Russia-linked Cyber Crew Targets Ukrainian Military with Infamous Chisel Malware

A Russian cyber crew is believed to be orchestrating a new malware campaign, dubbed Infamous Chisel, directed at the Ukrainian military, according to a joint report by the Five Eyes intelligence alliance.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and cyber agencies in Australia, Canada, the United Kingdom and New Zealand collaborated on the advisory, which provides technical details of the new malware variant targeting Android devices used by Ukrainian military personnel.

The campaign, which was publicly uncovered by Ukraine’s security agency earlier this month, is believed to be the work of Sandworm, the advanced persistent threat operatives linked to the GRU, Russia’s military intelligence service. Sandworm is reportedly behind earlier attacks on Ukraine’s power grid in 2017 and the NotPetya malware operation.

What is Infamous Chisel?

Here’s what’s known about Infamous Chisel at this point:

  • It’s a collection of components targeting Android devices.
  • It performs periodic scanning of files and network information for exfiltration.
  • System and application configuration files are exfiltrated from an infected device.
  • Network backdoor access comes via a Tor (The Onion Router) hidden service and Secure Shell (SSH).
  • Other capabilities include network monitoring, traffic collection, SSH access, network scanning and SCP file transfer.

The U.S. and the U.K. have previously attributed Sandworm to the Russian GRU’s Main Centre for Special Technologies (GTsST).

CISA Issues Warning

Even though the Infamous Chisel campaign appears for now to be aimed solely at Ukraine, it may become a more widespread malware campaign, CISA warned in the report.

“For years, the U.S. Government has been calling out Russian actors who have engaged in a range of malicious cyber activity targeting U.S. and allied partners for cyber espionage and potential disruptive actions,” said Eric Goldstein, CISA executive assistant director for cybersecurity. “Today’s joint report reflects the value of deep collaboration across our international cyber defense partners, the need for all organizations to keep their Shields Up to detect and mitigate Russian cyber activity, and the importance of continued focus on maintaining operational resilience under all conditions.”

D. Howard Kass
