NCSC, SBU reveal overt Russian cyber campaign as cyber war continues to evolve
Sandworm-linked threat actors gained access to battlefield tablets


The UK’s National Cyber Security Centre (NCSC) and joint partners have issued a report into a new malware linked to the Sandworm group openly targeting Ukrainian military devices.
‘Infamous Chisel’ is an infostealer malware that was found targeting Android devices in use by Ukrainian military personnel on the front lines as a possible first step towards a wider-scale compromise of Ukrainian military networks.
Though the malware largely contains standard components implemented with intermediate sophistication, and was easily discovered via an investigation, researchers noted that Android has no automatic detection for attacks of this kind.
The authors also noted the overt nature of the campaign was matched by the serious danger associated with any exfiltration of sensitive Ukrainian military data.
According to the NCSC, Infamous Chisel made little attempt to obscure its activities from security services but had been specially crafted to establish persistence on victims’ devices.
The Security Service of Ukraine (SBU) discovered and eradicated the malware on Android tablets, and shared its findings with international partners.
“Since the first days of the full-scale war, we have been fending off cyber attacks of Russian intelligence services aiming to break our military command system and more,” said Illia Vitiuk, head of the SBU’s cyber security department.
“The operation we have carried out now is the cyber defense of our forces.”
The SBU first published a report on Infamous Chisel on 8 August, in which it stated that it was confident the APT group Sandworm was behind the malware campaign.
In the weeks after, the NCSC worked on analyzing the threat with international partners including the US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), New Zealand’s National Cyber Security Centre (NCSC-NZ), and the Canadian Centre for Cyber Security.
Paul Chichester, director of operations at the NCSC, noted that the campaign represents a new evolution in Russia’s ongoing cyber campaigns against Ukraine and its allies.
“The exposure of this malicious campaign against Ukrainian military targets illustrates how Russia’s illegal war in Ukraine continues to play out in cyberspace,” he said.
“Our new report shares expert analysis of how this new malware operates and is the latest example of our work with allies in support of Ukraine’s staunch defense. The UK is committed to calling out Russian cyber aggression and we will continue to do so.”
The NCSC has linked Sandworm to Russia’s Main Intelligence Directorate (GRU), specifically its Unit 74455, which is otherwise known as the Main Centre for Special Technologies (GTsST).
Previously tracked by Microsoft as IRIDIUM, and now known under the name Seashell Blizzard, Sandworm is the main suspect behind the NotPetya attacks that in 2017 encrypted Ukrainian financial, energy, and government systems.
The NCSC has also credited Sandworm with a 2018 attempt to breach UK Defence Science and Technology Laboratory (DSTL) systems, as well as the widespread defacement of Georgian government websites.
In November 2022 the UK government specifically named Sandworm’s ‘Industroyer2’ malware as a strain of concern, and pledged to provide Ukraine with £6.35 million ($8 million) for cyber defense which has since been increased to up to £25 million ($32 million).
The Industroyer family targets industrial control systems (ICS) and is part of a wave of new threats against critical national infrastructure (CNI).
How does Infamous Chisel operate?
Infamous Chisel is made up of several main components named ‘netd’, ‘killer’, ‘blob’, and ‘td’ which all perform different functions.
‘Netd’ replaces the default binary of the same name within Android’s system directory, which allows it to achieve persistence. Its main function is to exfiltrate data, which it performs approximately once per day. It collects a wide range of file types, including .dat, .bat, .txt, and .xml.
The component collects device information as well as any network and application data specific to the Ukrainian military. Approximately every two days it scans reachable networks for open Transmission Control Protocol (TCP) ports, and stores the results as .tmp and .csv text files for exfiltration.
The SBU described some of its behavior as consistent with Russian intelligence activities, and the NCSC noted that network scanning of this kind suggests an intent for lateral attacks down the line.
Once data has been collected, the malware uses the ‘blob’ and ‘td’ components to establish a connection with a hard-coded local IP via The Onion Router (Tor), the open-source anonymity network. The software package ‘dropbear’ maintains the threat actor’s remote access to the infected device via port 34371.
‘Killer’ simply terminates ‘netd’ on command from the remote threat actor.
The SBU additionally identified a component named ‘stl’, through which the malware collects data on the device’s connection to the Starlink satellite constellation, as well as two components used to download additional Trojans.
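As an added defensive illustration (not code from the NCSC or SBU reports), the following script triages two of the indicators described above from a listing a responder could pull off a device: a ‘dropbear’ listener on TCP 34371, and a ‘netd’ binary whose hash no longer matches the build’s known-good value. The sample netstat output and the hash values are constructed for the example.

```python
import re

# Indicators taken from the description of Infamous Chisel above:
# - a 'dropbear' SSH daemon listening on TCP 34371 for remote access
# - the legitimate Android 'netd' binary replaced by a malicious copy
DROPBEAR_PORT = 34371

# Constructed sample of `netstat -tlnp`-style output from an Android device
# (not captured data). Only the last line should be flagged.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      812/adbd
tcp6       0      0 :::5555                 :::*                    LISTEN      812/adbd
tcp        0      0 0.0.0.0:34371           0.0.0.0:*               LISTEN      2143/dropbear
"""

# One LISTEN row: proto, recv-q, send-q, local addr:port, foreign, state, pid/prog
LISTEN_RE = re.compile(
    r"^\s*tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)", re.M)


def suspicious_listeners(netstat_text):
    """Return (port, pid, program) for every listener bound to the dropbear
    port, or run by a dropbear process on any port."""
    hits = []
    for _addr, port, pid, prog in LISTEN_RE.findall(netstat_text):
        port = int(port)
        if port == DROPBEAR_PORT or prog.lower().startswith("dropbear"):
            hits.append((port, int(pid), prog))
    return hits


def netd_replaced(observed_sha256, expected_sha256):
    """True when the on-device /system/bin/netd hash differs from the
    known-good hash of the same build. The expected value must come from a
    trusted firmware image; the values used in the test are placeholders."""
    return observed_sha256.strip().lower() != expected_sha256.strip().lower()


if __name__ == "__main__":
    print("suspicious listeners:", suspicious_listeners(SAMPLE_NETSTAT))
    print("netd replaced:", netd_replaced("aaaa", "bbbb"))
```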
Ukrainian forces have made extensive use of SpaceX’s Starlink since Russia’s invasion to stay connected in areas with poor traditional connectivity. Its fleet of low Earth orbit (LEO) satellites has been a reliable platform for crucial networks amid Russian missile and cyber attacks on other communications networks.
Starlink was initially provided to Ukraine for free, but the New York Times has since reported that SpaceX has requested funds from the Department of Defense (DoD) to subsidize its operating costs, and that Elon Musk has personally intervened to ‘geofence’ Starlink access within Ukraine.
It’s possible that this has prevented Ukrainian troops from accessing the internet via Starlink in regions under Russian occupation.

Rory Bathgate is Features and Multimedia Editor at ITPro.