Chisel Cyberattack Ukraine: US Agency Reveals Infamous Threat

Wajahat Raja

September 11, 2023 - TuxCare expert team

Intelligence agencies from the United States (US), Canada, Australia, New Zealand, and the United Kingdom (UK) recently collaborated to shed light on the Chisel cyberattack on Ukraine. The US cybersecurity report on the Chisel attack has revealed the facts of a notorious mobile malware strain known as Infamous Chisel, which has been causing havoc on the Ukrainian military’s Android devices.


This malevolent software, linked to an allegedly Russian state-sponsored entity known as Sandworm, has a set of malicious features. These help attackers gain unauthorized access to compromised devices and allow them to scan files, monitor network traffic, and steal important information covertly.


Ukrainian Military’s Encounter with Infamous Chisel


In August, the Ukrainian Security Service (SBU) identified specific components of Infamous Chisel, exposing the adversary’s unsuccessful attempts to enter Ukrainian military networks and obtain important intelligence. Notably, Russian forces obtained Ukrainian military tablets and used them as a launching pad to wirelessly transmit malware to other devices via the Android Debug Bridge (ADB) command-line tool. Protecting the Ukrainian military from cyber threats has, therefore, become more crucial than ever.


Meet Sandworm: The Chisel Cyberattack Ukraine Culprit


Sandworm, the perpetrator of Infamous Chisel, is a Russian Main Intelligence Directorate (GRU) entity that also goes by the identities FROZENBARENTS, Iron Viking, Seashell Blizzard, and Voodoo Bear. Sandworm has been active since at least 2014, becoming well-known for a series of disruptive and damaging cyber-attacks using malware such as Industroyer, BlackEnergy, and NotPetya.


In July 2023, Google-owned Mandiant drew attention to the fact that the GRU’s cyber activities follow a systematic playbook that provides tactical and strategic benefits. This allows threat actors to quickly adapt to a fast-paced and intensely competitive working environment, maximizing their speed, scale, and intensity while avoiding suspicion.


Chisel Malware Details and Analysis


Infamous Chisel is a complicated malware composed of numerous components designed solely to enable remote access and data exfiltration from Android phones. Aside from checking devices for information and files with specific extensions, the malware can also scan the local network on a regular basis and provide SSH access. This highlights the intensity of the recent cyber threats against Ukraine.


One interesting feature is its ability to provide remote access by setting up and running Tor with a hidden service that forwards to a modified Dropbear binary, allowing the actor to target SSH servers. Each module of Infamous Chisel performs a specific function. These range from data collection and exfiltration to Tor services and secure shell access to the infected device.


To maintain persistence on the device, Infamous Chisel replaces the official netd daemon, which is in charge of network setup on Android, with a rogue version. This rogue program grants Infamous Chisel the ability to run commands as the root user. The malware’s exfiltration procedure is systematically carried out, with file and device data collated daily, vital military data siphoned off every 10 minutes, and the local network scanned every two days.
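Because the schedule described above is fixed, it leaves a regular pattern in network logs. The following is an added example, not code from the agencies' report or from this article's sources: it flags source/destination pairs whose connection intervals sit tightly around the reported cadences. The flow-record format, the IP addresses, the tolerance thresholds, and the function names are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Cadences the article reports, in seconds. Tolerances below are assumptions.
CADENCES = {"10-minute exfiltration": 600, "daily collection": 86_400}

def find_periodic_flows(flows, min_events=5, max_jitter=0.1):
    """flows: iterable of (epoch_seconds, src_ip, dst_ip) records.
    Returns {(src, dst): cadence_label} for pairs whose connection
    intervals cluster around one of CADENCES."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Median absolute deviation tolerates one missed or late connection.
        mad = median(abs(g - mid) for g in gaps)
        for label, period in CADENCES.items():
            limit = max_jitter * period
            if abs(mid - period) <= limit and mad <= limit:
                hits[pair] = label
    return hits

def sample_flows():
    """Constructed records: one tablet on a ~10-minute timer and one
    host with irregular, human-driven traffic."""
    base = 1_693_000_000
    jitter = [0, 4, -3, 7, -5, 2, 1, -6]
    timer = [(base + i * 600 + jitter[i], "10.0.0.23", "198.51.100.7")
             for i in range(8)]
    offsets = [0, 45, 2300, 2420, 9000, 9100, 15100]
    browse = [(base + o, "10.0.0.40", "192.0.2.15") for o in offsets]
    return timer + browse

if __name__ == "__main__":
    for (src, dst), label in find_periodic_flows(sample_flows()).items():
        print(f"{src} -> {dst}: regular interval matching {label}")
```

A match is a lead for investigation rather than proof of compromise, since legitimate sync and telemetry clients also run on fixed timers.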

Uncomplicated Yet Effective

Despite their malicious intent, the components used in the Chisel cyberattack on Ukraine are of low to medium sophistication, with no fundamental obfuscation or stealth measures to mask their operations. This could be because many Android devices lack host-based detection systems, rendering disguise unnecessary.


Gamaredon Emergence: Another Threat to Ukraine


The impact of the Chisel cyberattack on national security has been highlighted by a related development. Ukraine’s National Cybersecurity Coordination Centre (NCSCC) has discovered the phishing activities of another Kremlin-backed hacking group known as Gamaredon (also known as Aqua Blizzard, Shuckworm, or UAC-0010). Since 2013, Gamaredon has been actively targeting Ukraine, with a renewed emphasis on military and government agencies, in order to gather critical data relevant to counter-offensive operations against Russian forces.


US-Ukraine cybersecurity collaboration has revealed that Gamaredon uses a variety of strategies to infect victims. These include the use of genuine documents stolen from compromised organizations. To access information relevant to its command-and-control infrastructure, the gang uses Telegram and Telegraph as dead-drop resolvers. Gamaredon’s malware arsenal, which includes GammaDrop, GammaLoad, GammaSteel, LakeFlash, and Pterodo, enables targeted system invasion and takeover.




While Gamaredon is not the most technically advanced threat group, its methodical evolution and increasing frequency of ransomware attacks indicate that its operational capabilities and resources are expanding in the Ukraine cyber threat landscape. The Chisel cyberattack on Ukraine highlights the essential need for strong cybersecurity measures for governments and organizations alike as they struggle to protect sensitive data and maintain the integrity of their operations in an increasingly dangerous digital environment.

The sources for this piece include articles in The Hacker News and Tech Monitor.
