A coalition of Western intelligence agencies asserts that the threat group known as Sandworm is targeting Android handsets used by Ukrainian military personnel.
Sandworm, which has been linked to Russia's military intelligence agency, has been infecting devices with the Infamous Chisel malware, which scans files, monitors traffic and steals data from compromised military devices, according to a joint international investigation that posted its findings on Thursday.
Infamous Chisel is described as “a collection of components which enable persistent access to an infected Android device over the Tor network, and which periodically collates and exfiltrates victim information from compromised devices,” according to the report.
The malware itself is described as being of “low to medium sophistication” and “developed with little regard to defense evasion or concealment of malicious activity”.
Ukraine’s security agency, the SBU, first disclosed the Infamous Chisel campaign in early August, saying it had blocked Sandworm’s attempts to access the Ukrainian armed forces’ combat data exchange system to steal military intelligence information. The SBU believed the Infamous Chisel campaign was launched after Russia’s intelligence services analyzed Ukrainian military tablets retrieved from the battlefield.
The advanced persistent threat (APT) group has been tied to multiple cyberattacks against Ukraine since Russia’s invasion in February 2022.
The Infamous Chisel analysis report said the malware had been used to exfiltrate information both from commercial apps and from apps specific to the Ukrainian military that were loaded on the targeted Android devices.
“The malware periodically scans the device for information and files of interest, matching a predefined set of file extensions. It also contains functionality to periodically scan the local network collating information about active hosts, open ports, and banners,” the report said.
“Infamous Chisel also provides remote access by configuring and executing Tor with a hidden service which forwards to a modified Dropbear binary providing a SSH connection. Other capability includes network monitoring and traffic collection, SSH access, network scanning, and SCP file transfer.”
The 35-page report was published jointly by CISA, the FBI, the NSA and the Five Eyes partner nations.