Western Intelligence Alliance Publishes Details of ‘Infamous Chisel’ Campaign
Western intelligence agencies lent authority Thursday to a Ukrainian exposé unmasking a campaign by Russian military state hackers targeting battlefield Android devices.
Agencies from the Five Eyes intelligence alliance of Australia, Canada, New Zealand, the United Kingdom and the United States confirmed in a report that malware “associated” with Russia’s GRU Main Intelligence Directorate exfiltrates data from Ukrainian military applications running on Android devices.
Ukraine uses a slew of apps to manage the battlefield and improve artillery targeting against Russian invaders. In a report published earlier this month, Kyiv authorities said the GRU’s Sandworm hacking group had obtained Ukrainian military mobile devices captured on the battlefield and crafted at least seven custom-coded Android malware packages for espionage (see: Ukraine Fends Off Sandworm Battlefield Espionage Ploy).
“The U.K. is committed to calling out Russian cyber aggression and we will continue to do so,” said Paul Chichester, director of operations at Britain’s National Cyber Security Center, a part of signals intelligence agency GCHQ.
The Western allies collectively dub the malware components “Infamous Chisel.” They search for specific files and directory paths related to military applications.
The Five Eye’s bottom-line assessment of the malware is that its components “are low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity.” But allies say they’re not minimizing the danger posed by Infamous Chisel: “Even with the lack of concealment functions, these components present a serious threat because of the impact of the information they can collect.”
Infamous Chisel provides network backdoor access through the TOR anonymity network and a secure shell for remote access. It replaces a legitimate Android networking function known as
netd with a malicious version to achieve persistence. It is the only Infamous Chisel component that persists on infected devices, the Five Eyes report says.
“The searching of specific files and directory paths that relate to military applications and exfiltration of this data reinforces the intention to gain access to these networks,” the report says.