sandworm and targeted Android tablets the Ukrainian military uses to plan and execute combat missions, with the intention of gaining access to other connected devices.

The components making up the malware “are low to medium sophistication and appear to have been developed with little regard to defence evasion or concealment of malicious activity,” according to the new report.

They lack “basic obfuscation or stealth techniques to disguise activity” according to the NCSC, although the agency says that the hackers behind the malware may have assumed this was unnecessary as many Android devices don’t have a host-based detection system.

The report does credit the malware for two interesting techniques, including how it maintains persistence by replacing the legitimate netd system binary with a malicious version, and providing the hackers with remote access to the devices “by configuring and executing Tor with a hidden service which forwards to a modified Dropbear binary providing a SSH connection.” Dropbear is legitimate open source Unix-based software for Secure Shell (SSH) servers, which encrypt network traffic.

“These techniques require a good level of C++ knowledge to make the alterations and an awareness of Linux authentication and boot mechanisms,” states the report.

Sandworm, which was also behind attacks on Ukraine’s power grid in 2015, as well as the catastrophic NotPetya malware which initially targeted Ukraine before spreading out of control, has previously been attributed to the GRU’s Main Centre for Special Technologies, GTsST.

Paul Chichester, the NCSC’s director of operations, said: “The exposure of this malicious campaign against Ukrainian military targets illustrates how Russia’s illegal war in Ukraine continues to play out in cyberspace.

“Our new report shares expert analysis of how this new malware operates and is the latest example of our work with allies in support of Ukraine’s staunch defence. The UK is committed to calling out Russian cyber aggression and we will continue to do so.”

The agency warns that despite the lack of concealment functions, the malware components pose “a serious threat because of the impact of the information they can collect.”