Russian cyber group unleashes new malware campaign on Ukrainian military targets


A new report says a cyber threat actor within Russia’s military intelligence service leveraged a novel malware campaign targeting Android devices used by the Ukrainian military.

A Russian cyber threat actor launched a novel malware campaign against Ukrainian military personnel, targeting Android devices to steal sensitive information from the battlefield, according to an international report published Wednesday.

Sandworm, a Russian state-sponsored threat actor linked to the Kremlin's military intelligence service, used mobile malware known as "Infamous Chisel" to infect Android devices and periodically scan files and network information for exfiltration, the report said.

The malware is a collection of components that give the Russian threat actor persistent backdoor access to infected devices and support network monitoring, traffic collection and file transfer.

The report, which provides technical details on the malware, was published by the Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency and several international partners, including the U.K. National Cyber Security Centre, the New Zealand National Cyber Security Centre and the Canadian Centre for Cyber Security.

The Security Service of Ukraine (SBU) first disclosed the Russian-linked activity earlier this month, when it announced that it had "exposed and blocked" attempts by Sandworm to gain unauthorized access to a combat data exchange system maintained by the country's armed forces.

"Since the first days of the full-scale war, we have been fending off cyberattacks of Russian intelligence services aiming to break our military command system and more," Illia Vitiuk, head of the Ukrainian security agency's cybersecurity department, said at the time. 

The new report assesses how Sandworm leveraged Infamous Chisel in an attempt to establish a persistent presence on impacted networks and includes indicators of compromise for affected devices. 

The malware can be used to collect system and device information, the report said, as well as data from commercial applications and from applications specific to the Ukrainian military.

CISA Executive Assistant Director for Cybersecurity Eric Goldstein said in a statement that the joint report reflects the urgency for all international cyber defense partners "to detect and mitigate Russian cyber activity" and "the importance of continued focus on maintaining operational resilience under all conditions."

"For years, the U.S. government has been calling out Russian actors who have engaged in a range of malicious cyber activity targeting U.S. and allied partners for cyber espionage and potential disruptive actions,” Goldstein added.

The U.S. and its international partners have provided Ukraine with cybersecurity assistance since before the start of the Russian invasion, both to build up the country's cyber workforce and to help it withstand Russian cyberattacks.

Earlier this year, the U.S. Agency for International Development announced a $60 million investment to help Ukraine ensure its critical infrastructure is protected against cyberattacks.