
Sandworm attacks Ukraine with Infamous Chisel malware

The UK and its allies have attributed a novel malware campaign against Ukrainian state targets to the Russian intelligence-backed Sandworm APT

The UK’s National Cyber Security Centre (NCSC) and its partner agencies in the Anglophone Five Eyes collective have formally attributed a campaign of cyber attacks against Ukrainian military targets to the Sandworm advanced persistent threat (APT) actor, backing up previous assertions by the Security Service of Ukraine (SBU), which first exposed the novel Infamous Chisel malware family used in the campaign earlier in August.

Infamous Chisel was used by Sandworm, which is backed by Russia’s military intelligence agency, the GRU, to target Android mobile devices owned by Ukraine’s armed forces. At a high level, its various components – of which 10 have been identified by the Ukrainians – were designed to snoop on compromised devices.

“The exposure of this malicious campaign against Ukrainian military targets illustrates how Russia’s illegal war in Ukraine continues to play out in cyber space,” said NCSC operations director Paul Chichester.

“Our new report shares expert analysis of how this new malware operates, and is the latest example of our work with allies in support of Ukraine’s staunch defence,” he said. “The UK is committed to calling out Russian cyber aggression and we will continue to do so.”

The SBU said that, working alongside the Armed Forces of Ukraine, it had successfully prevented the Russians from gaining access to the sensitive data they sought, which is understood to have included information on where troops were being deployed, their movements and details of their technical provisioning.

“Since the first days of the full-scale war, we have been fending off cyber attacks of [the] Russian intelligence services aiming to break our military command system and more,” said SBU head of cyber security Illia Vitiuk.

“The operation we have carried out now is the cyber defence of our forces.”

How the campaign unfolded

The SBU’s cyber investigators found that the GRU managed to obtain tablets captured from the Ukrainians on the battlefield, and used them to abuse preconfigured access to penetrate the system and distribute malicious files to other Android devices, in what they described as a “long-term and thorough” preparation stage.

The various components of Infamous Chisel worked together to enable persistent access to an infected Android device via the Tor network, which was achieved by configuring and executing Tor with a hidden service that forwarded to a modified Dropbear binary providing a Secure Shell (SSH) connection.

Periodically, it would collate and exfiltrate victim information after scanning for a predefined set of file extensions. It also scanned and monitored the local networks where it found itself to collate various data points, such as active hosts and open ports.

All about Sandworm

Sandworm, also known as Voodoo Bear, has been active for several years, first coming to attention with a 2015 attack on the Ukrainian power grid, and achieving infamy in 2017 with the NotPetya attacks.

It also supposedly attacked the Organisation for the Prohibition of Chemical Weapons (OPCW) during its probe of Russia’s use of chemical weapons on UK soil.

Several members of the group were indicted by the US in late 2020, relating to attacks on the 2018 Winter Olympics and the Georgian government.

Since Russia’s invasion of Ukraine, the group has been identified as the source of other botnets and malware, perhaps most notably an updated version of its Industroyer malware, Industroyer2, which was used in cyber attacks on Ukrainian utilities in April 2022.

The NCSC said the various components were of low to medium sophistication, and seemed to have been developed without much regard to defence evasion or concealment of their activity. Sandworm may have left out such features since many Android devices don’t have a host-based detection system.

The NCSC’s report did, however, note two interesting techniques that are present in Infamous Chisel. First, one component replaces a legitimate executable, netd, to maintain persistence. Second, the modification of the authentication function in the components that included Dropbear stands out.

Both of these techniques require a good level of C++ knowledge and an understanding of Linux authentication and boot mechanisms, said the NCSC.
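The two behaviours singled out above, a Tor hidden service forwarding to a local Dropbear SSH daemon and a replaced netd binary, are the kind of thing a device triage script can check for. The following is an added example, not code from the NCSC report or the SBU; the torrc contents, baseline hash, process names and port numbers are all constructed.

```python
# Added example (not from the NCSC report): triage checks for two Infamous Chisel
# behaviours, a Tor hidden service fronting a local Dropbear SSH daemon and a
# replaced netd binary. All artefacts, hashes, paths and ports are constructed.
import hashlib

# Hypothetical known-good digest of the stock netd binary, recorded by the
# defender from a trusted firmware image (constructed value).
NETD_PATH = "/system/bin/netd"
BASELINE = {NETD_PATH: hashlib.sha256(b"stock netd build").hexdigest()}

def netd_replaced(path: str, on_device_bytes: bytes) -> bool:
    """True when the binary at `path` no longer matches the trusted baseline."""
    return hashlib.sha256(on_device_bytes).hexdigest() != BASELINE[path]

def parse_hidden_service_ports(torrc: str) -> list[tuple[int, str, int]]:
    """(virtual_port, target_host, target_port) for each HiddenServicePort line."""
    # Tor accepts `VIRTPORT`, `VIRTPORT TARGETPORT` and `VIRTPORT HOST:PORT`;
    # a missing target defaults to 127.0.0.1:VIRTPORT, as Tor itself does.
    found = []
    for line in torrc.splitlines():
        parts = line.split("#", 1)[0].split()  # strip comments, tokenise
        if len(parts) < 2 or parts[0].lower() != "hiddenserviceport":
            continue
        vport = int(parts[1])
        host, tport = "127.0.0.1", vport
        if len(parts) >= 3:
            target = parts[2]
            if ":" in target:
                host, tport_text = target.rsplit(":", 1)
                tport = int(tport_text)
            else:
                tport = int(target)
        found.append((vport, host, tport))
    return found

def flag_ssh_over_tor(torrc: str, listeners: dict[int, str]) -> list[str]:
    """Report hidden-service forwards that land on a local SSH-style daemon."""
    # `listeners` maps local TCP port -> bound process name, as a collector
    # would build from the device's socket table.
    findings = []
    for vport, host, tport in parse_hidden_service_ports(torrc):
        proc = listeners.get(tport, "")
        if host in ("127.0.0.1", "localhost") and ("dropbear" in proc or "ssh" in proc):
            findings.append(f"hidden service :{vport} -> {host}:{tport} served by {proc}")
    return findings

# Constructed sample artefacts for a stand-alone run.
SAMPLE_TORRC = "HiddenServiceDir /data/local/tmp/hs\nHiddenServicePort 22 127.0.0.1:2222\n"
SAMPLE_LISTENERS = {2222: "dropbear", 5353: "mdnsd"}
```

A hash mismatch on netd is only meaningful against a baseline taken from the same firmware build, so the baseline must be keyed per device model and OS version in practice.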

The agency added that even with the lack of attention paid to concealment functions, Infamous Chisel still presented a serious threat due to the nature of the information it was designed to steal.

At the time of writing, the NCSC has made no suggestion that Infamous Chisel has been deployed against any other targets; nevertheless, a full list of indicators of compromise and YARA rules is included in the report.
