The UK and its Five Eyes partners (Australia, Canada, New Zealand and the US) have officially endorsed Ukraine’s attribution of Infamous Chisel, a new strain of malware found on mobile phones used by Ukrainian military personnel, to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
In a joint report published on August 31, 2023, the UK’s National Cyber Security Centre (NCSC) and six partner agencies analyzed Infamous Chisel.
The malware enables unauthorized access, over the Tor network, to compromised Android devices used by the Ukrainian military. It scans files, monitors network traffic and periodically exfiltrates sensitive information.
The exfiltrated data combines system and device information with information from commercial applications and from applications specific to the Ukrainian military.
It also provides remote access by configuring and running Tor with a hidden service that forwards connections to a modified Dropbear binary, which provides an SSH connection.
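To make the remote-access mechanism concrete, the following added example (written for this page, not code from the joint report or from the malware) shows what "Tor with a hidden service forwarding to a local SSH daemon" looks like in Tor's own configuration, and a small triage check that pulls such forwards out of a torrc. The sample torrc, its directory paths and its ports are constructed for illustration; they are not Infamous Chisel indicators.

```python
"""Triage helper for Tor hidden-service forwards (added example, not from the report).

A torrc line pair such as
    HiddenServiceDir <dir>
    HiddenServicePort <virtual port> <target>
publishes <target> (often a daemon bound to loopback, e.g. an SSH server) as an
onion service. Tor writes the resulting .onion address to <dir>/hostname.
"""
import ipaddress
import os
from dataclasses import dataclass

# Constructed sample torrc for illustration. Paths and ports are assumptions
# made for this example, not published indicators.
SAMPLE_TORRC = """\
# constructed example: SOCKS proxy disabled, two onion services
SocksPort 0
HiddenServiceDir /data/local/tmp/hs_example
HiddenServicePort 22 127.0.0.1:2222
HiddenServiceDir /data/local/tmp/hs_web
HiddenServicePort 80 8080
HiddenServicePort 443 unix:/data/local/tmp/web.sock
"""


@dataclass(frozen=True)
class HiddenServicePort:
    service_dir: str    # HiddenServiceDir the mapping belongs to
    virtual_port: int   # port exposed on the .onion address
    target: str         # "host:port" or "unix:<path>" that Tor forwards to


def parse_hidden_services(torrc_text: str) -> list[HiddenServicePort]:
    """Return every HiddenServicePort mapping together with its HiddenServiceDir.

    Tor attaches each HiddenServicePort line to the most recent HiddenServiceDir.
    A bare port target means 127.0.0.1:<port>; an omitted target means the
    virtual port on 127.0.0.1; "unix:" targets are kept verbatim.
    """
    mappings: list[HiddenServicePort] = []
    current_dir: str | None = None
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "hiddenservicedir" and len(parts) >= 2:
            current_dir = parts[1]
        elif key == "hiddenserviceport" and len(parts) >= 2:
            if current_dir is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            virtual_port = int(parts[1])
            target = parts[2] if len(parts) >= 3 else str(virtual_port)
            if not target.startswith("unix:") and ":" not in target:
                target = f"127.0.0.1:{target}"
            mappings.append(HiddenServicePort(current_dir, virtual_port, target))
    return mappings


def loopback_forwards(mappings: list[HiddenServicePort]) -> list[HiddenServicePort]:
    """Mappings whose target is a TCP listener on a loopback address.

    These are the interesting ones on a phone: a daemon that would otherwise be
    reachable only locally (such as an SSH server) becomes reachable by anyone
    who knows the onion address.
    """
    hits = []
    for m in mappings:
        if m.target.startswith("unix:"):
            continue
        host, _, _port = m.target.rpartition(":")
        host = host.strip("[]")   # tolerate "[::1]:22"
        try:
            if ipaddress.ip_address(host).is_loopback:
                hits.append(m)
        except ValueError:        # hostname rather than an IP literal
            continue
    return hits


def hostname_file(mapping: HiddenServicePort) -> str:
    """Path of the file where Tor stores the service's .onion address."""
    return os.path.join(mapping.service_dir, "hostname")


if __name__ == "__main__":
    for m in loopback_forwards(parse_hidden_services(SAMPLE_TORRC)):
        print(f"onion port {m.virtual_port} -> {m.target}; "
              f"address in {hostname_file(m)}")
```

On a device image, pointing `parse_hidden_services` at any torrc-like file found next to a Tor binary and then reading each `hostname` file gives the onion addresses an operator would have used to reach the forwarded SSH service.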
War in Ukraine Plays Out in Cyberspace
In the report, the seven agencies added that they “are aware that the actor known as Sandworm has used a new mobile malware in a campaign targeting Android devices used by the Ukrainian military.”
This matches the attribution made by the Security Service of Ukraine (SBU) earlier in August, when it first disclosed the campaign using Infamous Chisel.
Cybersecurity agencies in all Five Eyes countries have previously linked Sandworm to the Russian GRU's Main Centre for Special Technologies (GTsST).
Paul Chichester, NCSC director of operations, said in a statement that this new malicious campaign “illustrates how Russia’s illegal war in Ukraine continues to play out in cyberspace.”
In June, the UK Prime Minister announced that the UK-funded Ukraine Cyber Programme would be boosted by an additional injection of up to £25 million and a two-year expansion to help Ukraine protect its critical national infrastructure and vital public services online.